nanog mailing list archives
Re: Checkpoint IPS
From: BPNoC Group <bpnoc.lists () gmail com>
Date: Sun, 8 Feb 2015 14:00:03 -0200
On Sun, Feb 8, 2015 at 2:05 AM, Ca By <cb.list6 () gmail com> wrote:
> On Friday, February 6, 2015, Roland Dobbins <rdobbins () arbor net> wrote:
>
> > On 6 Feb 2015, at 23:23, Darden, Patrick wrote:
> >
> > > And when your opinion is an acknowledged universal constant, I will tip my hat to you.
> >
> > It's been a constant for the last couple of decades - I can't count the number of times I've been involved in mitigating penny-ante DDoS attacks which succeeded *solely* due to state exhaustion on stateful firewalls, 'IPS' devices, and load-balancers.
> >
> > I've seen a 20gb/sec commercial stateful firewall taken down by a 3mb/sec spoofed SYN-flood. I've seen a 10gb/sec commercial load-balancer taken down by 60 seconds at 6kpps - yes, 6kpps - of HOIC. And so on, and so forth.
> >
> > 'Dismiss' it all you like, but it's a real issue, as others on this list know from bitter experience.
>
> Hi, Roland is right. 99% of network based security products are pure snake oil. Patch your servers, know your base line, statelessly filter unwanted traffic, rtbh as needed, sleep well at night. Bye.
Yeah, but Mr Tracanelli has a wider point. A firewall or IDS has its place near the core, due to exhaustion not taking core routing down and taking your availability away, while still adding security to it. While stateful firewall / IPS / proxy belongs somewhere else deeper in the network, closer to business logic than core/border. Mr Dobbins' slides/presentation give an idea that a proxy (waf, whatever) fits sitting unprotected among routers and application servers, while it's also stateful and fragile enough to deserve previous protection.
----------------------------------- Roland Dobbins <rdobbins () arbor net>
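The state-exhaustion argument quoted above (a flood far below a device's bandwidth rating filling its connection table, versus stateless filtering whose memory does not grow with traffic), worked through as an added model. This is not code from any poster in the thread, nor from Check Point or Arbor; the table size, half-open timeout, frame size and rates are constructed assumptions.

```python
"""Added example for the thread above: a model of why a small spoofed SYN flood
can exhaust a stateful device's connection table while a stateless filter is
unaffected.  Not code from any poster or vendor; every number (table size,
half-open timeout, frame size, rates) is a constructed assumption."""
import ipaddress
from dataclasses import dataclass, field

SYN_FRAME_BYTES = 64  # assumed minimal SYN incl. Ethernet framing (constructed)

def syn_pps(flood_bps: float, frame_bytes: int = SYN_FRAME_BYTES) -> float:
    """Packets/second represented by a flood of minimal SYNs at flood_bps."""
    return flood_bps / (frame_bytes * 8)

@dataclass
class StatefulTable:
    """Connection table: its limit is entries, not bits per second."""
    capacity: int             # maximum tracked flows
    half_open_timeout: float  # seconds an unanswered spoofed SYN holds a slot

    def exhausted(self, spoofed_pps: float) -> bool:
        # Little's law: concurrent entries = arrival rate x hold time.  Spoofed
        # SYNs never complete, so each holds its slot for the full timeout.
        return spoofed_pps * self.half_open_timeout >= self.capacity

    def legit_admitted_fraction(self, spoofed_pps: float, legit_cps: float,
                                legit_hold_s: float) -> float:
        # When demand exceeds capacity, new flows of either kind compete for
        # freed slots; assume the device admits them indiscriminately.
        demand = spoofed_pps * self.half_open_timeout + legit_cps * legit_hold_s
        return min(1.0, self.capacity / demand)

@dataclass
class StatelessFilter:
    """Per-packet ACL: its only state is the rule set, whatever the pps."""
    deny: list = field(default_factory=list)  # prefix strings, e.g. "203.0.113.0/24"

    def drops(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(net) for net in self.deny)

    def entries_under_load(self, pps: float) -> int:
        return len(self.deny)  # independent of traffic rate

def scenario() -> dict:
    """The quoted 3mb/sec flood against a 100k-entry table (constructed sizes)."""
    pps = syn_pps(3_000_000)  # about 5,859 SYN/s
    table = StatefulTable(capacity=100_000, half_open_timeout=30.0)
    return {"flood_pps": pps, "exhausted": table.exhausted(pps),
            "legit_admitted": table.legit_admitted_fraction(pps, 200, 60)}
```

Under these assumptions the 3mb/sec flood occupies the whole table and roughly half of legitimate new connections are refused, while the stateless filter holds exactly one rule regardless of packet rate.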