nanog mailing list archives

Re: Summary with further Question: Domain Name System protection


From: Jeff Aitken <jaitken () aitken com>
Date: Tue, 17 Aug 2004 16:23:37 -0400


On Tue, Aug 17, 2004 at 09:32:28PM +0200, sthaug () nethelp no wrote:
Hosts tend to be a faster write-off cycle than routers in companies I've
worked at, therefore getting the benefit of Moore's law about 25% faster
than the routers.  Turn on firewalling in the host.

If you have a choice between access lists on a software forwarding
based router and firewall on a host, this may be a good choice. If
your routers have hardware forwarding, I'd go for the router every
time...

Seems like the most sensible option is "defense in depth", tailored
to your specific mix of equipment and clue.  Throw away what you
can at the edge (e.g., uRPF), spread the load (e.g., anycast), and
firewall, as appropriate.  Many routers with "hardware forwarding"
have potentially significant limits when it comes to ACLs.  Even
the more capable devices don't necessarily give you the ability to
look arbitrarily deep inside incoming packets, at least not without
expensive additional cards.  A firewall can usually perform that 
level of inspection, which means it will catch "bad" packets that
the router didn't.  None of these steps alone is perfect, but the
combination can be fairly effective.

One size does not have to fit all.


--Jeff

