nanog mailing list archives
Re: Summary with further Question: Domain Name System protection
From: Jeff Aitken <jaitken () aitken com>
Date: Tue, 17 Aug 2004 16:23:37 -0400
On Tue, Aug 17, 2004 at 09:32:28PM +0200, sthaug () nethelp no wrote:
> Hosts tend to be a faster write-off cycle than routers in companies I've
> worked at, therefore getting the benefit of Moore's law about 25% faster
> than the routers. Turn on firewalling in the host. If you have a choice
> between access lists on a software-forwarding-based router and a firewall
> on a host, this may be a good choice. If your routers have hardware
> forwarding, I'd go for the router every time...
Seems like the most sensible option is "defense in depth", tailored to your specific mix of equipment and clue. Throw away what you can at the edge (e.g., uRPF), spread the load (e.g., anycast), and firewall, as appropriate.

Many routers with "hardware forwarding" have potentially significant limits when it comes to ACLs. Even the more capable devices don't necessarily give you the ability to look arbitrarily deep inside incoming packets, at least not without expensive additional cards. A firewall can usually perform that level of inspection, which means it will catch "bad" packets that the router didn't.

None of these steps alone is perfect, but the combination can be fairly effective. One size does not have to fit all.

--Jeff
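The layering Jeff describes, as an added worked example (this is not code from the thread or from any of the posters): a first stage that matches only what a hardware-forwarding router's ACL can see cheaply (source prefix and UDP port), and a second stage that does what the router typically cannot, walking the DNS question section of the payload so that truncated names, zero-question packets and responses arriving on the query port are dropped even though their headers look fine. The prefix list dropped at the edge is an assumption for the example (RFC 1918 plus a few obvious bogons); the sample packets are constructed inline, not captured traffic.

```python
"""Two-stage filtering for an authoritative DNS server: an edge ACL that
matches only IP/UDP header fields (what a hardware-forwarding router does
cheaply), followed by a payload check that walks the DNS question section
(what a firewall or the host itself must do). Added example; not code from
the thread."""
import ipaddress
import struct

# Stage 1: edge ACL. Which prefixes you drop at the edge is a policy choice;
# this list (RFC 1918 plus a few obvious bogons) is an assumption for the example.
EDGE_DROP_SOURCES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4")
]
DNS_PORT = 53


def edge_acl(src_ip: str, dst_port: int) -> bool:
    """Header-only check a router ACL can express: source prefix and port."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in EDGE_DROP_SOURCES):
        return False
    return dst_port == DNS_PORT


def inspect_dns_query(payload: bytes) -> bool:
    """Payload check: accept only a well-formed single-question DNS query."""
    if len(payload) < 12:                       # shorter than the DNS header
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                          # QR=1: a response, not a query
        return False
    if qdcount != 1:                            # a query carries one question
        return False
    pos = 12
    while True:                                 # walk the QNAME labels
        if pos >= len(payload):
            return False                        # name runs off the end
        length = payload[pos]
        if length == 0:                         # root label terminates the name
            pos += 1
            break
        if length > 63:                         # also rejects pointer/reserved bits
            return False
        pos += 1 + length
    return pos + 4 <= len(payload)              # QTYPE and QCLASS must follow


def filter_packet(src_ip: str, dst_port: int, payload: bytes) -> str:
    """Apply the stages in order; report which one dropped the packet, if any."""
    if not edge_acl(src_ip, dst_port):
        return "drop:edge-acl"
    if not inspect_dns_query(payload):
        return "drop:payload"
    return "accept"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a minimal DNS query (used only to make sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


# Constructed sample traffic (not captured data): source, dst port, payload.
SAMPLE_PACKETS = [
    ("198.51.100.7", 53, build_query(0x1001, "example.com.")),          # clean query
    ("10.1.2.3", 53, build_query(0x1002, "example.com.")),              # RFC 1918 source
    ("198.51.100.8", 53, build_query(0x1003, "example.com.")[:20]),     # QNAME truncated
    ("198.51.100.9", 53, struct.pack("!HHHHHH", 0x1004, 0x8180, 1, 1, 0, 0)
                         + b"\x00" + struct.pack("!HH", 1, 1)),          # QR bit set
    ("198.51.100.10", 25, build_query(0x1005, "example.com.")),         # wrong port
]


def run_samples() -> list:
    """Verdict for each sample packet, in order."""
    return [filter_packet(src, port, data) for src, port, data in SAMPLE_PACKETS]


if __name__ == "__main__":
    for (src, port, _), verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{src}:{port} -> {verdict}")
```

The point of the split is that the second and third sample packets pass the edge stage (valid public source, port 53) and are only caught by walking the payload; in a real deployment the first stage is the router ACL or uRPF and the second is the firewall or the name server host, so the expensive check runs only on what the cheap one let through.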