nanog mailing list archives

Re: D/DoS mitigation hardware/software needed.


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 5 Jan 2010 07:47:46 +0000


On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:

* Defense in depth.  You've never had a host that received external traffic ever accidentally have iptables or 
windows firewall turned off?  Even when debugging a production outage or on accident?

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.  'Stateful 
inspection' where in fact there is no useful state to inspect is pointless.

* Location for IDS/IDP.

Non-sequitur, as these things have nothing to do with one another (plus, these devices are useless, anyways, heh).

* Connection cleanup, re-assembling fragments, etc.

Far, far, far better and more scalably handled by the hosts themselves and/or load-balancers.

* SYN flood protection, etc.

Firewalls simply don't handle this well, marketing claims aside.  They crash and burn.

* Single choke point to block incoming traffic deemed undesirable.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

* Single log point for inbound connections for analysis and auditing requirements.

Contextless, arbitrary syslog from firewalls and other such devices is largely useless for this purpose.  NetFlow 
combined with server/app/service logs is the answer to this requirement.

* Allows outbound traffic enforcement.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

* Allows conditional inbound traffic from specific approved external hosts- e.g. a partner.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

* Some firewalls allow programmatic modification of configurations with all the benefits/pain that brings.  This is 
alongside traditional CLI and GUI interfaces.

Ugly, brittle, siloed, to be avoided at all costs.

* In some/many cases a zone based firewall configuration can be much easier to work with than a large iptables 
config.  Certainly the management tools are better.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

* Yeah, auditors like it.

Education is the answer here.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
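The stateless-ACL position taken throughout the reply above, as an added example that is not part of the post or the NANOG thread: a small Python model of how a router or switch ACL decides on a packet using nothing but that packet's own headers (first match wins, implicit deny at the end), including the classic `established` match, which stands in for "reply traffic" by requiring the TCP ACK or RST bit rather than a connection-table lookup. The prefixes, partner host, rule set and packets are all constructed here (RFC 5737 documentation addresses); nothing is taken from a real deployment.

```python
"""Stateless ACL evaluation over constructed packet headers.

Added example, not code from the thread. Every decision is made from the
packet alone: there is no per-flow state, so a flood of SYNs costs one
header lookup each and leaves nothing behind to exhaust. SYN handling,
fragment reassembly and connection cleanup stay with the hosts and
load balancers, which is the division of labour the reply argues for.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard TCP flag bits as carried in the header.
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports
    tcp_flags: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp", or "ip" for any
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None      # None matches any destination port
    established: bool = False        # require ACK or RST (TCP only)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.tcp_flags & (TCP_ACK | TCP_RST)):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match semantics with an implicit deny, as router ACLs behave."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy: an edge ACL in front of a web tier (203.0.113.0/24).
# A single partner host (198.51.100.7) may reach a management service on
# tcp/8443; everyone may reach 80 and 443; replies to connections the web
# tier opened outbound are admitted by the stateless 'established' rule.
WEB_TIER = "203.0.113.0/24"
ACL = [
    Rule("deny", "ip", src=WEB_TIER),                 # anti-spoof: our prefix from outside
    Rule("permit", "tcp", dst=WEB_TIER, dport=80),
    Rule("permit", "tcp", dst=WEB_TIER, dport=443),
    Rule("permit", "tcp", src="198.51.100.7/32", dst=WEB_TIER, dport=8443),
    Rule("permit", "tcp", dst=WEB_TIER, established=True),
    # implicit deny follows
]

# Constructed sample packets exercising each branch of the policy.
SAMPLE_PACKETS = [
    ("client syn to http",           Packet("192.0.2.10", "203.0.113.5", "tcp", 80, TCP_SYN)),
    ("client syn to mgmt port",      Packet("192.0.2.10", "203.0.113.5", "tcp", 8443, TCP_SYN)),
    ("partner syn to mgmt port",     Packet("198.51.100.7", "203.0.113.5", "tcp", 8443, TCP_SYN)),
    ("spoofed source in our prefix", Packet("203.0.113.9", "203.0.113.5", "tcp", 80, TCP_SYN)),
    ("reply to outbound connection", Packet("192.0.2.10", "203.0.113.5", "tcp", 51234, TCP_ACK)),
    ("bare syn to ephemeral port",   Packet("192.0.2.10", "203.0.113.5", "tcp", 51234, TCP_SYN)),
    ("udp to dns port",              Packet("192.0.2.10", "203.0.113.5", "udp", 53)),
]


def sample_decisions() -> Dict[str, str]:
    """Evaluate the constructed packets against ACL; returns label -> action."""
    return {label: evaluate(ACL, pkt) for label, pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, action in sample_decisions().items():
        print(f"{action:6s} {label}")
```

The `established` rule is the price of going stateless: a bare ACK to any port on the web tier is admitted at the ACL and left for the host stack to discard, which is exactly why the reply wants the ACL to carry policy and the hosts and load balancers to carry connection semantics.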




