nanog mailing list archives

Re: I don't need no stinking firewall!


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 5 Jan 2010 21:33:00 +0000


On Jan 6, 2010, at 4:07 AM, Mark Foster wrote:

> I'm interested by this assertion; surely Stateful Inspection is meant to 
> facilitate the blocking of out-of-sequence packets, ones which aren't part 
> of valid + recognised existing sessions - whilst of course allowing valid 
> SYN session-starters, etc?
>
> So thus, there may still be some value in catching 'injected' packets 
> which don't actually belong in a session... ?

Nope - the hosts handle this better on their own.


> Some might argue that DoS is preferred to the other degrees of risk that 
> many webservers hold... (trying not to point the finger in any one 
> specific direction.)

Except that the firewalls don't mitigate any of the other degrees of risk, either.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
