nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: "TheIpv6guy ." <cb.list6 () gmail com>
Date: Fri, 18 Apr 2014 19:10:44 -0700
On Fri, Apr 18, 2014 at 6:53 PM, Dobbins, Roland <rdobbins () arbor net> wrote:

> On Apr 19, 2014, at 1:20 AM, William Herrin <bill () herrin us> wrote:
>
>> There isn't much a firewall can do to break it.
>
> As someone who sees firewalls break the Internet all the time for those whose packets have the misfortune to traverse one, I must respectfully disagree. ;>

Yep. I have seen many more security / availability events caused by a firewall tipping over than anything else. Firewalls tend to be put in as single points of failure so that there is one point of inspection / policy enforcement. And, HA pairs are generally a joke.

Two failure modes I have seen:

1. Firewall ALG saw a SIP packet option that it did not like, so it reloaded itself. In the process, it reflected the session state with fatal information to its HA mate, which immediately failed.

2. Same story with SYN floods: too many sessions coming in, FW cannot keep up with figuring out what is good, what is bad... Kablamoo.

The firewall is the weakest link in the chain.

Oh, and, then there is this... where the firewall, which is the one point of security control, is in fact an open tap to your entire network:
http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

But, it leads to clever things like this where home routers get hijacked as proxies... for whatever ...
http://danmcinerney.org/how-to-exploit-home-routers-for-anonymity/

I think stateful network based firewalls are more harm than good and I would like host and applications to be the ultimate front line of defense.

To each their own. Just a data point.

Enjoy

CB

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
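The SYN-flood failure mode above is a state-exhaustion problem: a stateful middlebox must hold a half-open entry for every SYN it sees, and runs out. One concrete reason a host can be a better front line here is SYN cookies, which let a listener answer SYNs without allocating any per-connection state until the third packet of the handshake arrives. The following is an added illustration written for this archive page, not code posted by any participant in the thread; the secret, the 8-bit slot plus 24-bit MAC layout and the IPv6 addresses are assumptions for illustration and are not the Linux kernel's actual tcp_syncookies encoding.

```python
"""SYN cookies: answering a TCP SYN without keeping per-connection state.

Added illustration for the NANOG thread above; it is not code posted by any
participant. It models the idea behind Linux's tcp_syncookies: the listener
folds a keyed hash of the connection 4-tuple, the client's ISN and a coarse
time slot into the SYN-ACK sequence number, stores nothing, and validates the
returning ACK by recomputing that hash. A flood of spoofed SYNs therefore
consumes no table entries, which is exactly the resource a stateful middlebox
runs out of. The layout used here (8-bit slot || 24-bit MAC) and the secret
are assumptions for illustration, not the kernel's actual encoding.
"""
import hashlib
import hmac

# Assumed per-host secret; a real implementation rotates this periodically.
SECRET = b"example-syn-cookie-secret"
SLOT_SECONDS = 64        # granularity of the embedded timestamp
MAX_AGE_SLOTS = 2        # reject ACKs for cookies older than roughly two minutes
MAC_BITS = 24
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(src, dst, sport, dport, slot, client_isn):
    """Keyed hash over the 4-tuple, time slot and client ISN, truncated to 24 bits."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}|{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _slot(now):
    """Coarse time slot, 8 bits wide so it wraps every 256 * SLOT_SECONDS."""
    return int(now // SLOT_SECONDS) & 0xFF


def make_cookie(src, dst, sport, dport, client_isn, now):
    """Server ISN for the SYN-ACK: high 8 bits = time slot, low 24 bits = MAC.

    Nothing is stored; the SYN can be forgotten as soon as the SYN-ACK leaves.
    """
    slot = _slot(now)
    return (slot << MAC_BITS) | _mac(src, dst, sport, dport, slot, client_isn)


def check_cookie(src, dst, sport, dport, client_seq, ack_num, now):
    """Validate the handshake's final ACK.

    client_seq is the sequence number in the ACK (client ISN + 1) and ack_num
    must be our cookie + 1. Returns True only if the cookie is fresh and its
    MAC matches this 4-tuple, so a forged or replayed ACK is rejected.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> MAC_BITS
    age = (_slot(now) - slot) & 0xFF          # wraps correctly across slot rollover
    if age > MAX_AGE_SLOTS:
        return False
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    expected = _mac(src, dst, sport, dport, slot, client_isn)
    got = cookie & MAC_MASK
    return hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big"))


def flood_then_connect(n_spoofed, now=1_700_000_000):
    """Constructed scenario: n_spoofed SYNs from bogus sources, then one real client.

    Returns (half_open_entries_held, legit_client_accepted). The listener
    answers every spoofed SYN with a cookie but keeps zero state, so the
    legitimate handshake still completes.
    """
    dst, dport = "2001:db8::1", 443
    half_open = 0                              # a stateful box would count n_spoofed here
    for i in range(n_spoofed):
        make_cookie(f"2001:db8:dead::{i:x}", dst, 1024 + (i % 60000), dport, i, now)

    src, sport, cisn = "2001:db8::10", 51000, 0x12345678
    sisn = make_cookie(src, dst, sport, dport, cisn, now)
    accepted = check_cookie(src, dst, sport, dport, cisn + 1, sisn + 1, now + 5)
    return half_open, accepted


def rejection_cases(now=1_700_000_000):
    """Constructed negative cases: guessed ACK, stale cookie, wrong source address."""
    src, dst, sport, dport, cisn = "2001:db8::10", "2001:db8::1", 51000, 443, 0x12345678
    sisn = make_cookie(src, dst, sport, dport, cisn, now)
    guessed = check_cookie(src, dst, sport, dport, cisn + 1, 0xDEADBEEF, now + 5)
    stale = check_cookie(src, dst, sport, dport, cisn + 1, sisn + 1, now + 10 * SLOT_SECONDS)
    spoofed = check_cookie("2001:db8::bad", dst, sport, dport, cisn + 1, sisn + 1, now + 5)
    return guessed, stale, spoofed
```

The trade-off a practitioner should keep in mind: the cookie replaces state with computation, so the listener must still do one HMAC per SYN and per ACK, and a 24-bit MAC gives an attacker who can guess the server's ISN a 1 in 16 million chance per blind ACK. That is why real implementations also drop TCP options they cannot encode and only enable cookies once the accept queue is under pressure.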