nanog mailing list archives

RE: Requirements for IPv6 Firewalls


From: Seamus Ryan <s.ryan () uber com au>
Date: Sun, 20 Apr 2014 13:52:27 +0000

Every time I see a Firewall related thread on one of the *NOG lists I count how many replies Roland will make before 
posting his State of Danger presentation.

We got to 10 this time :-)

FYI, not having a go here, Roland, it's a very insightful, interesting and well put together preso that I have forwarded 
on many times! I totally agree with the better part of it.

However....
While ACLs on stateless devices in the right place (routers/switches etc) are certainly the way to protect against "a 
3mb/sec of spoofed SYN-flooding taking down a supposedly 20gb/sec stateful firewall", the truth is that if I spend all 
day every day chopping wood, I would probably buy an electric saw. But if I only hammer two pieces of wood together a 
few times a year, I'm not going to waste my money on a nail gun, I would probably just get a hammer.

Similarly, if most of the time I just need to protect my relatively simple network by implementing a few separate zones, 
I will get a firewall; I'm not going to deploy expensive stateless devices that can push a billion pps everywhere and 
send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect against an attack 
that may only happen a few times a year. If you're the type of enterprise that IS seeing those types of attacks on a 
regular basis, unless they only started in the last few weeks the chances are you already know who the DDoS mitigation 
players are and how to implement them correctly (if not, pre-sales aren't doing their job right!).

That's how I see it anyhow. The right tool for the right job... though in most cases you still need the whole toolbox.

Regards,
Seamus

Thoughts are entirely my own


-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net] 
Sent: Saturday, 19 April 2014 12:11 PM
To: nanog () nanog org
Subject: Re: Requirements for IPv6 Firewalls


On Apr 19, 2014, at 9:04 AM, Jeff Kell <jeff-kell () utc edu> wrote:

> It's how we provide access control.

Firewalls <> 'access control'.

Firewalls are one (generally, very poor and grossly misused) way of providing access control.  They're often wedged in 
where stateless ACLs in hardware-based routers and/or layer-3 switches would do a much better job, such as in front of 
servers:

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
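To make the point the two messages argue over concrete, here is an added toy model (my own example, not code from either poster or from Arbor): a stateful firewall that keeps one entry per half-open connection versus a stateless port-based ACL, both fed the same flood of spoofed SYNs. The capacity, the constructed addresses and the permitted ports are all assumptions for the simulation.

```python
"""Toy model: state-table exhaustion on a stateful firewall versus a stateless ACL.

Assumptions (not from the thread): the stateful device stores one table entry per
(source, destination port) half-open flow and refuses new flows once full; the
stateless ACL only matches on destination port and keeps no per-flow state.
All packets are constructed in memory; nothing touches the network."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    syn: bool = True


class StatefulFirewall:
    """Tracks every SYN as a half-open flow; new flows are dropped once the table is full."""
    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table = set()
        self.dropped = 0

    def accept(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst_port)
        if key in self.table:
            return True            # existing flow, no new state needed
        if len(self.table) >= self.capacity:
            self.dropped += 1      # table exhausted: legitimate new flows die here too
            return False
        self.table.add(key)
        return True


class StatelessAcl:
    """Hardware-style ACL: permit listed destination ports, deny everything else."""
    def __init__(self, allowed_ports):
        self.allowed = frozenset(allowed_ports)

    def accept(self, pkt: Packet) -> bool:
        return pkt.dst_port in self.allowed   # no state, so nothing to exhaust


def run_simulation(flood_packets: int = 5000, capacity: int = 1000) -> dict:
    # Constructed flood: every SYN comes from a different spoofed source toward port 80.
    base = ipaddress.IPv4Address("10.0.0.0")
    flood = [Packet(src=str(base + i), dst_port=80) for i in range(flood_packets)]
    legit = Packet(src="203.0.113.10", dst_port=80)   # a real client arriving after the flood
    denied = Packet(src="203.0.113.10", dst_port=23)  # port not in the permit list
    fw, acl = StatefulFirewall(capacity), StatelessAcl({80, 443})
    for p in flood:
        fw.accept(p)
        acl.accept(p)
    dropped_during_flood = fw.dropped
    return {
        "stateful_dropped_during_flood": dropped_during_flood,
        "stateful_legit_accepted": fw.accept(legit),
        "acl_legit_accepted": acl.accept(legit),
        "acl_denied_port_accepted": acl.accept(denied),
    }


if __name__ == "__main__":
    print(run_simulation())
```

The stateless ACL still forwards the flood to the servers (it enforces policy, not rate), which is exactly why the thread pairs it with hosts and mitigation gear that can absorb it; what it never does is fail closed for legitimate clients because a table filled up.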
