nanog mailing list archives
RE: Requirements for IPv6 Firewalls
From: Brian Johnson <bjohnson () drtel com>
Date: Tue, 22 Apr 2014 18:55:03 +0000
Eric, If you read what he posted and really believe that is what he is saying, you need to re-think your career decision. It is obvious that he is not saying that. I hate it when threads break down to this type of tripe and ridiculous restatement of untruths. - Brian
-----Original Message-----
From: Eric Wieling [mailto:EWieling () nyigc com]
Sent: Tuesday, April 22, 2014 1:16 PM
To: Dobbins, Roland; nanog () nanog org
Subject: RE: Requirements for IPv6 Firewalls

It seems to me you are saying we should get rid of firewalls and rely on applications network security. This is so utterly idiotic I must be misunderstanding something. There are a few things we can count on in life: death, taxes, and application developers leaving giant security holes in their applications.

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net]
Sent: Saturday, April 19, 2014 12:10 AM
To: nanog () nanog org
Subject: Re: Requirements for IPv6 Firewalls

You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful firewalls in front of them, because it's very easy to knock them over due to state exhaustion. In fact, it's far easier to knock them over than to knock over properly-tuned naked hosts.

Also, you might want to search the NANOG email archive on this topic. There's lots of previous discussion, which boils down to the fact that serious organizations running serious applications/services don't put stateful firewalls (or 'IPS', or NATs, et al.) in front of their servers. The only way to secure hosts/applications/services against compromise is via those hosts/applications/services themselves. Inserting stateful middleboxes doesn't actually accomplish anything to enhance confidentiality and integrity, actually increases the attack surface due to middlebox exploits (read the numerous security notices for various commercial and open-source stateful firewalls for compromise exploits), and has a negative impact on availability.