nanog mailing list archives

Re: Requirements for IPv6 Firewalls

From: Doug Barton <dougb () dougbarton us>
Date: Tue, 22 Apr 2014 13:02:43 -0700

On 04/22/2014 12:18 PM, Christopher Morrow wrote:

Roland's saying basically:
   1) if you deploy something on 'the internet' you should secure that something
   2) the securing of that 'thing' should NOT be be placing a stateful
device between your users and the 'thing'.

In a simple case of:
   "Put a web server on the internet"

Roland's advice breaks down to:
   1) deploy server
   2) put acl on upstream router like:
       permit tcp any any eq 80
       deny ip any any
   3) profit

The router + acl will process line-rate traffic without care.

A key part of this overall strategy is also "Harden the system to runonly those services it needs to do its job." And the above implies thatthings like ssh (i.e., management services) should be ACL'ed to onlyallow access from inside .... etc.

But otherwise, yes; and yes, this strategy is very successful. Itremoves the stateful firewall as the SPOF.


Doug

Current thread:

Re: Requirements for IPv6 Firewalls, (continued)
- - - Re: Requirements for IPv6 Firewalls Dobbins, Roland (Apr 20)
    - RE: Requirements for IPv6 Firewalls Eric Wieling (Apr 22)
    - RE: Requirements for IPv6 Firewalls Brian Johnson (Apr 22)
    - Re: Requirements for IPv6 Firewalls Christopher Morrow (Apr 22)
    - Message not available
    - Re: Requirements for IPv6 Firewalls Christopher Morrow (Apr 22)
    - RE: Requirements for IPv6 Firewalls Matthew Huff (Apr 22)
    - Re: Requirements for IPv6 Firewalls Doug Barton (Apr 22)
    - Re: Requirements for IPv6 Firewalls George Herbert (Apr 22)
    - Re: Requirements for IPv6 Firewalls Doug Barton (Apr 22)
    - Re: Requirements for IPv6 Firewalls Lukasz Bromirski (Apr 22)
    - Re: Requirements for IPv6 Firewalls Doug Barton (Apr 22)
    - Re: Requirements for IPv6 Firewalls Peter Kristolaitis (Apr 18)
    - RE: Requirements for IPv6 Firewalls Seamus Ryan (Apr 20)
    - Re: Requirements for IPv6 Firewalls Dobbins, Roland (Apr 20)
    - RE: Requirements for IPv6 Firewalls Seamus Ryan (Apr 20)
    - Re: Requirements for IPv6 Firewalls Dobbins, Roland (Apr 20)
    - Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 18)
    - Re: Requirements for IPv6 Firewalls Lee Howard (Apr 21)
    - Re: Requirements for IPv6 Firewalls Valdis . Kletnieks (Apr 21)
    - Re: Requirements for IPv6 Firewalls Eugeniu Patrascu (Apr 19)
    - Re: Requirements for IPv6 Firewalls joel jaeggli (Apr 19)

(Thread continues...)