nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Doug Barton <dougb () dougbarton us>
Date: Tue, 22 Apr 2014 15:28:08 -0700
On 04/22/2014 01:49 PM, George Herbert wrote:
> As long as the various stateful firewalls and IDS systems offer hostile action detection and blocking capabilities that raw webservers lack, there are certainly counterarguments to the "port filter only" approach being advocated here.

Right, but now you're talking about something other than just a firewall.

> Focusing only on DDoS prevention from one narrow range of attack vectors targeting the firewalls themselves is narrow-minded. The security threat envelope is pretty wide. Vulnerabilities of a similar nature exist on the webservers themselves, and on load balancer devices you will likely need anyway.

Again, sure, but removing a needless firewall from the equation is one less thing to worry about.

> Any number of enterprises have chosen that, if a DDoS or other advanced attack is going to succeed, they would rather let it succeed in bringing down a firewall on the external shell of the security envelope than have it penetrate to the server level.

And if they are making that choice proactively, who am I to argue? I disagree, but their network, their rules.

What usually happens, though, is that enterprises believe that the firewall will protect them, without understanding that it can actually create a SPOF instead.

> Smart design can also handle transparently failing over should such a vendor-specific attack succeed. The idea that anyone doing real, big, complex networks would or has to accept any SPOF is ludicrous. The question is how important avoiding SPOFs is, and how committed you are. If the answer is "absolutely must, and we have enough budget to do so" then it's entirely doable.

Of course.

Doug
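Added example, not part of the thread or anyone's post in it: a toy Python model of the trade-off the two sides are arguing over. A stateless port filter keeps no per-flow memory, so a flood cannot exhaust it, but it also passes any packet addressed to an open port. A stateful firewall refuses packets that belong to no tracked flow, which is the "hostile action blocking" George refers to, but its flow table is finite, and once a flood of new flows fills it, legitimate new connections are refused as well, which is the SPOF Doug describes. All names, addresses, table sizes and packets below are constructed for illustration; the flow-table limit is a hypothetical stand-in for a real device's capacity.

```python
"""Toy model: stateless port filter vs. stateful firewall under a SYN flood.

Constructed example; packets, hosts and the flow-table limit are hypothetical.
"""
from collections import namedtuple

# Minimal packet: source host label, destination port, TCP flags. Constructed.
Packet = namedtuple("Packet", "src dport flags")

ALLOWED_PORTS = {80, 443}  # hypothetical public web front end


class StatelessPortFilter:
    """Permit-by-port ACL: holds no state, so a flood has nothing to exhaust."""

    def allow(self, pkt):
        # Accepts anything to an allowed port, including unsolicited ACKs.
        return pkt.dport in ALLOWED_PORTS


class StatefulFirewall:
    """Flow-tracking filter with a bounded flow table (hypothetical limit)."""

    def __init__(self, max_flows):
        self.max_flows = max_flows
        self.flows = set()
        self.drops_table_full = 0

    def allow(self, pkt):
        key = (pkt.src, pkt.dport)
        if key in self.flows:
            return True                 # packet belongs to a tracked flow
        if "SYN" not in pkt.flags:
            return False                # unsolicited non-SYN (e.g. ACK probe): drop
        if pkt.dport not in ALLOWED_PORTS:
            return False
        if len(self.flows) >= self.max_flows:
            self.drops_table_full += 1  # table exhausted: valid SYNs now fail too
            return False
        self.flows.add(key)
        return True


def syn_flood(n):
    """n SYNs to port 80, each from a distinct (spoofed) source. Constructed."""
    return [Packet(src=f"spoofed-{i}", dport=80, flags="SYN") for i in range(n)]


def run_scenario(fw, flood_size):
    """Apply a flood, then check a real client's SYN and an unsolicited ACK probe.

    Returns whether the legitimate new connection got through and whether the
    unsolicited ACK (something a stateful device would normally block) got through.
    """
    for pkt in syn_flood(flood_size):
        fw.allow(pkt)
    legit_syn = Packet(src="198.51.100.7", dport=443, flags="SYN")   # constructed
    ack_probe = Packet(src="198.51.100.9", dport=80, flags="ACK")    # constructed
    return {
        "legit_new_connection": fw.allow(legit_syn),
        "unsolicited_ack_passed": fw.allow(ack_probe),
    }


if __name__ == "__main__":
    print("stateless,       5000-SYN flood:", run_scenario(StatelessPortFilter(), 5000))
    print("stateful(1000),   100-SYN flood:", run_scenario(StatefulFirewall(1000), 100))
    print("stateful(1000),  5000-SYN flood:", run_scenario(StatefulFirewall(1000), 5000))
```

Run as-is: the stateless filter passes the real client under any flood size but also passes the ACK probe; the stateful device blocks the probe, and survives a flood smaller than its table, but once the table is full the real client's SYN is dropped along with the attacker's, which is the failure mode the thread calls a SPOF. Whether a redundant pair changes that depends on whether the second device has spare table capacity, not merely on its existence.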