nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Lukasz Bromirski <lukasz () bromirski net>
Date: Wed, 23 Apr 2014 00:50:57 +0200
On 22 Apr 2014, at 22:49, George Herbert <george.herbert () gmail com> wrote:
> Any number of enterprises have chosen that if a DDOS or other advanced attack is going to be successful, to let that be successful in bringing down a firewall on the external shell of the security envelope rather than having penetrated to the servers level.
And I don’t think there’s a problem with that approach. The problem starts when those anonymous enterprises “silently” expect that:

a) the firewall will somehow magically defend the network, scrub the “bad” traffic and let good traffic pass (“that’s why we’ve paid for a state-of-the-art firewall, right?!”)

b) the firewall will fail gracefully, taking down all services and doing a real hole in the transport, and not jabbing some packets here and there, maybe malformed, maybe parts of different connections crammed in wrong headers… until reboot; and the reboot may also not be totally transparent, as links will go up, down, init, and so on

c) insert your own horror story here

…and using those assumptions to advocate for a stateful firewall everywhere.

If you’re aware of those assumptions, and you’re aware of the constraints we’re facing with actually developing a working edge defence for the network, you’ll anyway be advocating the creation of a funnel - with stateless first lines of defense, taking care of all the trash that can come from the internet, and rate-limiting the traffic that seems to be legitimate if above certain thresholds. And at that point - a stateful firewall may not be needed anymore, because the service itself can scale better.

Nowadays, enterprise networks are picking up best practices from SPs, where scale does matter and networks are built to actually have those characteristics. Anycast DNS is often found in enterprise networks, as well as other anycasted services (usually in the “shared IP” model) - mail, web, AAA and other services. The same goes for actually protecting the internet edge. How often is your network being DDoSed? Be it 300kpps or 5Mpps, how will your stateful firewall at the edge of it deal with it?

And by the way, when we’re speaking about internet-visible services - how many stateful firewalls defend www.google.com? Or www.amazon.com? Or OpenDNS servers? Or 8.8.8.8/8.8.4.4? I bet none. But I would love to hear from the people maintaining them.
-- 
"There's no sense in being precise when   | Łukasz Bromirski
 you don't know what you're talking       | jid:lbromirski () jabber org
 about."               John von Neumann   | http://lukasz.bromirski.net
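The funnel argued for above, as an added simulation that is not part of this post or any vendor's code: a stateless first line (bogon and service-port ACL) and an aggregate per-port policer in front of a stateful tier, run over constructed IPv6 traffic from documentation ranges. The policer rate and burst, the 50 kpps spoofed flood and the flow-table model are all assumptions chosen to show how the state a stateful device must hold differs with and without the funnel.

```python
# Constructed "funnel" simulation: stateless ACL + aggregate policer in front of
# a stateful tier. Added example; addresses are documentation/ULA ranges.
import ipaddress
from collections import defaultdict

ALLOWED_PORTS = {80, 443}
BOGONS = [ipaddress.ip_network("fc00::/7"), ipaddress.ip_network("::/8")]

def stateless_ok(pkt):
    """First line: no per-flow state, only fixed-size prefix and port tests."""
    src, dport, _ = pkt
    if dport not in ALLOWED_PORTS:
        return False
    return not any(ipaddress.ip_address(src) in n for n in BOGONS)

class Policer:
    """Token bucket per destination port: state is O(#ports), not O(#sources)."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}
    def allow(self, dport, t):
        dt = t - self.last.get(dport, t)
        self.last[dport] = t
        self.tokens[dport] = min(self.burst, self.tokens[dport] + dt * self.rate)
        if self.tokens[dport] >= 1:
            self.tokens[dport] -= 1
            return True
        return False

def run(pkts, funnel):
    """Returns (packets reaching the stateful tier, flow entries it must hold)."""
    policer = Policer(rate_pps=1000, burst=100)   # assumed policer settings
    flows, reached = set(), 0
    for pkt in sorted(pkts, key=lambda p: p[2]):
        src, dport, t = pkt
        if funnel and (not stateless_ok(pkt) or not policer.allow(dport, t)):
            continue
        if dport not in ALLOWED_PORTS:   # stateful tier's own port policy
            continue
        reached += 1
        flows.add((src, dport))          # conntrack-style entry per new flow
    return reached, len(flows)

def constructed_traffic():
    """Packets as (src, dst_port, seconds); all values are constructed."""
    flood = [(f"2001:db8:ffff::{i:x}", 443, i * 0.00002) for i in range(5000)]  # spoofed 50 kpps
    legit = [(f"2001:db8:1::{i:x}", 443, i * 0.005) for i in range(20)]
    bogon = [(f"fd00::{i:x}", 443, i * 0.001) for i in range(100)]     # ULA, never valid from Internet
    junk = [(f"2001:db8:2::{i:x}", 22, i * 0.001) for i in range(100)]  # unpublished service
    return flood + legit + bogon + junk
```

Without the funnel the stateful tier has to create an entry for every spoofed source; with it, the table stays bounded by the policer's rate and burst, at the cost of some legitimate packets being policed during the flood.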