D/DoS mitigation hardware/software needed.
Dobbins, Roland
rdobbins at arbor.net
Tue Jan 5 07:47:46 UTC 2010
On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:
> * Defense in depth. You've never had a host that received external traffic ever accidentally have iptables or windows firewall turned off? Even when debugging a production outage or on accident?
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps. 'Stateful inspection' where in fact there is no useful state to inspect is pointless.
> * Location for IDS/IDP.
Non-sequitur, as these things have nothing to do with one another (plus, these devices are useless, anyways, heh).
> * Connection cleanup, re-assembling fragments, etc.
Far, far, far better and more scalably handled by the hosts themselves and/or load-balancers.
> * SYN flood protection, etc.
Firewalls simply don't handle this well, marketing claims aside. They crash and burn.
> * Single choke point to block incoming traffic deemed undesirable.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Single log point for inbound connections for analysis and auditing requirements.
Contextless, arbitrary syslog from firewalls and other such devices is largely useless for this purpose. NetFlow combined with server/app/service logs is the answer to this requirement.
> * Allows outbound traffic enforcement.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Allows conditional inbound traffic from specific approved external hosts- e.g. a partner.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Some firewalls allow programmatic modification of configurations with all the benefits/pain that brings. This is alongside traditional CLI and GUI interfaces.
Ugly, brittle, siloed, to be avoided at all costs.
> * In some/many cases a zone based firewall configuration can be much easier to work with than a large iptables config. Certainly the management tools are better.
Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.
> * Yeah, auditors like it.
Education is the answer here.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
More information about the NANOG
mailing list