I don't need no stinking firewall!
Dobbins, Roland
rdobbins at arbor.net
Tue Jan 5 21:33:00 UTC 2010
On Jan 6, 2010, at 4:07 AM, Mark Foster wrote:
> I'm interested by this assertion; surely Stateful Inspection is meant to
> facilitate the blocking of out-of-sequence packets, ones which aren't part
> of valid + recognised existing sessions - whilst of course allowing valid
> SYN session-starters, etc?
>
> So thus, there may still be some value in catching 'injected' packets
> which don't actually belong in a session... ?
Nope - the hosts handle this better on their own.
>
> Some might argue that DoS is preferred to the other degrees of risk that
> many webservers hold... (trying not to point the finger in any one
> specific direction.)
Except that the firewalls don't mitigate any of the other degrees of risk, either.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken