I don't need no stinking firewall!

Dobbins, Roland rdobbins at arbor.net
Tue Jan 5 21:33:00 UTC 2010


On Jan 6, 2010, at 4:07 AM, Mark Foster wrote:

> I'm interested by this assertion; surely Stateful Inspection is meant to 
> facilitate the blocking of out-of-sequence packets, ones which aren't part 
> of valid + recognised existing sessions - whilst of course allowing valid 
> SYN session-starters, etc?
> 
> So thus, there may still be some value in catching 'injected' packets 
> which don't actually belong in a session... ?

Nope - the hosts handle this better on their own.

> 
> Some might argue that DoS is preferred to the other degrees of risk that 
> many webservers hold... (trying not to point the finger in any one 
> specific direction.)

Except that the firewalls don't mitigate any of the other degrees of risk, either.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken







More information about the NANOG mailing list