I don't need no stinking firewall!

• Previous message (by thread): I don't need no stinking firewall!
• Next message (by thread): I don't need no stinking firewall!
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jan 11, 2010, at 12:56 PM, George Bonser wrote:

>  One would probably have a load balancer of some sort in front of those machines.  That is the device that would be fielding any DoS.

Yes, and as you've noted previously, it should be protected via stateless ACLs in hardware capable of handling mpps, S/RTBH, flow-spec, IDMS, whatever.  And of course the load-balancer should also be fronted by a reverse-proxy cache farm, if the servers in question are Web servers.

> I have a feeling you are talking about relatively small amounts of traffic.  

I believe that these comments were more along the lines of 'servers can better handle this that stateful firewalls', not ruling out the use of load-balancers, reverse-proxy caches, etc. as appropriate.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken

• Previous message (by thread): I don't need no stinking firewall!
• Next message (by thread): I don't need no stinking firewall!
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]