D/DoS mitigation hardware/software needed.

Dobbins, Roland rdobbins at arbor.net
Tue Jan 5 01:47:46 CST 2010


On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:

> * Defense in depth.  You've never had a host that received external traffic ever accidentally have iptables or windows firewall turned off?  Even when debugging a production outage or on accident?

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.  'Stateful inspection' where in fact there is no useful state to inspect is pointless.

> * Location for IDS/IDP.

Non-sequitur, as these things have nothing to do with one another (plus, these devices are useless, anyways, heh).

> * Connection cleanup, re-assembling fragments, etc.

Far, far, far better and more scalably handled by the hosts themselves and/or load-balancers.

> * SYN flood protection, etc.

Firewalls simply don't handle this well, marketing claims aside.  They crash and burn.

> * Single choke point to block incoming traffic deemed undesirable.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Single log point for inbound connections for analysis and auditing requirements.

Contextless, arbitrary syslog from firewalls and other such devices is largely useless for this purpose.  NetFlow combined with server/app/service logs is the answer to this requirement.

> * Allows outbound traffic enforcement.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Allows conditional inbound traffic from specific approved external hosts- e.g. a partner.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Some firewalls allow programmatic modification of configurations with all the benefits/pain that brings.  This is alongside traditional CLI and GUI interfaces.

Ugly, brittle, siloed, to be avoided at all costs.

> * In some/many cases a zone based firewall configuration can be much easier to work with than a large iptables config.  Certainly the management tools are better.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Yeah, auditors like it.

Education is the answer here.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken







More information about the NANOG mailing list