I don't need no stinking firewall!
bruns at 2mbit.com
Tue Jan 5 14:58:52 CST 2010
On 1/5/10 1:29 PM, Dobbins, Roland wrote:
> Putting firewalls in front of servers is a Really Bad Idea - besides
> the fact that the stateful inspection premise doesn't apply (see
> above), rendering the stateful firewall superfluous, even the
> biggest, baddest firewalls out there can be easily taken down via
> state-table exhaustion; an attacker can craft enough
> programmatically-generated, well-formed traffic which conforms to the
> firewall policies to 'crowd out' legitimate traffic, thus DoSing the
> server. Addtionally, the firewall can be made to collapse far
> quicker than the server itself would collapse, as the overhead on the
> state-tracking is less than what the server itself could handle on
> its own.
The trick is to not track ports/IPs that do not need it. On my combo
firewalls (that handle both NATing and serving websites, dns, etc) for
example, I'll do a NOTRACK on the LAN side to prevent connections to the
firewall itself from taking up valuable table space.
It's all how you configure and tweak the firewall. Recommending people
run servers without a firewall is bad advice - do you really want your
Win2k3 server exposed, SMB, RPC, and all to the world?
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
More information about the NANOG