I don't need no stinking firewall!

Jared Mauch jared at puck.nether.net
Wed Jan 6 13:36:59 UTC 2010

On Jan 5, 2010, at 4:24 PM, Robert Brockway wrote:

> Do you have any evidence to support this assertion?  You've just asserted that all firewalls have a specific vulnerability.  It isn't even possible to know the complete set of architectures (hardware & software) used for firewalls so I don't see how you can assert they all have this vulnerability.

Just about every DDoS I've ever been involved in mitigating results in some device labeled "firewall" blowing its brains out and crippling the company further than if they had utilized a more distributed model.

When combined with various other layers of mitigation that are either integrated or inline with another device, we've spent lots of time troubleshooting which exact device was causing the most trouble.

I can't cite specific cases unless my customers say I can, but it's somewhat amusing to watch some C* of a company realize they've wasted money on a device/service that actually made the problem worse in the face of an attack.

There are those that might say the protection devices were not properly used, configured, etc., and if that's the case, it reflects the sad state of the lack of maturity of the industry/tech.  (Or that it's obsolete.)

- Jared
