I don't need no stinking firewall!

Brian Johnson bjohnson at drtel.com
Wed Jan 6 08:51:37 CST 2010


I will not argue the more complete statement about the architectural
premise that stateful firewalls are being produced under. That would be
fruitless and I would concede to Roland and his statements on that.

It appears that the real argument is whether stateful inspection is
useful, and whether the firewall causes other issues to the network
design. If this is so, then I would say that it depends on the network
and its design as to whether a stateful firewall is useful. One could
put ACLs in routers and switches, but when you break it down and turn
off stateful inspection, that is what a firewall is.

As always, you should always consider your network design before
implementing any network appliance that will/may affect traffic. I don't
think that discarding ideas like signature based analysis and DPI are
wise. Depending on the network, the staff running the network, the users
using the network, external exposure and many other metrics, I don't
think that anyone should be making broad statements on equipment
decisions.

I'm glad that I can go to lists like NANOG with this type of question
and not get the clue bat across the head. Like Roland, I've been doing
this for over a decade as well, and I have seen some pretty strange
things, even a stateful firewall in front of servers with IPS actually
work.

This thread is a tribute to different ideas and beliefs as well as
experience on this topic. Please keep up the conversation and down the
condescension and rhetoric.

Thank you.

- Brian

> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins at arbor.net]
> Sent: Wednesday, January 06, 2010 7:52 AM
> To: NANOG list
> Subject: Re: I don't need no stinking firewall!
> 
> 
> On Jan 6, 2010, at 8:42 PM, Jared Mauch wrote:
> 
> > The reality is they just have not been attacked yet, and hence have
> > no experience in what to do about the problem...
> 
> And they've been bombarded with misinformation for years by 'security'
> vendors, wildly unrealistic certification training courses, and the
> 'compliance' mafia; you're right, of course.
> 
> ;>
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
>     Injustice is relatively easy to bear; what stings is justice.
> 
>                         -- H.L. Mencken
> 
> 
> 


 CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the
intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,
copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original message. Thank you.
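The distinction Brian draws between a router ACL and a stateful firewall is easy to see in a few lines of code. The example below is added here for illustration and is not part of the NANOG thread or any vendor's implementation; the addresses, ports and the "inside" prefix are constructed. It runs the same packet sequence through a stateless ACL (which can only permit inbound traffic that looks like a reply, as a classic `established` entry does) and through a minimal flow tracker (which admits inbound packets only for connections it saw opened from inside), and it also shows the trade-off the thread is arguing about: the tracker's flow table is state that can fill up.

```python
"""Stateless ACL vs stateful connection tracking, on constructed packets.
Added example; not code from the NANOG thread."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


INSIDE_PREFIX = "10.0.0."  # constructed: the protected side of the filter


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL with no memory. Outbound is permitted; inbound is
    permitted only when it looks like a reply (ACK or RST set), which is
    what a classic 'established' ACL entry checks. It cannot know whether
    a matching outbound request ever happened."""
    if is_inside(pkt.src):
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Tracks flows opened from inside and admits inbound packets only when
    they belong to one. The flow table is the state the ACL lacks, and also
    the resource a stateful device can run out of."""

    def __init__(self, max_flows: int = 1000) -> None:
        self.flows: Set[Flow] = set()
        self.max_flows = max_flows

    def allow(self, pkt: Packet) -> bool:
        fwd: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src):
            if fwd in self.flows:
                if "RST" in pkt.flags:
                    self.flows.discard(fwd)
                return True
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                if len(self.flows) >= self.max_flows:
                    return False  # table full: new outbound flows are refused
                self.flows.add(fwd)
                return True
            return False  # mid-stream packet of a flow never seen opening
        if rev in self.flows:
            if "RST" in pkt.flags:
                self.flows.discard(rev)
            return True
        return False  # inbound packet with no tracked flow behind it


def compare(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Run the same packets through both filters; (acl, stateful) per packet."""
    sf = StatefulFilter()
    return [(stateless_acl(p), sf.allow(p)) for p in packets]


def f(*flags: str) -> FrozenSet[str]:
    return frozenset(flags)


# Constructed traffic: an inside host opens a connection to a web server,
# then an unrelated outside host sends a bare ACK at the inside host.
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, f("SYN")),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, f("SYN", "ACK")),
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, f("ACK")),
    Packet("203.0.113.9", 5555, "10.0.0.5", 22, f("ACK")),
]


def run_demo() -> List[Tuple[bool, bool]]:
    return compare(SAMPLE)


if __name__ == "__main__":
    for pkt, (acl, st) in zip(SAMPLE, run_demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}"
              f"  acl={'permit' if acl else 'deny'}"
              f"  stateful={'permit' if st else 'deny'}")
```

The first three packets pass both filters. The fourth, a stray inbound ACK with no prior outbound SYN, passes the ACL because the ACK bit alone satisfies the "established" test, and is dropped by the flow tracker because no tracked flow matches. The `max_flows` bound is what the trackerless design gives up nothing to: an ACL has no table to exhaust, while a stateful device has to size and protect its flow table, which is the design consideration the thread keeps returning to.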



