I don't need no stinking firewall!

Brian Keefer chort at smtps.net
Wed Jan 6 17:38:01 UTC 2010

On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:

>  Like Roland, I've been doing
> this for over a decade as well, and I have seen some pretty strange
> things, even a statefull firewall in front of servers with IPS actually
> work.

What do you mean by "work"?  If you mean "all three pieces ran for years without being seriously attacked", then that's really not the same thing as "continued to perform assigned duties effectively in the face of a determined DDoS".

I'd venture to say the vast majority of network operators, including myself, have never faced a DoS worse than a miscreant kid with a cable modem.  The few customers I've talked to who have been DDoS'd have all said the firewall died first.

It's pretty simple.  Of the devices on your network that have to keep state, a firewall has to maintain far more of them, since it's the aggregate of many down-stream hosts.  The resources to maintain state are finite.  At some point, those finite resources will be exceeded, and that will happen to a device holding the aggregate before any other device succumbs to the same problem.

If the firewall goes down, that DoS's everything behind it.  Is that really better than having only a portion of the down-stream hosts unavailable?

IMO firewalls have been a crutch for far too long.  They're an excuse for not having tight host-based security and (more importantly) good patch-management.  There really isn't a network perimeter any more any way.  If any of your hosts gets infected, they're going to attempt to infect their neighbors.  Worms have been doing this since they were invented and a network firewall offers very little protection against it.

Put another way:  Is it clear that spending money on fancy network firewalls and IPS is more effective at mitigating risk than investing the same money in patch-management and host-hardening?  I don't think so.

I'd also like to add a +1 to the statement "firewalls break things in subtle and hard-to-debug ways".  The longest support calls are always those trying to figure out how the customer's firewall is breaking things, and then how to prove this to their $management so they'll approve disabling the offending "feature".  Speaking of which, there are about 700MB of PCAPs that I'm supposed to be looking at right now...


More information about the NANOG mailing list