I don't need no stinking firewall!

Brian Keefer chort at smtps.net
Wed Jan 6 21:12:24 UTC 2010
On Jan 6, 2010, at 11:29 AM, Brian Johnson wrote:

> If your point is given unlimited inbound bandwidth that a stateful
> firewall will fail (not work correctly), I can say that about any piece
> of equipment.  And even if it does fail, does it matter if your
> connection is full of useless traffic?
> 


It's a lot easier to fill up a state table than to fill up a pipe, which I believe was Roland's point.

It's quite possible to flood the state table on a device with a fraction of the pipe's capacity, in which case a stateful device will fall over where a stateless device would not have.  This type of attack will definitely degrade the service it's aimed at, and probably degrade other services sharing the same pipe, but won't _necessarily_ kill them as is the case when a stateful gateway falls over.

Typical scenario is $badguys DDoS one of your webservers.  If the gateway is stateless, your webservers grind to a crawl, but your DNS, e-mail, VOIP, etc probably still function to a degree.  Contrast that with site-wide outage if your gateway was stateful and crashed/rebooted/refused to pass traffic due to having the state table filled.

You're not going to be able to stop $sophisticated_badguy from enumerating your services no matter how fancy your gear is.  Could you detect a distributed portscan that looks at 5000 proto/IP/port combos per day, across your IP space, each probe coming from a different IP? I really doubt it.  If you have services listening, someone is going to find them.

IMO you're better off making sure only the services you intend to provide are listening, and that those services are hardened appropriately for public exposure.

This topic has probably run its course; everyone has different opinions and takes away different lessons from their experience.  I think it's valuable to challenge the common assumptions (everyone knows you need a stateful firewall!) now and then to make sure they actually make sense.

--
bk
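The scenario above (a flood that fills a stateful gateway's state table while using only a fraction of the pipe, taking down every service behind the gateway, whereas a stateless ACL only lets the targeted server suffer) as a toy simulation. This is an added example, not code from the original post or from any NANOG participant; the pipe size, state-table capacity, SYN size and traffic mix are all made-up assumptions chosen for illustration, and the "gateways" are deliberately simplified models with no entry expiry or SYN-cookie style defences.

```python
"""Added example: toy model of a stateful gateway vs. a stateless ACL under a
state-table exhaustion flood.  Every number below (pipe size, state-table
capacity, packet size, traffic rates) is an assumption chosen for
illustration, not a measurement of any real device."""

PIPE_BPS = 100_000_000         # assumed 100 Mbit/s uplink
SYN_BYTES = 64                 # assumed on-the-wire size of a minimal TCP SYN
STATE_TABLE_MAX = 20_000       # assumed capacity of the gateway's state table
ALLOWED_PORTS = {25, 53, 80}   # the services the site intends to expose


class StatefulGateway:
    """Tracks every flow it admits; a new flow needs a free table slot."""

    def __init__(self, max_entries=STATE_TABLE_MAX):
        self.max_entries = max_entries
        self.table = set()

    def accept(self, pkt):
        if pkt["dport"] not in ALLOWED_PORTS:
            return False
        key = (pkt["src"], pkt["dport"])
        if key in self.table:            # established flow: always passes
            return True
        if len(self.table) >= self.max_entries:
            return False                 # table full: *all* new flows fail,
                                         # whatever service they were for
        self.table.add(key)
        return True


class StatelessGateway:
    """Pure ACL: the decision depends only on the packet, never on history."""

    def accept(self, pkt):
        return pkt["dport"] in ALLOWED_PORTS


def make_traffic(attack_syns=60_000, legit_every=20):
    """One second of constructed traffic: a SYN flood from unique spoofed
    sources aimed at the web server, interleaved with one legitimate new flow
    to DNS, SMTP or HTTP (in rotation) every `legit_every` attack packets."""
    services = (53, 25, 80)
    pkts = []
    for i in range(attack_syns):
        if i % legit_every == 0:
            port = services[(i // legit_every) % len(services)]
            pkts.append({"src": f"client-{i}", "dport": port,
                         "bytes": SYN_BYTES, "kind": "legit"})
        pkts.append({"src": f"spoofed-{i}", "dport": 80,
                     "bytes": SYN_BYTES, "kind": "attack"})
    return pkts


def attack_pipe_fraction(pkts):
    """Share of the uplink the flood consumes in the simulated second."""
    attack_bits = sum(p["bytes"] * 8 for p in pkts if p["kind"] == "attack")
    return attack_bits / PIPE_BPS


def run(gateway, pkts):
    """Count legitimate new flows the gateway admits, per destination port."""
    passed = {53: 0, 25: 0, 80: 0}
    for p in pkts:
        if gateway.accept(p) and p["kind"] == "legit":
            passed[p["dport"]] += 1
    return passed


if __name__ == "__main__":
    traffic = make_traffic()
    print(f"flood uses {attack_pipe_fraction(traffic):.0%} of the pipe")
    print("stateless ACL admitted:    ", run(StatelessGateway(), traffic))
    print("stateful gateway admitted: ", run(StatefulGateway(), traffic))
```

With these assumptions the flood occupies about 31% of the pipe, the stateless ACL admits all 1000 new DNS, SMTP and HTTP flows (the web server itself may still be swamped, but that is its problem alone), and the stateful gateway admits only the first few hundred of each before its table fills, after which DNS and mail fail along with the web server even though the pipe has plenty of headroom. Real devices add timeouts and SYN-proxying that change the numbers, not the shape of the failure.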
