I don't need no stinking firewall!

bill from home bill at kruchas.com
Fri Jan 8 07:22:00 CST 2010


All,
    This thread certainly has been educational, and has changed my 
perception of what an appropriate outward facing architecture should be.
But seldom do I have the luxury of designing this from scratch, and also 
the networks I administer are "small business's".
My question is at what size connection does a state table become 
vulnerable, are we talking 1mb dsl's with a soho firewall?
Or as I suspect we are talking about a larger scale?
I know there are variables, I am just looking for a "rule of thumb".
I would not want to recommend a change if it is not warranted.
But when fatter and fatter pipes become available at what point would a 
change be warranted.

Thanks
Bill Kruchas


Dobbins, Roland wrote:
> On Jan 8, 2010, at 3:21 PM, Arie Vayner wrote:
>
>   
>> Further on, if you want to really protect against a real DDoS you would most likely would have to look at a really distributed solution, where the different geographical load balancing solutions come into play.
>>     
>
> GSLB or whatever we want to call it is extremely useful from a general availability standpoint; however, the attackers can always scale up and really distribute their already-DDoS even further (they learned about routeservers and DNS tinkering years ago).  
>
> Architecture, visibility, and control are key, as are vendor/customer/peer/upstream/opsec community relationships.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>     Injustice is relatively easy to bear; what stings is justice.
>
>                         -- H.L. Mencken
>
>
>
>
>   



More information about the NANOG mailing list