I don't need no stinking firewall!

Dobbins, Roland rdobbins at arbor.net
Sun Jan 10 01:31:05 UTC 2010

On Jan 10, 2010, at 5:51 AM, harbor235 wrote:

> Other security features in an Enterprise Class firewall:
>    -Inside source based NAT, reinforces secure traffic flow by allowing outside to inside flows based on
>        configured translations and allowed security policies

Terrible from an availability perspective, troubleshooting perspective, too.  Just dumb, dumb, dumb - NATted servers fall over at the drop of a hat due to the NAT device choking.

>    -TCP sequence number randomization (to prevent TCP seq number guessing)

Server IP stack does this itself just fine.

>    -Intrusion Detection and Prevention (subset of most common signatures)
>        recognize scanning attempts and mitigate
>        recognize common attacks and mitigate


>    -Deep packet inspection (application aware inspection for common network services)

Terrible from an availability perspective, snake-oil.

>    - Policy based tools for custom traffic classification and filtering

Can be done statelessly, no firewall required.

>    -Layer 3 segmentation (creates inspection and enforcement points)

Doesn't require a firewall.

>    -Full/Partial Proxy services with authentication

If needed, can be better handled by transparent reverse-proxy farms; auth handled on the servers themselves.

>    - Alarm/Logging capabilities providing info on potential attacks
>    -etc ......

NetFlow from the network infrastructure, the OS/apps/services on the server itself do this, etc.

> Stateful inspection further enhances the security capabilities of a firewall.

No, it doesn't, not in front of servers where there's no state to inspect, in the first place, given that every incoming packet is unsolicited.

> You may choose not to use a firewall or implement a sound security posture utilizing the "Defense in Depth" philosophy, however your chances of being compromised are dramatically increased.

Choosing not to make the mistake of putting a useless, counterproductive firewall in front of a server doesn't mean one isn't employing a sound, multi-faceted opsec strategy.

I know that all the firewall propaganda denoted above is repeated endlessly, ad nauseam, in the Confused Information Systems Security Professional self-study comic books, but I've found that a bit of real-world operational experience serves as a wonderful antidote, heh.


Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
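The thread argues two related points: policy-based filtering "can be done statelessly, no firewall required", and stateful inspection buys nothing in front of a server where every inbound packet is unsolicited. The following is an added example, not code from either poster or from NANOG, that models a classic stateless router ACL in front of a web server: first match wins, implicit deny, and the old "established" keyword that matches purely on the ACK/RST bit instead of a connection table. The server address, the ACL, and the sample packets are constructed (documentation address ranges); the last sample shows the known trade-off of that approach, which the server's own TCP stack absorbs by answering with a RST rather than by exhausting any state table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed sample topology: one web server on a documentation-range address.
SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()     # TCP flag names, e.g. {"SYN"}, {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: str                        # CIDR prefix
    dst: str                        # CIDR prefix
    dport: Optional[int] = None     # None matches any destination port
    established: bool = False       # stateless "established": ACK or RST bit set


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet header satisfies every field of the rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not ({"ACK", "RST"} & pkt.flags):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, implicit deny at the end, as on a router ACL.
    No connection table is consulted: each packet is judged on its own header."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed inbound ACL, applied on the Internet-facing interface toward the server.
WEB_SERVER_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", f"{SERVER}/32", dport=80),
    Rule("permit", "tcp", "0.0.0.0/0", f"{SERVER}/32", dport=443),
    # Replies to connections the server itself opened (updates, DNS over TCP):
    # admitted on the ACK/RST bit alone, with no state kept on the filter.
    Rule("permit", "tcp", "0.0.0.0/0", f"{SERVER}/32", established=True),
]


def classify_samples() -> Dict[str, str]:
    """Constructed packets run through the ACL; returns {label: decision}."""
    samples = {
        "client SYN to 443": Packet("198.51.100.7", SERVER, "tcp", 51515, 443, frozenset({"SYN"})),
        "client SYN to 22": Packet("198.51.100.7", SERVER, "tcp", 51516, 22, frozenset({"SYN"})),
        "SYN/ACK reply to server's own connection": Packet("203.0.113.9", SERVER, "tcp", 443, 40001, frozenset({"SYN", "ACK"})),
        "unsolicited SYN to a high port": Packet("203.0.113.9", SERVER, "tcp", 443, 40001, frozenset({"SYN"})),
        # Stateless trade-off: a bare ACK passes the filter; the server's TCP stack
        # has no such connection and answers RST. Nothing on the filter fills up.
        "bare ACK to a high port": Packet("203.0.113.9", SERVER, "tcp", 443, 40002, frozenset({"ACK"})),
    }
    return {label: evaluate(WEB_SERVER_ACL, pkt) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, decision in classify_samples().items():
        print(f"{decision:6}  {label}")
```

The ACL carries no per-flow memory, so its cost is a fixed number of header comparisons per packet regardless of how many half-open connections arrive, which is the availability argument the reply makes against a stateful device in the same position.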
