I don't need no stinking firewall!
Dobbins, Roland
rdobbins at arbor.net
Sun Jan 10 01:31:05 UTC 2010
On Jan 10, 2010, at 5:51 AM, harbor235 wrote:
> Other security features in an Enterprise Class firewall;
> -Inside source-based NAT reinforces secure traffic flow by allowing outside-to-inside flows based on
> configured translations and allowed security policies
Terrible from an availability perspective, troubleshooting perspective, too. Just dumb, dumb, dumb - NATted servers fall over at the drop of a hat due to the NAT device choking.
> -TCP sequence number randomization (to prevent TCP seq number guessing)
Server IP stack does this itself just fine.
> -Intrusion Detection and Prevention (subset of most common signatures)
> recognize scanning attempts and mitigate
> recognize common attacks and mitigate
Snake-oil.
> -Deep packet inspection (application aware inspection for common network services)
Terrible from an availability perspective, snake-oil.
> - Policy based tools for custom traffic classification and filtering
Can be done statelessly, no firewall required.
> -Layer 3 segmentation (creates inspection and enforcement points)
Doesn't require a firewall.
> -Full/Partial Proxy services with authentication
If needed, can be better handled by transparent reverse-proxy farms; auth handled on the servers themselves.
> - Alarm/Logging capabilities providing info on potential attacks
> -etc ......
NetFlow from the network infrastructure, the OS/apps/services on the server itself do this, etc.
>
> Stateful inspection further enhances the security capabilities of a firewall.
No, it doesn't, not in front of servers where there's no state to inspect, in the first place, given that every incoming packet is unsolicited.
> You may choose not to use a firewall or implement a sound security posture utilizing the "Defense in Depth" philosophy; however, your chances of being compromised are dramatically increased.
Choosing not to make the mistake of putting a useless, counterproductive firewall in front of a server doesn't mean one isn't employing a sound, multi-faceted opsec strategy.
I know that all the firewall propaganda denoted above is repeated endlessly, ad nauseam, in the Confused Information Systems Security Professional self-study comic books, but I've found that a bit of real-world operational experience serves as a wonderful antidote, heh.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
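The availability argument in the post (a stateful device keeps per-flow state that can be exhausted, while a stateless ACL in front of a server decides from each packet alone) as an added toy model; this is not code from the original thread, and the addresses, ports and table size are constructed.

```python
from dataclasses import dataclass

SERVER_PORTS = {80, 443}          # constructed: ports the server actually serves

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    syn: bool

def stateless_acl(pkt: Packet) -> bool:
    """Decide from the packet alone: a served port is open, anything else is
    dropped. There is no table to fill, so load cannot change the answer."""
    return pkt.dport in SERVER_PORTS

class StatefulFilter:
    """Admits a flow only after seeing its SYN and remembering it in a table
    of bounded size. Every unsolicited SYN costs an entry."""
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.flows: set[tuple[str, int, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.dport not in SERVER_PORTS:
            return False
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.flows:
            return True                       # known flow, pass
        if pkt.syn and len(self.flows) < self.capacity:
            self.flows.add(key)               # new flow, record it
            return True
        return False                          # no state, or table already full

def compare(clients: int, junk_syns: int, capacity: int) -> dict[str, int]:
    """Return how many packets from real clients each filter admits when
    `junk_syns` unsolicited SYNs from distinct sources arrived beforehand."""
    junk = [Packet(f"203.0.113.{i % 250 + 1}", 40000 + i, 80, True)
            for i in range(junk_syns)]                    # constructed RFC 5737 sources
    legit = []
    for c in range(clients):                              # each client: SYN, then data
        src = f"198.51.100.{c + 1}"
        legit += [Packet(src, 50000 + c, 443, True), Packet(src, 50000 + c, 443, False)]
    sf = StatefulFilter(capacity)
    for pkt in junk:                                      # table fills before clients arrive
        sf.check(pkt)
    return {"stateless": sum(stateless_acl(p) for p in legit),
            "stateful": sum(sf.check(p) for p in legit)}
```

With the state table full, `compare(5, 100, 64)` admits all ten client packets through the stateless ACL and none through the stateful filter; with no junk traffic both admit all ten.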