I don't need no stinking firewall!
George Bonser
gbonser at seven.com
Mon Jan 11 05:56:14 UTC 2010
> > And I don't believe anyone is necessarily advocating exposing individual
> > servers directly to the internet either.
>
> Actually, some of us are.
That can be difficult to do when you have maybe 300 or 400 servers that
handle one service. Let's say you have a site called www.foobar.com and
you have several hundred servers on the front end that handle that
domain. You aren't going to put several hundred A records in DNS; at
least I hope you aren't. One would probably have a load balancer of
some sort in front of those machines. That is the device that would be
fielding any DoS.
> > There are other devices that can handle isolation of the servers and
> > protect them against such things as syn floods.
>
> What is the point of that when the servers can do it themselves?
I have a feeling you are talking about relatively small amounts of
traffic.