I don't need no stinking firewall!

George Bonser gbonser at seven.com
Sun Jan 10 23:56:14 CST 2010


> > And I don't believe anyone is necessarily advocating exposing
> individual
> > servers directly to the internet either.
> 
> Actually, some of us are.

That can be difficult to do when you have maybe 300 or 400 servers that
handle one service.  Let's say you have a site called www.foobar.com and
you have several hundred servers on the front end that handle that
domain.  You aren't going to put several hundred A records in DNS; at
least I hope you aren't.  One would probably have a load balancer of
some sort in front of those machines.  That is the device that would be
fielding any DoS.


> > There are other devices that
> > can handle isolation of the servers and protect them against such
> things
> > as syn floods.
> 
> What is the point of that when the servers can do it themselves?

I have a feeling you are talking about relatively small amounts of
traffic.  






More information about the NANOG mailing list