Requirements for IPv6 Firewalls

Dobbins, Roland rdobbins at
Sun Apr 20 14:04:28 UTC 2014

On Apr 20, 2014, at 8:52 PM, Seamus Ryan <s.ryan at> wrote:

> Similarly if most of the time I just need to protect my relatively simple network by implementing a few separate zones I will get a firewall, I'm not going to deploy expensive stateless devices that can push a billion pps everywhere and send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect against an attack that may only happen a few times a year.

I'm talking about stateless ACLs on hardware-based routers and switches for enforcing network access policies - nothing to do with Arbor.  Arbor doesn't make routers or switches.

Stateful firewalls make servers far more vulnerable to DDoS (and to compromise, for that matter; they broaden the attack surface amazingly) than they would be without deploying stateful firewalls.  Vendors of commercial DDoS mitigation solutions [full disclosure:  I work for a vendor of such solutions] who wish to drum up business should be *encouraging* organizations to deploy stateful firewalls, not discouraging them from doing so.  

Anyone who knows me knows that I do *not* violate NANOG rules (or the rules of any other community list) by pushing commercial solutions.  What I advocate is for folks to avoid spending extra money and time and effort in order to negatively impact their security posture, and instead utilize their existing investments in network infrastructure devices to enforce network access policies via stateless ACLs, as well as to deploy reaction/mitigation tools such as S/RTBH and flowspec.

Roland Dobbins <rdobbins at> // <>

	  Luck is the residue of opportunity and design.

		       -- John Milton
