Requirements for IPv6 Firewalls

Seamus Ryan s.ryan at uber.com.au
Sun Apr 20 13:52:27 UTC 2014


Every time I see a Firewall related thread on one of the *NOG lists I count how many replies Roland will make before posting his State of Danger presentation.

We got to 10 this time :-)

FYI not having a go here Roland, it's a very insightful, interesting and well put together preso that I have forwarded on many times! I totally agree with the better part of it.

However....
While ACL's on stateless devices in the right place (routers/switches etc) are certainly the way to protect against "a 3mb/sec of spoofed SYN-flooding taking down a supposedly 20gb/sec stateful firewall", the truth is that if I spend all day every day chopping wood, I would probably buy an electric saw. But if I only hammer two pieces of wood together a few times a year, im not going to waste my money on a nail gun, I would probably just get a hammer.

Similarly if most of the time I just need to protect my relatively simple network by implementing a few separate zones I will get a firewall, im not going to deploy expensive stateless devices that can push a billion pps everywhere and send flow stats to expensive DDoS mitigation hardware *cough* arbor *cough* just so I can protect against an attack that many only happen a few times a year. If you're the type of enterprise that IS  seeing those types of attacks on a regular basis, unless they only started in the last few weeks the chances are you already know who the DDoS mitigation players are and how to implement them correctly (if not pre-sales aren't doing their job right!).

That's how I see it anyhow. The right tool for the right job... though in most cases you still need the whole toolbox.

Regards,
Seamus

Thoughts are entirely my own


-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins at arbor.net] 
Sent: Saturday, 19 April 2014 12:11 PM
To: nanog at nanog.org
Subject: Re: Requirements for IPv6 Firewalls


On Apr 19, 2014, at 9:04 AM, Jeff Kell <jeff-kell at utc.edu> wrote:

> It's how we provide access control.

Firewalls <> 'access control'.

Firewalls are one (generally, very poor and grossly misused) way of providing access control.  They're often wedged in where stateless ACLs in hardware-based routers and/or layer-3 switches would do a much better job, such as in front of servers:

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton






More information about the NANOG mailing list