Requirements for IPv6 Firewalls

Christopher Morrow morrowc.lists at gmail.com
Tue Apr 22 19:18:21 UTC 2014


On Tue, Apr 22, 2014 at 2:55 PM, Brian Johnson <bjohnson at drtel.com> wrote:
> Eric,
>
> If you read what he posted and really believe that is what he is saying, you need to re-think your career decision. It is obvious that he is not saying that.
>

Roland's saying basically:
  1) if you deploy something on 'the internet' you should secure that something
  2) the securing of that 'thing' should NOT be placing a stateful
device between your users and the 'thing'.

In a simple case of:
  "Put a web server on the internet"

Roland's advice breaks down to:
  1) deploy server
  2) put acl on upstream router like:
      permit tcp any any eq 80
      deny ip any any
  3) profit

The router + acl will process line-rate traffic without care.

-chris

> I hate it when threads break down to this type of tripe and ridiculous restatement of untruths.
>
> - Brian
>
>> -----Original Message-----
>> From: Eric Wieling [mailto:EWieling at nyigc.com]
>> Sent: Tuesday, April 22, 2014 1:16 PM
>> To: Dobbins, Roland; nanog at nanog.org
>> Subject: RE: Requirements for IPv6 Firewalls
>>
>> It seems to me you are saying we should get rid of firewalls and rely on
>> applications network security.
>>
>> This is so utterly idiotic I must be misunderstanding something. There are a
>> few things we can count on in life, death, taxes, and application developers
>> leaving giant security holes in their applications.
>>
>> -----Original Message-----
>> From: Dobbins, Roland [mailto:rdobbins at arbor.net]
>> Sent: Saturday, April 19, 2014 12:10 AM
>> To: nanog at nanog.org
>> Subject: Re: Requirements for IPv6 Firewalls
>>
>> You can 'call' it all you like - but people who actually want to keep their
>> servers up and running don't put stateful firewalls in front of them, because
>> it's very easy to knock them over due to state exhaustion.  In fact, it's far
>> easier to knock them over than to knock over properly-tuned naked hosts.
>>
>> Also, you might want to search the NANOG email archive on this topic.
>> There's lots of previous discussion, which boils down to the fact that serious
>> organizations running serious applications/services don't put stateful
>> firewalls (or 'IPS', or NATs, et al.) in front of their servers.
>>
>> The only way to secure hosts/applications/service against compromise is via
>> those hosts/applications/services themselves.  Inserting stateful
>> middleboxes doesn't actually accomplish anything to enhance confidentiality
>> and integrity, actually increases the attack surface due to middlebox exploits
>> (read the numerous security notices for various commercial and open-source
>> stateful firewalls for compromise exploits), and has a negative impact on
>> availability.
>>
>>
>
>
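To make the state-exhaustion argument in this thread concrete, here is an added Python model (not code from the thread, NANOG, or any vendor): the two-line router ACL Chris quotes, evaluated statelessly, beside a hypothetical stateful device that applies the same policy but keeps a bounded session table. Both are fed constructed traffic of many half-open TCP sessions from distinct sources, followed by one legitimate client; the addresses, table size and session count are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp", ...
    src: str           # source address (constructed IPv6 literals below)
    dport: int = 0     # destination port
    syn: bool = False  # TCP SYN set, i.e. the first packet of a session

def stateless_acl(pkt: Packet) -> str:
    """The router ACL from the thread: permit tcp any any eq 80 / deny ip any any."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        return "permit"
    return "deny"

class StatefulFirewall:
    """Hypothetical stateful device: same policy, plus a bounded session table."""
    def __init__(self, max_sessions: int):
        self.max_sessions = max_sessions
        self.sessions = set()

    def filter(self, pkt: Packet) -> str:
        if stateless_acl(pkt) == "deny":
            return "deny"
        key = (pkt.src, pkt.dport)
        if key in self.sessions:
            return "permit"                # packet belongs to a known session
        if not pkt.syn:
            return "deny"                  # no session state for this packet
        if len(self.sessions) >= self.max_sessions:
            return "drop-state-exhausted"  # table full: new sessions refused
        self.sessions.add(key)
        return "permit"

def count_verdicts(filter_fn, packets) -> dict:
    counts = {}
    for p in packets:
        v = filter_fn(p)
        counts[v] = counts.get(v, 0) + 1
    return counts

def demo(half_open: int = 500, table_size: int = 100) -> tuple:
    """Constructed traffic: SYNs from distinct sources that never complete, then one
    legitimate client. Returns both verdict tallies and the client's verdict on each."""
    traffic = [Packet("tcp", f"2001:db8::{i:x}", 80, syn=True) for i in range(1, half_open + 1)]
    client = Packet("tcp", "2001:db8:1::cafe", 80, syn=True)
    fw = StatefulFirewall(table_size)
    acl_counts = count_verdicts(stateless_acl, traffic)
    fw_counts = count_verdicts(fw.filter, traffic)
    return acl_counts, fw_counts, stateless_acl(client), fw.filter(client)
```

The ACL permits every port-80 packet regardless of how many sources appear, while the modelled stateful device stops admitting new sessions once its table is full, so the legitimate client is refused even though the policy would allow it.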
