Requirements for IPv6 Firewalls
Doug Barton
dougb at dougbarton.us
Tue Apr 22 20:02:43 UTC 2014
On 04/22/2014 12:18 PM, Christopher Morrow wrote:
> Roland's saying basically:
> 1) if you deploy something on 'the internet' you should secure that something
> 2) the securing of that 'thing' should NOT be placing a stateful
> device between your users and the 'thing'.
>
> In a simple case of:
> "Put a web server on the internet"
>
> Roland's advice breaks down to:
> 1) deploy server
> 2) put acl on upstream router like:
> permit tcp any any eq 80
> deny ip any any
> 3) profit
>
> The router + acl will process line-rate traffic without care.
A key part of this overall strategy is also "Harden the system to run
only those services it needs to do its job." And the above implies that
things like ssh (i.e., management services) should be ACL'ed to only
allow access from inside .... etc.
But otherwise, yes; and yes, this strategy is very successful. It
removes the stateful firewall as the SPOF.
Doug
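The strategy the thread describes (a stateless ACL on the upstream router that permits the public service, restricts management services such as ssh to inside addresses, and denies everything else) can be demonstrated with a small first-match packet filter. The following is an added example written for this page, not code from either poster or from any router vendor; it parses IOS-style rule lines like the ones quoted above, evaluates constructed IPv6 packets against them, and applies the implicit deny that router ACLs have at the end. The prefixes and addresses (2001:db8:1::/48 as the "inside" management prefix, 2001:db8:1:80::1 as the web server) are documentation-range values invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One packet header, the only thing a stateless ACL ever looks at."""
    proto: str            # "tcp", "udp", "icmpv6", ...
    src: str              # source address
    dst: str              # destination address
    dport: Optional[int] = None   # destination port, None for non-TCP/UDP


@dataclass(frozen=True)
class Rule:
    """One ACL entry: action, protocol ("ip" = any), src/dst prefix or "any", optional 'eq' port."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse an IOS-style line such as 'permit tcp any any eq 80' or 'deny ip any any'."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"rule too short: {line!r}")
    action, proto, src, dst = tokens[:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    rest = tokens[4:]
    dport = None
    if rest:
        # Only the 'eq <port>' qualifier is supported in this example.
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported qualifier in rule: {line!r}")
        dport = int(rest[1])
    return Rule(action, proto, src, dst, dport)


def _addr_in(prefix: str, addr: str) -> bool:
    """'any' matches everything; otherwise check prefix membership (a bare host address is a /128)."""
    if prefix == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_in(rule.src, pkt.src) or not _addr_in(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed values for the example (documentation prefix 2001:db8::/32).
INSIDE = "2001:db8:1::/48"          # hypothetical "inside" management prefix
WEB_SERVER = "2001:db8:1:80::1"     # hypothetical public web server

# The quoted ACL, plus the management restriction Doug describes: ssh only from inside.
INGRESS_ACL = [parse_rule(line) for line in (
    "permit tcp any any eq 80",
    f"permit tcp {INSIDE} any eq 22",
    "deny ip any any",
)]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "2001:db8:ffff::1", WEB_SERVER, 80),   # public web request
        Packet("tcp", "2001:db8:ffff::1", WEB_SERVER, 22),   # ssh from outside
        Packet("tcp", "2001:db8:1::10", WEB_SERVER, 22),     # ssh from inside
        Packet("udp", "2001:db8:ffff::1", WEB_SERVER, 53),   # unrelated UDP
    ]
    for pkt in samples:
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {evaluate(INGRESS_ACL, pkt)}")
```

Each packet is judged on its own header fields with no connection table, which is why the thread expects the router to process this at line rate and why there is no stateful device to become the single point of failure; the trade-off is that anything the host should not answer has to be closed on the host itself, which is the "harden the system" half of the strategy.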