Requirements for IPv6 Firewalls

Doug Barton dougb at dougbarton.us
Tue Apr 22 20:02:43 UTC 2014


On 04/22/2014 12:18 PM, Christopher Morrow wrote:
> Roland's saying basically:
>    1) if you deploy something on 'the internet' you should secure that something
>    2) the securing of that 'thing' should NOT be placing a stateful
> device between your users and the 'thing'.
>
> In a simple case of:
>    "Put a web server on the internet"
>
> Roland's advice breaks down to:
>    1) deploy server
>    2) put acl on upstream router like:
>        permit tcp any any eq 80
>        deny ip any any
>    3) profit
>
> The router + acl will process line-rate traffic without care.

A key part of this overall strategy is also "Harden the system to run 
only those services it needs to do its job." And the above implies that 
things like ssh (i.e., management services) should be ACL'ed to only 
allow access from inside .... etc.

But otherwise, yes; and yes, this strategy is very successful. It 
removes the stateful firewall as the SPOF.

Doug
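The stateless-ACL strategy described above, as an added example that is not part of the original post or of any vendor's ACL implementation: a small Python evaluator that applies the quoted `permit tcp any any eq 80` / `deny ip any any` list, plus the management-from-inside rule Doug adds, to constructed IPv6 packets. The prefixes (2001:db8::/32 documentation space), the server address and the flow-table limit are assumptions. The contrast class shows why a stateful device in the path is the single point of failure: it must keep per-flow state, and the router ACL does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp6"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One stateless ACL entry; 'ip' matches any protocol, '::/0' any address."""
    action: str             # "permit" or "deny"
    proto: str
    src: str = "::/0"
    dst: str = "::/0"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation. No connection table: each packet is decided
    on its own header, so the cost per packet is constant and nothing
    accumulates under load (the line-rate property from the thread)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"           # implicit deny at end of list


# Constructed values (assumptions, not from the post).
INSIDE = "2001:db8:1::/48"          # management network
WEB_SERVER = "2001:db8:2::80"

ACL = [
    # Doug's addition: management services reachable only from inside.
    Rule("permit", "tcp", src=INSIDE, dst=WEB_SERVER, dport=22),
    # The quoted router ACL.
    Rule("permit", "tcp", dport=80),    # permit tcp any any eq 80
    Rule("deny", "ip"),                 # deny ip any any
]
# Note: as written this list also drops all ICMPv6, which IPv6 hosts need
# for neighbor discovery and path-MTU discovery; a deployed list adds the
# needed ICMPv6 types before the final deny.


class StatefulFilter:
    """Contrast: a stateful device must remember every flow it permits.
    The table is finite, so the device itself becomes the failure point
    once it fills, regardless of how the end host would have coped."""

    def __init__(self, acl: List[Rule], max_flows: int):
        self.acl = acl
        self.max_flows = max_flows
        self.flows = set()

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flows:
            return "permit"                 # existing flow
        if evaluate(self.acl, pkt) != "permit":
            return "deny"
        if len(self.flows) >= self.max_flows:
            return "drop (state table full)"
        self.flows.add(key)
        return "permit"


def state_exhaustion_demo(max_flows: int, attempts: int) -> int:
    """Count how many otherwise-legitimate new web flows the stateful
    box refuses once its table is full. The stateless ACL never does."""
    sf = StatefulFilter(ACL, max_flows)
    refused = 0
    for i in range(attempts):
        pkt = Packet(f"2001:db8:ffff::{i + 1:x}", WEB_SERVER, "tcp", 80)
        if sf.process(pkt).startswith("drop"):
            refused += 1
    return refused


if __name__ == "__main__":
    outside = "2001:db8:ffff::1"
    print(evaluate(ACL, Packet(outside, WEB_SERVER, "tcp", 80)))          # permit
    print(evaluate(ACL, Packet(outside, WEB_SERVER, "tcp", 22)))          # deny
    print(evaluate(ACL, Packet("2001:db8:1::10", WEB_SERVER, "tcp", 22))) # permit
    print(state_exhaustion_demo(max_flows=100, attempts=150))             # 50
```

`evaluate` carries no memory between packets, which is the whole point of the router-plus-ACL design; `StatefulFilter.process` does, and `state_exhaustion_demo` shows the resulting refusals appearing at the filter rather than at the hardened server behind it.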