Requirements for IPv6 Firewalls

George Herbert george.herbert at gmail.com
Tue Apr 22 20:49:29 UTC 2014


As long as the various stateful firewalls and IDS systems offer hostile
action detection and blocking capabilities that raw webservers lack, there
are certainly counterarguments to the "port filter only" approach being
advocated here.

Focusing only on DDoS prevention from one narrow range of attack vectors
targeting the firewalls themselves is narrow-minded.  The security threat
envelope is pretty wide.  Vulnerabilities of a similar nature exist on the
webservers themselves, and on load balancer devices you will likely need
anyway.

Any number of enterprises have decided that if a DDoS or other advanced
attack is going to succeed, they would rather have it succeed in bringing
down a firewall on the external shell of the security envelope than have
it penetrate to the server level.

Smart design can also handle transparently failing over should such a
vendor-specific attack succeed.  The idea that anyone doing real, big,
complex networks would or has to accept any SPOF is ludicrous.  The
question is how important avoiding SPOFs is, and how committed you are.
If the answer is "absolutely must, and we have enough budget to do so",
then it's entirely doable.





On Tue, Apr 22, 2014 at 1:28 PM, Doug Barton <dougb at dougbarton.us> wrote:

> On 04/22/2014 01:15 PM, Matthew Huff wrote:
>
>> I wouldn't manage a corporate network without a centrally managed
>> firewall (stateful; or not).
>>
>
> Matthew,
>
> No one is saying that. What Roland is saying, and the position that I
> agree with, is that putting a firewall in front of a system _that is
> intended to be ON the Internet, serving external users_, is a bad idea.
>
> I think it's a given that you'd want to protect your internal systems with
> a firewall (except for the aforementioned IPv6 illuminati, of whom I am not
> one).
>
> Doug
>
>
>


-- 
-george william herbert
george.herbert at gmail.com
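To make the "port filter only" versus stateful distinction argued over in this thread concrete, here is an added example, not from any participant in the thread and not anyone's production configuration: two minimal nftables rulesets for an IPv6 host serving HTTP/HTTPS, one stateless and one with connection tracking. The service ports, the DNS return-traffic rule and the new-connection rate limit are assumptions chosen for illustration.

```nft
# Added example, not from the NANOG thread. Two minimal nftables rulesets
# for an IPv6 web server. Ports and the rate-limit value are assumptions.

# 1. "Port filter only": stateless. Each packet is judged on its headers
#    alone. The filtering device keeps no connection table, so a flood has
#    nothing on the filter itself to exhaust (the server's own TCP stack
#    still holds state for every half-open connection it accepts).
table ip6 portfilter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Service ports, accepted regardless of connection state.
        tcp dport { 80, 443 } accept
        # ICMPv6 an IPv6 host cannot function without: neighbour discovery
        # and Path MTU discovery. Dropping these is the classic IPv6
        # firewall mistake, whether the filter is stateful or not.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        # Without state, replies to the host's own outbound queries (DNS
        # here, assumed) have to be enumerated by hand, and the rule is
        # coarse: anything with source port 53 gets in.
        udp sport 53 accept
    }
}

# 2. Stateful: the firewall tracks each flow, which lets it drop packets
#    that belong to no known connection and cap the rate of new flows,
#    at the cost of a conntrack table an attacker can try to fill. This is
#    the device-level exposure the port-filter camp in the thread objects to.
table ip6 stateful {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Return traffic for anything the host opened, no per-service rules.
        ct state established,related accept
        # Packets that match no tracked flow (stray ACKs, malformed
        # segments) are dropped rather than handed to the server.
        ct state invalid drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable } accept
        # New connections to the service ports, with a global cap on the
        # rate of new flows (value assumed) so a SYN flood cannot grow the
        # state table without bound. Excess is dropped before the accept.
        tcp dport { 80, 443 } ct state new limit rate over 2000/second drop
        tcp dport { 80, 443 } ct state new accept
    }
}
```

The two tables are shown side by side for comparison; install only one of them with `nft -f`, since both hook `input` with a drop policy and would be evaluated together. The rate limit in the stateful variant is global rather than per source address, so it protects the conntrack table but will also shed legitimate new connections during a flood, which is the trade-off the thread is really about: whether that shedding should happen on a firewall in front of the server or on the server itself.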


