Requirements for IPv6 Firewalls

Doug Barton dougb at dougbarton.us
Tue Apr 22 22:28:08 UTC 2014


On 04/22/2014 01:49 PM, George Herbert wrote:
> As long as the various stateful firewalls and IDS systems offer hostile
> action detection and blocking capabilities that raw webservers lack,
> there are certainly counterarguments to the "port filter only" approach
> being advocated here.

Right, but now you're talking about something other than just a firewall.

> Focusing only on DDOS prevention from one narrow range of attack vectors
> targeting the firewalls themselves is narrow-minded.  The security threat
> envelope is pretty wide.  Vulnerabilities of similar nature exist on the
> webservers themselves, and on load balancer devices you will likely need
> anyways.

Again, sure, but removing a needless firewall from the equation is one 
less thing to worry about.

> Any number of enterprises have chosen that if a DDOS or other advanced
> attack is going to be successful, to let that be successful in bringing
> down a firewall on the external shell of the security envelope rather
> than having penetrated to the servers level.

And if they are making that choice proactively who am I to argue? I 
disagree, but their network, their rules.

What usually happens though is that enterprises believe that the 
firewall will protect them, without understanding that it can actually 
create a SPOF instead.

> Smart design can also handle transparently failing over should such a
> vendor-specific attack succeed.  The idea that anyone doing real, big
> complex networks would or has to accept any SPOF is ludicrous.  The
> question is, how important is avoiding SPOFs, and how committed you are.
> If the answer is "absolutely must, and we have enough budget to do so"
> then it's entirely doable.

Of course.

Doug
