Requirements for IPv6 Firewalls

Lukasz Bromirski lukasz at bromirski.net
Tue Apr 22 22:50:57 UTC 2014


On 22 Apr 2014, at 22:49, George Herbert <george.herbert at gmail.com> wrote:

> Any number of enterprises have chosen that if a DDOS or other advanced
> attack is going to be successful, to let that be successful in bringing
> down a firewall on the external shell of the security envelope rather than
> having penetrated to the servers level.

And I don’t think there’s a problem with that approach.

The problem starts when those anonymous enterprises “silently” expect
that:

a) the firewall will somehow magically defend the network, scrub the
   “bad” traffic and let the good traffic pass (“that’s why we’ve paid for
   a state of the art firewall, right?!”)
b) the firewall will fail gracefully, taking down all services and making
   a real hole in the transport, not jabbing some packets here and
   there, maybe malformed, maybe parts of different connections
   crammed into wrong headers… until reboot; and the reboot may also
   not be totally transparent, as links will go up, down, init, and so
   on
c) insert your own horror story here

…and use those assumptions to advocate for a stateful firewall
everywhere.

If you’re aware of those assumptions, and you’re aware of the
constraints we’re facing with actually developing a working edge defence
for the network, you’ll be advocating the creation of a funnel anyway -
with stateless first lines of defense, taking care of all the trash
that can come from the internet, and rate-limiting the traffic
that seems to be legitimate if it is above certain thresholds. And at that
point - a stateful firewall may not be needed anymore, because the service
itself can scale better.

Nowadays, enterprise networks are picking up best practices from SPs,
where scale does matter and networks are built to actually have those
characteristics. Anycast DNS is often found in enterprise networks,
as well as other anycasted services (usually in the “shared IP” model) -
mail, web, AAA and other services.

The same goes for actually protecting the internet edge. How often
is your network being DDoSed? Be it 300kpps or 5Mpps, how will your
stateful firewall at the edge of it deal with that?

And by the way, when we’re speaking about internet-visible services -
how many stateful firewalls defend www.google.com? Or www.amazon.com?
Or OpenDNS servers? Or 8.8.8.8/8.8.4.4? I bet none. But I’d love
to hear from the people maintaining them.

-- 
"There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromirski at jabber.org
 about."               John von Neumann |    http://lukasz.bromirski.net
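A small model of the funnel argued for above (a stateless first line that discards trash, then per-service rate limiting, with only the remainder ever reaching a stateful tier), written as an added Python example that is not part of the original thread; the prefixes, the exposed-service list, the bucket parameters and the traffic mix are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass
class Packet:
    t: float      # arrival time in seconds
    src: str      # IPv6 source address
    dst: str      # IPv6 destination address
    proto: str    # "tcp", "udp" or "icmp6"
    dport: int    # destination port, 0 for icmp6
# Prefixes and the exposed-service list are constructed for this example.
EDGE_PREFIX = ipaddress.ip_network("2001:db8:1::/48")   # the address space behind the edge
BOGONS = [ipaddress.ip_network(n) for n in ("::/128", "::1/128", "fc00::/7", "fe80::/10")]
ALLOWED = {("tcp", 443), ("tcp", 25), ("udp", 53), ("icmp6", 0)}
def stateless_drop(p: Packet) -> bool:
    """First line of defense: decisions that need no per-flow state at all."""
    src = ipaddress.ip_address(p.src)
    if src in EDGE_PREFIX or any(src in b for b in BOGONS):  # spoofed or bogon source
        return True
    return (p.proto, p.dport) not in ALLOWED                 # not a published service
class TokenBucket:
    """Per-service limiter: `rate` packets/s sustained, `burst` packets at peak."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now: float) -> bool:
        self.tokens, self.last = min(self.burst, self.tokens + (now - self.last) * self.rate), now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True
def funnel(packets, rate=5.0, burst=10):
    buckets = defaultdict(lambda: TokenBucket(rate, burst))   # one bucket per exposed service
    counts = {"stateless_drop": 0, "rate_limited": 0, "passed": 0}
    for p in sorted(packets, key=lambda x: x.t):
        if stateless_drop(p):
            counts["stateless_drop"] += 1
        elif not buckets[(p.dst, p.proto, p.dport)].allow(p.t):
            counts["rate_limited"] += 1
        else:
            counts["passed"] += 1   # only this share ever reaches a stateful tier
    return counts
def sample_traffic():
    """Constructed mix: a little legitimate web traffic, some trash, and a DNS flood."""
    web, dns = "2001:db8:1::80", "2001:db8:1::53"
    pkts = [Packet(0.1 * i, "2001:db8:ffff::10", web, "tcp", 443) for i in range(3)]
    pkts += [Packet(0.3, "2001:db8:1::bad", web, "tcp", 443)] * 2       # spoofed as our own space
    pkts += [Packet(0.4, "2001:db8:ffff::20", web, "udp", 12345)] * 4   # unpublished port
    pkts += [Packet(0.5, "fe80::1", web, "icmp6", 0)]                   # link-local source
    pkts += [Packet(1.0 + 0.001 * i, "2001:db8:ffff::53", dns, "udp", 53) for i in range(30)]
    return pkts
```

With the constructed mix, `funnel(sample_traffic())` stops 7 packets statelessly, rate-limits 20 of the 30-packet DNS burst, and lets only 13 through to anything that would have to keep state.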