On Tue, Apr 22, 2014 at 2:55 PM, Brian Johnson <bjohn...@drtel.com> wrote:
> Eric,
>
> If you read what he posted and really believe that is what he is saying, you
> need to re-think your career decision. It is obvious that he is not saying
> that.
>

Roland's saying basically:
  1) if you deploy something on 'the internet' you should secure that something
  2) the securing of that 'thing' should NOT be placing a stateful device
     between your users and the 'thing'.

In a simple case of: "Put a web server on the internet" Roland's advice breaks
down to:
  1) deploy server
  2) put acl on upstream router like:
       permit tcp any any eq 80
       deny ip any any
  3) profit

The router + acl will process line-rate traffic without care.

-chris

> I hate it when threads break down to this type of tripe and ridiculous
> restatement of untruths.
>
> - Brian
>
>> -----Original Message-----
>> From: Eric Wieling [mailto:ewiel...@nyigc.com]
>> Sent: Tuesday, April 22, 2014 1:16 PM
>> To: Dobbins, Roland; nanog@nanog.org
>> Subject: RE: Requirements for IPv6 Firewalls
>>
>> It seems to me you are saying we should get rid of firewalls and rely on
>> applications network security.
>>
>> This is so utterly idiotic I must be misunderstanding something. There are a
>> few things we can count on in life, death, taxes, and application developers
>> leaving giant security holes in their applications.
>>
>> -----Original Message-----
>> From: Dobbins, Roland [mailto:rdobb...@arbor.net]
>> Sent: Saturday, April 19, 2014 12:10 AM
>> To: nanog@nanog.org
>> Subject: Re: Requirements for IPv6 Firewalls
>>
>> You can 'call' it all you like - but people who actually want to keep their
>> servers up and running don't put stateful firewalls in front of them, because
>> it's very easy to knock them over due to state exhaustion. In fact, it's far
>> easier to knock them over than to knock over properly-tuned naked hosts.
>>
>> Also, you might want to search the NANOG email archive on this topic.
>> There's lots of previous discussion, which boils down to the fact that serious
>> organizations running serious applications/services don't put stateful
>> firewalls (or 'IPS', or NATs, et al.) in front of their servers.
>>
>> The only way to secure hosts/applications/service against compromise is via
>> those hosts/applications/services themselves. Inserting stateful
>> middleboxes doesn't actually accomplish anything to enhance confidentiality
>> and integrity, actually increases the attack surface due to middlebox exploits
>> (read the numerous security notices for various commercial and open-source
>> stateful firewalls for compromise exploits), and has a negative impact on
>> availability.
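The following Python is an added illustration of the availability argument in this thread; it is not code from the thread or from any of its posters. It parses the two ACL lines Chris quoted (in the Cisco-style syntax he used) and evaluates packets against them statelessly, then models a stateful middlebox as a per-flow table of finite capacity. The packet type, the addresses, the table capacity and the traffic mix are all constructed for the example; the stateful model is deliberately simplified (it tracks only TCP/80 flows keyed by source, destination and port) to show the one property the thread is about: a stateless ACL keeps no per-flow state, so it cannot be filled up, whereas a full connection table refuses a perfectly legitimate new client.

```python
# Added example, not from the NANOG thread. Contrasts the stateless router ACL
# in Chris's message with a simplified stateful middlebox that keeps a finite
# per-flow table. Packet model, addresses, capacity and traffic are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source address (constructed, opaque label)
    dst: str              # destination address (constructed, opaque label)
    dport: Optional[int]  # destination port, None for icmp
    syn: bool = False     # TCP SYN flag: first packet of a new connection


# The ACL exactly as written in the message, Cisco-style syntax.
ROUTER_ACL = [
    "permit tcp any any eq 80",
    "deny ip any any",
]


def parse_acl(lines):
    """Parse '<action> <proto> <src> <dst> [eq <port>]' entries into tuples."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL entry: {line!r}")
        action, proto, src, dst = tok[:4]
        dport = None
        if len(tok) == 6 and tok[4] == "eq":
            dport = int(tok[5])
        elif len(tok) != 4:
            raise ValueError(f"unsupported ACL entry: {line!r}")
        rules.append((action, proto, src, dst, dport))
    return rules


def acl_decide(rules, pkt):
    """First-match, stateless evaluation: each packet is judged on its own."""
    for action, proto, src, dst, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # implicit deny at the end of a Cisco ACL


class StatefulFilter:
    """Simplified stateful middlebox: admits a TCP/80 connection on its SYN and
    records the flow in a table of finite capacity. Once the table is full no
    new flow can be admitted, however legitimate it is (state exhaustion)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = {}  # (src, dst, dport) -> "half-open" | "established"

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.flows:
            return "permit"  # known flow, fast path
        if pkt.proto == "tcp" and pkt.dport == 80 and pkt.syn:
            if len(self.flows) >= self.capacity:
                return "drop-table-full"  # the failure mode the thread describes
            self.flows[key] = "half-open"
            return "permit"
        return "deny"  # not part of a flow and not an allowed new one


def compare(table_capacity, half_open_flows):
    """Feed `half_open_flows` SYNs from distinct constructed sources that never
    complete, then one legitimate client's SYN. Returns what each design does
    with the legitimate client and how much state the stateful box holds."""
    rules = parse_acl(ROUTER_ACL)
    fw = StatefulFilter(table_capacity)
    for i in range(half_open_flows):
        stray = Packet("tcp", f"src-{i}", "web", 80, syn=True)
        fw.decide(stray)          # each one occupies a table slot
        acl_decide(rules, stray)  # the ACL remembers nothing
    client = Packet("tcp", "client", "web", 80, syn=True)
    return {
        "stateless": acl_decide(rules, client),
        "stateful": fw.decide(client),
        "table_entries": len(fw.flows),
    }


if __name__ == "__main__":
    print(compare(table_capacity=1000, half_open_flows=10))    # both permit
    print(compare(table_capacity=1000, half_open_flows=1000))  # stateful box drops the client
```

The capacity figure is arbitrary; the point is only that it is finite, while `acl_decide` has no table at all and gives the same answer for the first packet and the millionth. The ACL also still does the filtering job the thread expects of it: a packet to port 22 or an ICMP packet hits the `deny ip any any` line on either path.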