On 05/02/2015 14:15, jim deleskie wrote:
> mh,

Hi there Jim :-)

> you know that forcing traffic to be symmetrical is evil,

Voilà !

> and while backbone traffic and inspection don't play nice, there are
> very legit reasons why, in many cases edge traffic must be open for
> inspection.

Yes, right, often some such `control' is on wish-lists.

> I'm on my way to the office, feel free to ping me if you want to
> discuss. Or maybe I could use it as a reason to come visit, it's been
> a while since we've had a chance to vis-a-vis :)

With pleasure! Yes, too long a time...

TTYS,

mh

> -jim
>
> On Thu, Feb 5, 2015 at 8:57 AM, Terry Baranski
> <terry.baranski.l...@gmail.com> wrote:
>
>> On 5 Feb 2015, at 01:56, Michael Hallgren wrote:
>>
>>> On 04/02/2015 17:19, Roland Dobbins wrote:
>>>>
>>>> Real life limitations?
>>>> https://app.box.com/s/a3oqqlgwe15j8svojvzl
>>>
>>> Right ;-) Among many other nice ones, I like:
>>>
>>> `` 'IPS' devices require artificially-engineered topological symmetry-
>>> can have a negative impact on resiliency via path diversity.''
>>
>> Dang, I thought this quote was from an April 1st RFC when I first
>> read it.
>>
>> I hate to be the bearer of bad news, but everything we do is
>> "artificial". There are no routers in nature, no IP packets, no fiber
>> optics. There is no such thing as "natural engineering" -- engineering
>> is "artificial" by definition.
>>
>> So when you're configuring artificially-engineered protocols on your
>> artificially-engineered router so that your artificially-engineered
>> network can transmit artificially-engineered packets, adding some
>> extra artificially-engineered logic to enforce symmetry won't break
>> the bank, I promise. And when done properly it has absolutely no
>> impact on resilience and path diversity, and will do you all the good
>> in the world from a troubleshooting perspective (those of you who
>> operate networks).
>>
>> The whole presentation is frankly just odd to me. It looks at one
>> specific CND threat (DDoS), and attempts to address it by throwing out
>> the baby with the bathwater. It says to eliminate state at all costs,
>> but then at the end advocates for reverse proxies -- which are
>> stateful, and which therefore create the same "problems" as firewalls
>> and IPSs.
>>
>> The idea of ripping out firewall/IPS devices and replacing them with
>> router ACLs is something that, if I were an attacker, I would
>> definitely encourage all of my targets to do. Firewalls aren't so much
>> the big issue -- one can theoretically use router ACLs for basic L3/L4
>> blocks, though they scale horribly from an O&M perspective, are more
>> prone to configuration errors, and their manageability is poor. But
>> there's no overstating the usefulness of a properly-tuned IPS for
>> attack prevention, and the comment in the brief comparing an IPS to
>> "[Having] your email client set to alert you to incoming mail" is so
>> bizarre that I wouldn't even know how to counter it.
>>
>> (I know you're out there Roland and my intention isn't to get into a
>> big thing with you. But the artificial-engineering thing gave me a
>> chuckle.)
>>
>> On 5 Feb 2015, at 02:49, Michael Hallgren wrote:
>>
>>> On 05/02/2015 08:01, Roland Dobbins wrote:
>>>>
>>>> The real question is, why 'inspect', at all?
>>>
>>> Yes, that's an even more interesting discussion!
>>
>> Only if your assets aren't targets. :-)
>>
>> -Terry