[c-nsp] ASA Firewalls placement in the network!

Ge Moua moua0100 at umn.edu
Mon Oct 12 13:09:43 EDT 2009


Joel M Snyder -
> If you do the job right, from a security point of view, you can
> certainly put a fine firewall in front of a very busy DNS server.  (and
> when I say "very busy" I'm talking 10K queries a second, which is to say
> about 20Mbit/second sustained round-the-clock load, for less than $10K)

What would you recommend for this?  Some of my colleagues have suggested a 
redundant OpenBSD cluster (with plenty of RAM, because memory is cheap these 
days) with PF; I can see a scalable home-grown solution that can address 
the "exhausted state table" issue; I'm just wondering if cheap, fast CPUs 
will be on par (performance- and throughput-wise) with the fast ASICs the 
big-box vendors use in their firewall products.

What do you think?



Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Joel M Snyder wrote:
> > The worst thing you can do is put a stateful firewall in front of a
> > busy DNS server
>
> Well, as a security guy (rather than as a network guy), I would 
> respectfully disagree.
>
> First of all, if your firewall is underspecified or underrated, then 
> yes, you'll have problems.  Secondly, if your firewall is 
> misconfigured or mistuned, then yes, you'll have problems.  Of 
> course, both of these things are true of the network itself as 
> everyone on this list knows very well.
>
> If you do the job right, from a security point of view, you can 
> certainly put a fine firewall in front of a very busy DNS server.  
> (and when I say "very busy" I'm talking 10K queries a second, which is 
> to say about 20Mbit/second sustained round-the-clock load, for less 
> than $10K)
>
> So then the question comes: well, what's the point?  I think that a 
> lot of the folks on this list feel that throwing an ACL in front of a 
> box is effectively the same, from a security point of view, as a 
> firewall and a hell of a lot cheaper.
>
> If you have a lousy firewall (i.e., one that is doing nothing more 
> than keeping a UDP session open), yes, absolutely.  However, good 
> firewalls are doing a lot more than that.
>
> You may remember last year's "the Internet is falling and only Dan 
> Kaminsky can explain it" flap around DNS.  Well, a lot of the 
> discussion around this bug/problem/issue ignored the truth that a good 
> firewall prevented the attack directly, by knowing enough 'deep packet 
> smarts' around the DNS protocol that the attack scenario was 
> effectively blocked (hey, that's why we have a session table in the 
> first place!). Similarly, a well-configured firewall would have per-IP 
> rate limits in it, which would have been a second line of defense.
>
> Now, if you put in a piece-o-crap firewall that is misconfigured, too 
> slow, doesn't have a big enough session table, and doesn't do anything 
> more than your average reflexive access control list, then you're 
> right on: rip that junk out and go bareback.
>
> But if you do it right, there is value to be provided by a firewall.
>
> jms
>
>
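Added example (written for this page; it is not code from either poster and not a PF or ASA configuration): a toy Python model of the DNS-aware state tracking and per-IP rate limiting described in the quoted reply. Each state is keyed on the UDP 5-tuple plus the DNS transaction ID and question name, so a forged answer with a guessed ID, name or port finds no matching state and is dropped (the Kaminsky-style case), a genuine answer consumes the state so it cannot be replayed, a per-source token bucket drops query floods, and a bounded table with a UDP idle timeout shows the "exhausted state table" behaviour and its recovery. The addresses, limits and packets are constructed, the parser only reads the question section, and the logic is a simplification rather than the behaviour of any product.

```python
"""Toy stateful DNS filter, constructed for this page (models no real product).

A query opens a state keyed on the 5-tuple plus DNS txid and qname; a response
passes only if it matches a pending state, which it consumes; queries are
rate-limited per source IP; the state table is bounded and idle entries expire.
"""
import struct


def build_dns(txid, qname, response=False):
    """Minimal DNS message: header plus one A/IN question, no answer records."""
    flags = 0x8180 if response else 0x0100                 # QR bit marks a response
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    return hdr + name + struct.pack("!HH", 1, 1)


def parse_dns(payload):
    """Return (txid, is_response, qname) from the question section only."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, off = [], 12
    while True:
        n = payload[off]                                   # IndexError on truncation
        if n == 0:
            break
        if n & 0xC0:                                       # no compression in questions
            raise ValueError("compressed label in question")
        labels.append(payload[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)


class StatefulDnsFilter:
    def __init__(self, max_states, max_src_states, udp_timeout, qps_per_ip, burst):
        self.max_states, self.max_src_states = max_states, max_src_states
        self.udp_timeout, self.qps, self.burst = udp_timeout, qps_per_ip, burst
        self.states = {}     # (src_ip, src_port, dst_ip, dst_port, txid, qname) -> last seen
        self.per_src = {}    # src_ip -> number of pending states
        self.buckets = {}    # src_ip -> (tokens, last refill time)

    def _delete(self, key):
        del self.states[key]
        self.per_src[key[0]] -= 1
        if self.per_src[key[0]] == 0:
            del self.per_src[key[0]]

    def _expire(self, now):
        for key, seen in list(self.states.items()):
            if now - seen > self.udp_timeout:
                self._delete(key)

    def _take_token(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.qps)
        allowed = tokens >= 1
        self.buckets[ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def inspect(self, src_ip, src_port, dst_ip, dst_port, payload, now):
        """Decide one UDP/53 datagram; returns ('pass' | 'drop', reason)."""
        self._expire(now)
        try:
            txid, is_response, qname = parse_dns(payload)
        except (ValueError, IndexError, UnicodeDecodeError):
            return "drop", "malformed"
        if is_response:
            # Reverse the 5-tuple: the answer must match a question we let through.
            key = (dst_ip, dst_port, src_ip, src_port, txid, qname)
            if key not in self.states:
                return "drop", "unsolicited-response"
            self._delete(key)                              # one answer per question
            return "pass", "response"
        if not self._take_token(src_ip, now):
            return "drop", "rate-limit"
        key = (src_ip, src_port, dst_ip, dst_port, txid, qname)
        if key in self.states:
            self.states[key] = now                         # retransmit refreshes the state
            return "pass", "query-retransmit"
        if len(self.states) >= self.max_states:
            return "drop", "state-table-full"
        if self.per_src.get(src_ip, 0) >= self.max_src_states:
            return "drop", "max-src-states"
        self.states[key] = now
        self.per_src[src_ip] = self.per_src.get(src_ip, 0) + 1
        return "pass", "query"


def demo():
    """Run the thread's scenarios through the filter; returns the verdicts by name."""
    fw = StatefulDnsFilter(max_states=6, max_src_states=10, udp_timeout=30.0, qps_per_ip=10, burst=5)
    resolver, upstream = "192.0.2.10", "203.0.113.1"      # protected resolver and its upstream
    server, attacker = "192.0.2.53", "198.51.100.7"       # protected server and a flooding client
    r = {"query": fw.inspect(resolver, 40000, upstream, 53, build_dns(0x1234, "www.example.com"), 0.0)}
    # Forged answers: wrong txid, right txid but wrong name, right txid and name but wrong port.
    for tag, port, txid, name in [("forged_txid", 40000, 0x1235, "www.example.com"),
                                  ("forged_qname", 40000, 0x1234, "ns.example.com"),
                                  ("forged_port", 40001, 0x1234, "www.example.com")]:
        r[tag] = fw.inspect(upstream, 53, resolver, port, build_dns(txid, name, True), 0.1)
    genuine = build_dns(0x1234, "www.example.com", True)
    r["genuine"] = fw.inspect(upstream, 53, resolver, 40000, genuine, 0.2)
    r["replayed"] = fw.inspect(upstream, 53, resolver, 40000, genuine, 0.2)
    # One client sends 8 queries within a second: the burst of 5 passes, the rest is rate-limited.
    r["flood"] = [fw.inspect(attacker, 50000 + i, server, 53, build_dns(i, f"h{i}.example.net"), 1.0)[1]
                  for i in range(8)]
    r["malformed"] = fw.inspect(attacker, 50099, server, 53, b"\x00\x01", 1.0)
    # Five attacker states are pending; the 6-entry table fills, refusing a later client
    # until the UDP idle timeout purges the stale entries.
    r["fill"] = fw.inspect("192.0.2.20", 40000, server, 53, build_dns(1, "a.example.org"), 2.0)
    r["full"] = fw.inspect("192.0.2.21", 40000, server, 53, build_dns(2, "b.example.org"), 2.0)
    r["after_timeout"] = fw.inspect("192.0.2.21", 40000, server, 53, build_dns(2, "b.example.org"), 40.0)
    return r
```

demo() walks the scenarios in order. The three knobs it exposes (table size, per-source state cap, UDP idle timeout) are the same ones a real deployment has to size for the query rate; in PF they correspond to `set limit states` and the `set timeout udp.*` values. The "full" verdict in the demo is the point made in the thread: an undersized table makes the firewall itself the outage for the legitimate client behind it.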

