[c-nsp] What's the value of ASA/FWSM TCP state bypass?

Dobbins, Roland rdobbins at arbor.net
Tue Nov 10 18:31:44 EST 2009


On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:

> I've read about this, but I fail to see what the point is.

The point is that there shouldn't be firewalls in front of servers in the first place, given that every packet which comes in is unsolicited and therefore the stateful inspection is both completely obviated and forms a DDoS chokepoint; and yet folks have been so conditioned by security snake-oil marketing to put firewalls in front of their servers that they do it anyways, complain to their vendors when said firewalls fall over with relatively small amounts of traffic due to state-table exhaustion, and thus need a way to disable the stateful inspection they paid so much to achieve so that they can still claim that they've a firewall in front of their servers, even though said firewalls are iatrogenic in nature.

;>

Folks should do as you say, hardening their servers/apps/services, enforcing policy via stateless ACLs in hardware, and deploying reaction tools such as S/RTBH.  Firewalls in front of servers is generally a Bad Idea, period.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
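As an added illustration (not part of Roland's post or the thread), here is what the two approaches look like in Cisco syntax: the ASA TCP state bypass policy the subject line asks about, followed by the stateless hardware ACL he recommends instead. The server address 192.0.2.10, the /24 it sits in, and the interface names are assumptions.

```cisco
! --- ASA: TCP state bypass (the feature the thread is about) ---
! Flows matching the ACL skip stateful TCP tracking, so the
! connection table stops being the chokepoint described above,
! but the box is still in the path and still does the lookup.
access-list SERVER-BYPASS extended permit tcp any host 192.0.2.10
class-map SERVER-BYPASS-CLASS
 match access-list SERVER-BYPASS
policy-map OUTSIDE-POLICY
 class SERVER-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
service-policy OUTSIDE-POLICY interface outside

! --- IOS router/switch: stateless ACL enforced in hardware ---
! Permit only the services the host actually offers; no state is
! kept, so capacity does not depend on how many flows are open.
! ICMP echo and packet-too-big are kept so monitoring and PMTUD work.
ip access-list extended SERVER-INGRESS
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any host 192.0.2.10 echo
 permit icmp any host 192.0.2.10 packet-too-big
 deny   ip any 192.0.2.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description upstream transit
 ip access-group SERVER-INGRESS in
```

The deny line deliberately omits `log`: on platforms that process ACLs in TCAM, logged entries are punted to the CPU, which reintroduces the software chokepoint the stateless design is meant to avoid.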
