[c-nsp] What's the value of ASA/FWSM TCP state bypass?

Scott Granados gsgranados at comcast.net
Tue Nov 10 18:44:26 EST 2009


And don't forget to stop running Microsoft products!


Secure and Microsoft can't be used in the same text, let alone sentence, 
unless it's in the negative.  This is a big part of the firewall 
conditioning.  People are so used to hopelessly insecure operating 
environments that this makes sense as a solution, when in reality all one 
need do is run a real OS, properly hardened.


----- Original Message ----- 
From: "Dobbins, Roland" <rdobbins at arbor.net>
To: "Cisco-nsp" <cisco-nsp at puck.nether.net>
Sent: Tuesday, November 10, 2009 3:31 PM
Subject: Re: [c-nsp] What's the value of ASA/FWSM TCP state bypass?


>
> On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:
>
>> I've read about this, but I fail to see what the point is.
>
> The point is that there shouldn't be firewalls in front of servers in the 
> first place, given that every packet which comes in is unsolicited and 
> therefore the stateful inspection is both completely obviated and forms a 
> DDoS chokepoint; and yet folks have been so conditioned by security 
> snake-oil marketing to put firewalls in front of their servers that they 
> do it anyways, complain to their vendors when said firewalls fall over 
> with relatively small amounts of traffic due to state-table exhaustion, 
> and thus need a way to disable the stateful inspection they paid so much 
> to achieve so that they can still claim that they've a firewall in front 
> of their servers, even though said firewalls are iatrogenic in nature.
>
> ;>
>
> Folks should do as you say, hardening their servers/apps/services, 
> enforcing policy via stateless ACLs in hardware, and deploying reaction 
> tools such as S/RTBH.  Firewalls in front of servers are generally a Bad 
> Idea, period.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/ 
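The state-table-exhaustion argument in the quoted message, as an added toy model that is not part of the thread: a stateful firewall with a bounded table in front of a web server, beside a stateless port ACL, both fed a constructed burst of spoofed SYNs followed by real clients. Class and function names, table size and addresses are all assumptions made for the illustration.

```python
"""Toy model of the state-table-exhaustion argument: a stateful firewall must
remember every inbound flow, a stateless ACL must not. All traffic is
constructed; nothing is sent on the wire."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst_port: int   # destination port on the server
    syn: bool       # True for a new-connection SYN
    legit: bool     # constructed label, used only for scoring

class StatefulFirewall:
    """Admits a SYN only if it can create a state-table entry for it."""
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = set()
    def allow(self, p):
        if p.dst_port != 80:
            return False
        key = (p.src, p.dst_port)
        if key in self.table:
            return True                 # packet belongs to a known flow
        if not p.syn or len(self.table) >= self.max_entries:
            return False                # table full: real clients are dropped too
        self.table.add(key)
        return True

class StatelessAcl:
    """Decides per packet from header fields alone; nothing to exhaust."""
    def __init__(self, allowed_ports):
        self.allowed_ports = frozenset(allowed_ports)
    def allow(self, p):
        return p.dst_port in self.allowed_ports

def constructed_traffic(n_flood=1000, n_legit=100):
    """Spoofed SYNs from distinct sources, then real clients, then one port-22 probe."""
    flood = [Packet(f"10.{i // 256}.{i % 256}.1", 80, True, False) for i in range(n_flood)]
    legit = [Packet(f"192.0.2.{i + 1}", 80, True, True) for i in range(n_legit)]
    return flood + legit + [Packet("192.0.2.1", 22, True, True)]

def score(filt, packets):
    """Return (legit web packets admitted, legit web packets offered, port-22 admitted)."""
    web_ok = web_total = ssh_ok = 0
    for p in packets:
        allowed = filt.allow(p)
        if p.dst_port == 22:
            ssh_ok += allowed
        elif p.legit:
            web_total += 1
            web_ok += allowed
    return web_ok, web_total, ssh_ok
```

With a 500-entry table the flood fills the firewall before any real client arrives, so every legitimate SYN is dropped, while the ACL admits all of them and still blocks port 22; the ACL also passes the flood to the server, which is why the message pairs it with host hardening and reaction tools such as S/RTBH rather than presenting it as a drop-in replacement.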