[c-nsp] What's the value of ASA/FWSM TCP state bypass?

Greg Wendel gwendel at gmail.com
Wed Nov 11 21:07:50 EST 2009


Roland,

iatrogenic. induced inadvertently ...
http://www.merriam-webster.com/dictionary/IATROGENIC

It is not often I have to look up a word on this board.  Well played sir.

On Tue, Nov 10, 2009 at 6:31 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

>
> On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:
>
> > I've read about this, but I fail to see what the point is.
>
> The point is that there shouldn't be firewalls in front of servers in the
> first place, given that every packet which comes in is unsolicited and
> therefore the stateful inspection is both completely obviated and forms a
> DDoS chokepoint; and yet folks have been so conditioned by security
> snake-oil marketing to put firewalls in front of their servers that they do
> it anyways, complain to their vendors when said firewalls fall over with
> relatively small amounts of traffic due to state-table exhaustion, and thus
> need a way to disable the stateful inspection they paid so much to achieve
> so that they can still claim that they've a firewall in front of their
> servers, even though said firewalls are iatrogenic in nature.
>
> ;>
>
> Folks should do as you say, hardening their servers/apps/services,
> enforcing policy via stateless ACLs in hardware, and deploying reaction
> tools such as S/RTBH.  Firewalls in front of servers is generally a Bad
> Idea, period.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
>
>
>
>



-- 
Gregory Wendel
Springfield VA, 22153