[c-nsp] ASA Firewalls placement in the network!
Roland Dobbins
rdobbins at arbor.net
Fri Oct 9 01:05:41 EDT 2009

On Oct 9, 2009, at 11:39 AM, zafar ullah wrote:

> What you guys suggest, which is best approach for robust & scalable
> secure network?

Firewalls have no place in front of servers at all. They add no
security value at all, and make the servers behind them vastly more
vulnerable to DDoS, as well as greatly increasing the attack surface
if so-called 'protocol inspectors' are enabled. Server access
policies should be enforced via a mixture of host/OS/app BCPs and
stateless filtering via ACLs in hardware-based routers.

Firewalls do make sense for protecting access LANs for enterprises.
Firewalls deployed for this purpose must by definition be placed
behind the enterprise edge router(s) and in front of the internal
enterprise access network.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Sorry, sometimes I mistake your existential crises for technical
insights.
-- xkcd #625
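
Added example, not part of the original message: a toy Python model of the contrast the reply draws between stateless ACL filtering and a state-tracking firewall placed in front of a server. The server address, ports, table size and flow counts are constructed, and the finite connection table is an assumed mechanism for the DDoS exposure, which the message itself does not spell out.

```python
from ipaddress import ip_address, ip_network

# Constructed policy for a hypothetical web server at 192.0.2.10 (documentation range).
# Each rule: (action, protocol, destination network, destination port or None for any)
ACL = [
    ("permit", "tcp", ip_network("192.0.2.10/32"), 80),
    ("permit", "tcp", ip_network("192.0.2.10/32"), 443),
    ("deny",   "any", ip_network("0.0.0.0/0"),     None),
]

def acl_permits(pkt, acl=ACL):
    """Stateless first-match evaluation: the verdict depends only on this packet."""
    for action, proto, dst_net, dport in acl:
        if proto not in ("any", pkt["proto"]):
            continue
        if ip_address(pkt["dst"]) not in dst_net:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False  # implicit deny at the end of the list

class StatefulModel:
    """Toy connection-tracking device with a finite table (size is an assumption)."""
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = set()

    def permits(self, pkt):
        if not acl_permits(pkt):
            return False
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flow in self.table:
            return True
        if len(self.table) >= self.max_entries:
            return False  # table full: new flows dropped, legitimate or not
        self.table.add(flow)
        return True

def compare(flood_size=5000, table_size=1000):
    """Offer flood_size distinct flows to both models, then one legitimate client."""
    fw = StatefulModel(table_size)
    for i in range(flood_size):
        src = str(ip_address("198.51.100.0") + i % 250)
        pkt = {"proto": "tcp", "src": src, "sport": 1024 + i, "dst": "192.0.2.10", "dport": 443}
        fw.permits(pkt)
    legit = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "192.0.2.10", "dport": 443}
    return {"stateless": acl_permits(legit), "stateful": fw.permits(legit), "table": len(fw.table)}
```

In the model, the ACL verdict for the legitimate client is unchanged by earlier traffic, while the state-tracking device refuses it once its table is full.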