[c-nsp] ASA Firewalls placement in the network!

nick hatch nicholas.hatch at gmail.com
Fri Oct 9 16:17:40 EDT 2009


On Thu, Oct 8, 2009 at 10:05 PM, Roland Dobbins <rdobbins at arbor.net> wrote:

>
> On Oct 9, 2009, at 11:39 AM, zafar ullah wrote:
>
>> What you guys suggest, which is best approach for robust & scalable secure
>> network?
>>
>
> Firewalls have no place in front of servers at all.  They add no security
> value at all, and make the servers behind them vastly more vulnerable to
> DDoS, as well as greatly increasing the attack surface if so-called
> 'protocol inspectors' are enabled.
>

That is unless you're talking about an Arbor Peakflow SP Threat Management
System, right? I hear it's "a fully integrated component [... which] conducts
surgical mitigation of network and service-layer attacks that threaten your
Internet Data Center." This glossy website in front of me also says that for
Web 2.0 apps, the Peakflow device fully protects a server's Web services by
stopping malformed HTTP packets and rate-limiting HTTP requests. And its
abilities to protect VoIP and DNS servers, as well as generic TCP
normalization techniques are well-advertised.

Are you saying that Arbor Networks is misguided about their server
protection devices, Roland?

(add an appropriate grain of salt or two...)

-Nick

