[c-nsp] ASA Firewalls placement in the network!

Brian Johnson bjohnson at drtel.com
Fri Oct 9 23:06:49 EDT 2009


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Roland Dobbins
> Sent: Friday, October 09, 2009 12:06 AM
> To: Cisco-nsp
> Subject: Re: [c-nsp] ASA Firewalls placement in the network!
> 
> 
> On Oct 9, 2009, at 11:39 AM, zafar ullah wrote:
> 
> > What do you guys suggest? Which is the best approach for a robust and
> > scalable secure network?
> 
> Firewalls have no place in front of servers at all.  They add no
> security value at all, and make the servers behind them vastly more
> vulnerable to DDoS, as well as greatly increasing the attack surface
> if so-called 'protocol inspectors' are enabled.  Server access
> policies should be enforced via a mixture of host/OS/app BCPs and
> stateless filtering via ACLs in hardware-based routers.

So are you actually saying that DPI is a bad thing relative to server
protection? What makes this a bad idea? In what way does it make them
more vulnerable to attacks?

My experience with crafted packet attacks (being attacked, not attacking
others :P) tells me that this is a good layer of protection.

<sarcasm> What Arbor product would you like to sell me to accomplish
this type of protection?</sarcasm>


> 
> Firewalls do make sense for protecting access LANs for enterprises.
> Firewalls deployed for this purpose must by definition be placed
> behind the enterprise edge router(s) and in front of the internal
> enterprise access network.
> 

Ok... So it's ok to protect end users from the Internet? Gotcha.

Not trying to be snide here (at least not anymore ;P), but I doubt that
the majority of CFOs would be fine leaving their servers behind simple
ACLs. I would never do that.

- Brian
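The two postings argue about placement without showing the mechanism either side has in mind. The following is an added example, not code from the thread or from either poster, that models both devices in Python under a spoofed SYN flood: a stateless ACL judges each packet on its own header, so flood volume cannot change its answer for a legitimate client's SYN, while a stateful firewall with a bounded connection table refuses new flows once half-open entries fill it. It also models the flip side Brian raises: a crafted out-of-state ACK to a closed port passes the stateless `established` rule and reaches the host, whereas the stateful device drops it. The addresses (RFC 5737 documentation ranges), table size and flood size are constructed, and the model deliberately omits idle timeouts and SYN-proxy features that real firewalls use to mitigate exactly this.

```python
"""Toy model of the two placements argued about in the thread (added example).

A stateless ACL (router-side filtering) judges every packet on its own header
and keeps no memory.  A stateful firewall keeps a connection table of bounded
size and creates an entry per new flow.  The simulation feeds both devices a
spoofed SYN flood followed by one legitimate client SYN and reports which device
still admits the legitimate connection.  All addresses and sizes are constructed.
"""
from dataclasses import dataclass

SERVER = "192.0.2.10"   # constructed: the protected web server
SERVICE_PORT = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S" (SYN), "A" (ACK), "SA"


def stateless_acl(pkt: Packet) -> bool:
    """Hardware-ACL style policy, equivalent in spirit to:
         permit tcp any host 192.0.2.10 eq 80
         permit tcp any host 192.0.2.10 established
         deny ip any any
    Decided per packet; flood volume cannot change the answer for any packet."""
    if pkt.dst != SERVER:
        return False
    if pkt.dport == SERVICE_PORT:
        return True
    # 'established' only checks that ACK or RST is set.  A crafted ACK aimed at a
    # closed port passes here: the host stack, not the ACL, has to cope with it.
    return "A" in pkt.flags or "R" in pkt.flags


class StatefulFirewall:
    """Connection-tracking device with a bounded state table.

    Each permitted SYN allocates an entry.  Spoofed flood sources never complete
    the handshake, so their entries sit half-open until an idle timeout that this
    model deliberately never reaches during the flood."""

    def __init__(self, max_entries: int):
        self.max_entries = max_entries
        self.table = {}             # (src, dst, dport) -> state
        self.capacity_drops = 0

    def permit(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            return True                      # packet belongs to a tracked flow
        if "S" not in pkt.flags or "A" in pkt.flags:
            return False                     # no state and not a fresh SYN: dropped
        if pkt.dst != SERVER or pkt.dport != SERVICE_PORT:
            return False                     # same service policy as the ACL
        if len(self.table) >= self.max_entries:
            self.capacity_drops += 1
            return False                     # table full: even a legitimate SYN is refused
        self.table[key] = "SYN_SEEN"         # half-open entry
        return True


def spoofed_source(i: int) -> str:
    """Constructed unique spoofed source inside 10.0.0.0/8; never completes a handshake."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


def run_scenario(flood_packets: int, table_size: int) -> dict:
    """Run a SYN flood through both devices, then test one legitimate SYN and
    one crafted out-of-state ACK.  Returns the per-device decisions."""
    fw = StatefulFirewall(table_size)
    for i in range(flood_packets):
        syn = Packet(spoofed_source(i), SERVER, SERVICE_PORT, "S")
        stateless_acl(syn)      # permitted and forwarded; the router keeps nothing
        fw.permit(syn)          # allocates state until the table is full
    half_open_after_flood = len(fw.table)
    drops_during_flood = fw.capacity_drops

    legit = Packet("198.51.100.7", SERVER, SERVICE_PORT, "S")   # constructed real client
    crafted = Packet("203.0.113.9", SERVER, 22, "A")            # constructed ACK to a closed port
    return {
        "stateless_admits_legit_syn": stateless_acl(legit),
        "stateful_admits_legit_syn": fw.permit(legit),
        "stateful_half_open_after_flood": half_open_after_flood,
        "stateful_capacity_drops_during_flood": drops_during_flood,
        "stateless_admits_crafted_ack": stateless_acl(crafted),
        "stateful_admits_crafted_ack": fw.permit(crafted),
    }


if __name__ == "__main__":
    for name, value in run_scenario(flood_packets=5000, table_size=1000).items():
        print(f"{name}: {value}")
```

With a 5000-packet flood against a 1000-entry table, the stateful device has refused 4000 flood SYNs and then refuses the legitimate client as well, while the ACL's decision for the client is unchanged; the crafted ACK shows the cost of that indifference, since the ACL forwards it to the host and the stateful device does not. Which trade-off is acceptable depends on how much the host stack and upstream capacity can absorb, which is the actual disagreement in the thread.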

