[c-nsp] ASA Firewalls placement in the network!
Brian Johnson
bjohnson at drtel.com
Fri Oct 9 23:06:49 EDT 2009
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Roland Dobbins
> Sent: Friday, October 09, 2009 12:06 AM
> To: Cisco-nsp
> Subject: Re: [c-nsp] ASA Firewalls placement in the network!
>
>
> On Oct 9, 2009, at 11:39 AM, zafar ullah wrote:
>
> > What you guys suggest, which is best approach for robust & scalable
> > secure network?
>
> Firewalls have no place in front of servers at all. They add no
> security value at all, and make the servers behind them vastly more
> vulnerable to DDoS, as well as greatly increasing the attack surface
> if so-called 'protocol inspectors' are enabled. Server access
> policies should be enforced via a mixture of host/OS/app BCPs and
> stateless filtering via ACLs in hardware-based routers.
So are you actually saying that DPI is a bad thing relative to server
protection? What makes this a bad idea? In what way does it make them
more vulnerable to attacks?
My experience with crafted packet attacks (being attacked, not attacking
others :P) tells me that this is a good layer of protection.
<sarcasm> What Arbor product would you like to sell me to accomplish
this type of protection?</sarcasm>
>
> Firewalls do make sense for protecting access LANs for enterprises.
> Firewalls deployed for this purpose must by definition be placed
> behind the enterprise edge router(s) and in front of the internal
> enterprise access network.
>
Ok... So it's ok to protect end users from the Internet? Gotcha.
Not trying to be snide here (at least not anymore ;P), but I doubt that
the majority of CFOs would be fine leaving their servers behind simple
ACLs. I would never do that.
- Brian
More information about the cisco-nsp
mailing list