[c-nsp] ASA Firewalls placement in the network!
Roland Dobbins
rdobbins at arbor.net
Sat Oct 10 04:49:52 EDT 2009
On Oct 10, 2009, at 10:06 AM, Brian Johnson wrote:
> So are you actually saying that DPI is a bad thing relative to server
> protection? What makes this a bad idea? In what way does it make them
> more vulnerable to attacks?
DPI <> firewalls.
> My experience with crafted packet attacks (being attacked, not
> attacking
> others :P) tells me that this is a good layer of protection.
Concur. Again, it has nothing to do with stateful firewalls.
>
> <sarcasm> What Arbor product would you like to sell me to accomplish
> this type of protection?</sarcasm>
I publicly held this position when I worked for the world's largest
vendor of stateful firewalls. My position was based upon operational
experience then, as now.
In this thread, I stated that enforcing policy should be handled by
stateless ACLs in hardware. Arbor Networks doesn't make routers.
> Not trying to be snide here (at least not anymore ;P), but I doubt
> that
> the majority of CFOs would be fine leaving their servers behind simple
> ACLs. I would never do that
That's because you, like your hypothetical CFOs, obviously have no
experience running large-scale public-facing Internet properties. Any
large-scale, publicly-visible Web site you can name doesn't have
stateful firewalls in front of its servers.
For a server like a DNS server, a Web server, and so forth, every
connection which comes into said server is by definition unsolicited.
So, the entire purpose of stateful inspection in front of such servers
is moot.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Sorry, sometimes I mistake your existential crises for technical
insights.
-- xkcd #625
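To make the "stateless ACLs in hardware" position concrete, here is an added example of what such a policy looks like on an IOS router in front of a public DNS/Web server subnet. It is not from this thread or from any poster; the server prefix 192.0.2.0/24, the interface name and the service list are assumptions chosen for illustration. Since every connection to these servers is unsolicited, there is no session state worth tracking: the ACL simply enumerates the destination ports the servers actually offer and drops everything else in the forwarding path.

```cisco
! Added example (not part of the original thread): stateless ingress
! policy applied on the upstream-facing interface of a router that sits
! in front of public DNS and Web servers.
! 192.0.2.0/24 and TenGigabitEthernet0/0/0 are assumed placeholder values.
ip access-list extended SERVER-INGRESS
 remark --- only the services the servers are built to answer ---
 permit udp any 192.0.2.0 0.0.0.255 eq 53
 permit tcp any 192.0.2.0 0.0.0.255 eq 53
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 permit tcp any 192.0.2.0 0.0.0.255 eq 443
 remark --- ICMP the servers need: PMTUD and basic reachability ---
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 remark --- everything else is dropped in hardware; no state kept ---
 deny ip any any
!
interface TenGigabitEthernet0/0/0
 description upstream / Internet-facing (assumed name)
 ip access-group SERVER-INGRESS in
```

Two design notes. First, there is deliberately no `established` keyword and no `log` on the final deny: `established` would only matter for return traffic to client-initiated sessions, which these servers do not originate, and `log` punts matched packets to the route processor, which is exactly the per-packet CPU cost the stateless approach avoids. Per-entry hit counters from `show ip access-lists SERVER-INGRESS` give visibility into what is being dropped without that penalty. Second, because the ACL is evaluated per packet rather than per flow, a flood of bogus SYNs or unsolicited UDP toward a closed port is discarded at line rate rather than consuming a state-table entry, which is the operational point being made above.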