[c-nsp] ASA Firewalls placement in the network!
Roland Dobbins
rdobbins at arbor.net
Sat Oct 10 05:05:52 EDT 2009
On Oct 10, 2009, at 3:17 AM, nick hatch wrote:
> Are you saying that Arbor networks is misguided about their server
> protection devices, Roland?
My position on this subject, based on hands-on operational experience,
was the same when I worked for the world's largest vendor of stateful
firewalls as it is now - namely, that policy enforcement for servers
should be handled by stateless ACLs on hardware-based routers, *not*
by stateful firewalls, because it makes no sense to put a stateful
inspection firewall in front of Web servers, DNS servers, et al., as
*by definition*, every connection said servers receive is unsolicited,
and therefore simply not a candidate for stateful inspection in the
first place.
Note that my employer, Arbor Networks, doesn't make routers of any
type, nor indeed any sort of policy-enforcement device at all; that's
not what we do. Our TMS does in fact protect firewalls and everything
behind them from DDoS; we've many customers who use them for this
purpose.
So, as you see, I've no pecuniary interest whatsoever in stating that
it makes no sense to put stateful firewalls in front of servers, as it
makes not one whit of difference to us - in fact, given the propensity
of firewalls to collapse under DDoS, one could say *quite the opposite*.
My purpose in stating that firewalls have no place in front of servers
was meant to be educational in nature, nothing more.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Sorry, sometimes I mistake your existential crises for technical
insights.
-- xkcd #625
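As an added illustration of the stateless-ACL approach argued for above (this is a constructed example, not configuration from the post or from Arbor), here is what the policy for a public Web and DNS server looks like as an IOS-style extended ACL on the router in front of it. The addresses are RFC 5737 documentation ranges (192.0.2.10 for the server, 198.51.100.0/24 as an assumed management network) and the interface names are assumptions.

```cisco
! Constructed example: stateless policy for a public Web + DNS server.
! Every inbound connection to the server is unsolicited, so the ACL just
! says which ports the world may reach; no session table is needed.
ip access-list extended SERVER-IN
 remark Drop non-initial fragments first: a stateless filter cannot see
 remark the transport header in them, so they must not slip past the rules
 deny   ip  any host 192.0.2.10 fragments
 remark Public services the server actually offers
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.10 eq 53
 permit tcp any host 192.0.2.10 eq 53
 remark Management only from the assumed admin network
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
 remark Everything else is dropped in hardware; no 'log' keyword here,
 remark because logging denies punts packets to the CPU under attack
 deny   ip  any any
!
! Return traffic from the server toward clients. 'established' matches
! segments with ACK or RST set, which is as much "state" as a stateless
! filter keeps, and is enough for a server that never originates sessions.
ip access-list extended SERVER-OUT
 permit tcp host 192.0.2.10 any established
 permit udp host 192.0.2.10 eq 53 any
 permit tcp host 192.0.2.10 eq 53 any established
 remark Permit only the outbound sessions the server legitimately starts,
 remark e.g. DNS recursion or updates, and deny the rest so a compromised
 remark host cannot reach out or spoof
 permit udp host 192.0.2.10 any eq 53
 deny   ip  any any
!
interface GigabitEthernet0/0
 description Upstream (Internet-facing); assumed interface name
 ip access-group SERVER-IN in
!
interface GigabitEthernet0/1
 description Server VLAN; assumed interface name
 ip access-group SERVER-OUT in
```

The point the example makes is the one in the post: nothing here tracks sessions, so a flood of SYNs, or of spoofed packets to port 80, is forwarded or dropped at line rate in hardware rather than filling a state table. The fragment deny and the restrictive outbound list are the two places where a stateless filter needs a little care to match what operators expect a firewall to do for them.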