[c-nsp] ASA Firewalls placement in the network!

Brian Johnson bjohnson at drtel.com
Sun Oct 11 21:26:53 EDT 2009



> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roland Dobbins
> Sent: Saturday, October 10, 2009 3:50 AM
> To: Cisco-nsp
> Subject: Re: [c-nsp] ASA Firewalls placement in the network!
> 
> 
> On Oct 10, 2009, at 10:06 AM, Brian Johnson wrote:
> 
> > So are you actually saying that DPI is a bad thing relative to server
> > protection? What makes this a bad idea? In what way does it make them
> > more vulnerable to attacks?
> 
> DPI <> firewalls.

Agreed, but are you saying that DPI is a bad thing relative to
unsolicited server connections?

> 
> > My experience with crafted packet attacks (being attacked, not
> > attacking
> > others :P) tells me that this is a good layer of protection.
> 
> Concur.  Again, it has nothing to do with stateful firewalls.

OK, so I know that DPI can be done with other devices, including
routers, but you never mentioned DPI in your solution.

> 
> >
> > <sarcasm> What Arbor product would you like to sell me to accomplish
> > this type of protection?</sarcasm>
> 
> I publicly held this position when I worked for the world's largest
> vendor of stateful firewalls.  My position was based upon operational
> experience then, as now.

Working at the big C must have been such a burden. :) 

> 
> In this thread, I stated that enforcing policy should be handled by
> stateless ACLs in hardware.  Arbor Networks doesn't make routers.

OK. No problem with this idea and in fact this is the only way to
enforce access policy at the edge of a network that I'm aware of. Good
call.

> 
> > Not trying to be snide here (at least not anymore ;P), but I doubt that
> > the majority of CFOs would be fine leaving their servers behind simple
> > ACLs. I would never do that
> 
> That's because you, like your hypothetical CFOs, obviously have no
> experience running large-scale public-facing Internet properties.  Any
> large-scale, publicly-visible Web site you can name doesn't have
> stateful firewalls in front of its servers.

OOPS... I meant CTOs.

No, I do have such experience (depending on your definition of large
scale) and know real CTOs (or their equivalent). They might not be the
"biggest players" in the arena, but they are a small volume compared to
the other players who will use these technologies.

> 
> For a server like a DNS server, a Web server, and so forth, every
> connection which comes into said server is by definition unsolicited.
> So, the entire purpose of stateful inspection in front of such servers
> is moot.
> 

<vent> Thanks for knowing me so well and assigning my experience from a
single post. Can you tell the future and bring back the dead too?
</vent>

I would agree that a "mis-sized" security appliance (be it a firewall
or router with security features like ACLs and DPI) can be problematic.
I disagree that its purpose is "moot". A security appliance in front of
servers can help to stop crafted packet attacks and SYN floods. Why
attack a target that is being defended when there are so many targets
that aren't?

I have worked with this stuff for a long time (>10 years). I am NOT an
expert and distrust statements from people/vendors who make finite
statements that I can prove wrong out of hand.

Let's try to be respectful of people and ideas. Disagreeing is fine, but
insisting that one's opinion is correct in all circumstances is
foolhardy and only negates your opinion.

I agree that you are right in some circumstances, but not all. Also, the
circumstances in which I would follow your opinion are few and far
between.

Just my, and my hypothetical CTOs', $.02

- Brian
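For readers following the "stateless ACLs in hardware" position argued in the quoted text, here is a constructed Cisco IOS example (not from either poster) of what such an edge policy looks like for a public web and DNS server: inbound connections are unsolicited by design, so the ACL simply permits the published services and drops everything else without tracking state. The prefix 192.0.2.0/24, the server addresses and the interface name are assumptions chosen for illustration (RFC 5737 documentation space).

```cisco
! Constructed example: stateless edge ACL protecting public servers.
! 192.0.2.10 = web server, 192.0.2.20 = authoritative DNS (assumed addresses).
ip access-list extended EDGE-TO-SERVERS
 remark -- drop obviously forged sources: RFC 1918, loopback, and our own prefix
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 remark -- non-initial fragments carry no L4 header, so port rules cannot match them
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 remark -- web server: only the published services
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark -- authoritative DNS: UDP and TCP 53 (TCP needed for large responses)
 permit udp any host 192.0.2.20 eq 53
 permit tcp any host 192.0.2.20 eq 53
 remark -- replies to connections the servers initiated; 'established'
 remark -- only checks ACK/RST flags, so this stays stateless
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark -- keep path MTU discovery and traceroute working
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 deny   ip any any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface)
 ip access-group EDGE-TO-SERVERS in
```

The trade-off the thread argues over is visible here: nothing in this list can absorb a SYN flood or validate application payloads, but it is evaluated in hardware at line rate with no connection table to exhaust.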



More information about the cisco-nsp mailing list