[c-nsp] ASA Firewalls placement in the network!

Mark Tinka mtinka at globaltransit.net
Mon Oct 12 00:39:29 EDT 2009


On Monday 12 October 2009 01:00:29 am Gert Doering wrote:

> So, if you put a firewall in front of a well-maintained
> server, all you add is "extra state table handling" with
> all the problems it brings - state table overflow (=new
> connections getting dropped), state getting
> desynchronized with the server, firewall CPU exploding
> long before the server is hitting any load boundaries,
> and worst of all, weaknesses in the firewall products
> that can be used to crash the firewall, DoSing the
> server.
>
> The worst thing you can do is put a stateful firewall in
> front of a busy DNS server - every single packet creating
> new state will bring most hardware-based firewalls to
> their knees, because "session churn" is usually handled
> at a much lower packet rate than "pure packet throughput for
> existing state"...

Agree.

Cheers,

Mark.
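The "session churn" point Gert makes above can be made concrete with a small model. The following is an added illustration for this thread, not code from the list, from Cisco, or from any firewall product: a flow table with a fixed capacity and an idle timeout, fed the same packet rate in two shapes, DNS-style traffic where every query is a fresh UDP 5-tuple, and web-style traffic spread over a few hundred long-lived TCP sessions. All numbers (10,000 entries, 20,000 packets/s, the timeouts, the address ranges) are constructed assumptions chosen to make the effect visible; timestamps are integer microseconds so the timeout comparison is exact.

```python
"""Toy model of a stateful firewall's session table under DNS-style churn.

Added illustration for the thread above, not code from the list, from Cisco,
or from any firewall product. Table size, idle timeouts and traffic shapes are
constructed assumptions chosen to make the effect visible; timestamps are
integers in microseconds so the idle-timeout comparison is exact.
"""
from collections import OrderedDict


class StatefulFirewall:
    """Flow table keyed by 5-tuple, with a fixed capacity and an idle timeout.

    A packet that matches an entry refreshes it; a packet that does not match
    must create an entry, and is dropped when the table is full. That drop is
    the "state table overflow" described in the quoted mail.
    """

    def __init__(self, capacity, idle_timeout_us):
        self.capacity = capacity
        self.idle_timeout_us = idle_timeout_us
        self.table = OrderedDict()   # key -> last_seen_us, oldest activity first
        self.forwarded = 0
        self.dropped_new = 0
        self.flows_created = 0

    def _expire(self, now_us):
        # Entries are kept in order of last activity, so idle ones sit at the front.
        while self.table:
            key, last_seen = next(iter(self.table.items()))
            if now_us - last_seen > self.idle_timeout_us:
                self.table.popitem(last=False)
            else:
                break

    def packet(self, now_us, key):
        """Return True if the packet is forwarded, False if it is dropped."""
        self._expire(now_us)
        if key in self.table:                  # cheap path: existing state
            self.table[key] = now_us
            self.table.move_to_end(key)
            self.forwarded += 1
            return True
        if len(self.table) >= self.capacity:   # new flow, but no room for it
            self.dropped_new += 1
            return False
        self.table[key] = now_us
        self.flows_created += 1
        self.forwarded += 1
        return True


def dns_workload(n_packets, interval_us):
    """Constructed resolver traffic: every query is a fresh UDP 5-tuple
    (new source port), so every packet creates state."""
    for i in range(n_packets):
        key = ("udp", f"198.51.100.{i % 200}", 1024 + i // 200, "192.0.2.53", 53)
        yield i * interval_us, key


def web_workload(n_packets, interval_us, n_sessions):
    """Constructed long-lived TCP traffic: the same packet rate spread over a
    fixed set of sessions, so almost every packet hits existing state."""
    for i in range(n_packets):
        s = i % n_sessions
        key = ("tcp", f"203.0.113.{s % 250}", 40000 + s // 250, "192.0.2.80", 443)
        yield i * interval_us, key


def run(fw, workload):
    for now_us, key in workload:
        fw.packet(now_us, key)
    return {
        "forwarded": fw.forwarded,
        "dropped_new": fw.dropped_new,
        "flows_created": fw.flows_created,
        "table_size": len(fw.table),
    }


def state_needed(new_flows_per_s, idle_timeout_s):
    """Back-of-envelope sizing: steady-state entries = churn rate x idle timeout."""
    return new_flows_per_s * idle_timeout_s


if __name__ == "__main__":
    PKTS, US = 100_000, 50                 # 20,000 packets/s for 5 s
    # Same packet rate, same firewall: DNS churn fills the table, web traffic does not.
    print("dns, 30 s udp timeout: ", run(StatefulFirewall(10_000, 30_000_000), dns_workload(PKTS, US)))
    print("web, 30 s tcp timeout: ", run(StatefulFirewall(10_000, 30_000_000), web_workload(PKTS, US, 500)))
    # Shortening the UDP idle timeout bounds the state the same churn holds.
    print("dns, 0.2 s udp timeout:", run(StatefulFirewall(10_000, 200_000), dns_workload(PKTS, US)))
    print("entries needed at 20k new flows/s, 30 s timeout:", state_needed(20_000, 30))
```

At the same 20,000 packets/s, the web workload creates 500 entries and forwards everything, while the DNS workload exhausts the 10,000-entry table within the first half second and then drops nine out of ten queries as "new connections" even though the server behind it is idle. The sizing rule the last line prints (steady-state entries = new flows per second x idle timeout) is the check to run before putting a stateful device in front of a resolver: 20,000 fresh UDP flows/s held for a 30 s timeout is 600,000 concurrent entries, which is why the quoted mail's advice is to keep such a box away from a busy DNS server, or failing that, to cut the UDP idle timeout so that the held state stays inside the table's capacity.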