[c-nsp] cisco-nsp Digest, Vol 83, Issue 39

Joel M Snyder Joel.Snyder at Opus1.COM
Mon Oct 12 12:19:53 EDT 2009


 > The worst thing you can do is put a stateful firewall in front of a
 > busy DNS server

Well, as a security guy (rather than as a network guy), I would 
respectfully disagree.

First of all, if your firewall is underspecified or underrated, then 
yes, you'll have problems. Secondly, if your firewall is misconfigured 
or mistuned, then yes, you'll have problems. Of course, both of these 
things are true of the network itself as everyone on this list knows 
very well.

If you do the job right, from a security point of view, you can 
certainly put a fine firewall in front of a very busy DNS server. (And 
when I say "very busy" I'm talking 10K queries a second, which is to say 
about 20Mbit/second sustained round-the-clock load, for less than $10K.)

So then the question comes: well, what's the point?  I think that a lot 
of the folks on this list feel that throwing an ACL in front of a box is 
effectively the same, from a security point of view, as a firewall and a 
hell of a lot cheaper.

If you have a lousy firewall (i.e., one that is doing nothing more than 
keeping a UDP session open), yes, absolutely.  However, good firewalls 
are doing a lot more than that.

You may remember last year's "the Internet is falling and only Dan 
Kaminsky can explain it" flap around DNS.  Well, a lot of the discussion 
around this bug/problem/issue ignored the truth that a good firewall 
prevented the attack directly, by knowing enough 'deep packet smarts' 
around the DNS protocol that the attack scenario was effectively blocked 
(hey, that's why we have a session table in the first place!).
Similarly, a well-configured firewall would have per-IP rate limits in 
it, which would have been a second line of defense.

Now, if you put in a piece-o-crap firewall that is misconfigured, too 
slow, doesn't have a big enough session table, and doesn't do anything 
more than your average reflexive access control list, then you're right 
on: rip that junk out and go bareback.

But if you do it right, there is value to be provided by a firewall.

jms


-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms
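The session-table and per-IP rate-limit controls the post credits a good firewall with, as an added example that is not part of the original message or of any vendor's product: a toy Python model in which a reply is forwarded only if it matches an outstanding query, and a client is held to a query rate. Addresses, ports, transaction IDs and timings are constructed.

```python
# Added illustration, not the cisco-nsp post's code nor any vendor's: a toy
# stateful DNS filter with the two controls the post credits a good firewall
# with: a session table that admits a reply only when it matches an open query
# (addresses, ports, transaction ID, question), plus a per-client rate limit.
# Packets are constructed dicts, not real wire-format DNS.
from collections import defaultdict, deque


class DnsFirewall:
    def __init__(self, max_queries_per_sec=100, session_ttl=2.0):
        self.sessions = {}                  # session key -> expiry time
        self.max_rate = max_queries_per_sec
        self.ttl = session_ttl
        self.history = defaultdict(deque)   # client IP -> query timestamps

    def outbound_query(self, pkt, now):
        """Forward a client query if under its rate limit; record the session."""
        recent = self.history[pkt["src"]]
        while recent and recent[0] <= now - 1.0:   # one-second sliding window
            recent.popleft()
        if len(recent) >= self.max_rate:
            return False                            # rate-limited, not forwarded
        recent.append(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
               pkt["txid"], pkt["qname"].lower())
        self.sessions[key] = now + self.ttl
        return True

    def inbound_response(self, pkt, now):
        """Forward a reply only if it matches a live session, then close it."""
        for k in [k for k, exp in self.sessions.items() if exp <= now]:
            del self.sessions[k]                    # expire stale sessions
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"],
               pkt["txid"], pkt["qname"].lower())
        if key not in self.sessions:
            return False                            # unsolicited or mismatched
        del self.sessions[key]                      # one answer per question
        return True


def demo():
    """Constructed scenario: mismatched txid, then the real reply, then a replay."""
    fw = DnsFirewall(max_queries_per_sec=5)
    query = {"src": "192.0.2.10", "sport": 40001, "dst": "198.51.100.1",
             "dport": 53, "txid": 0x1234, "qname": "www.example.com"}
    fw.outbound_query(query, now=0.0)
    reply = {"src": "198.51.100.1", "sport": 53, "dst": "192.0.2.10",
             "dport": 40001, "txid": 0x1234, "qname": "www.example.com"}
    return (fw.inbound_response(dict(reply, txid=0x1235), 0.1),
            fw.inbound_response(reply, 0.2), fw.inbound_response(reply, 0.3))
```

Only the reply whose ports, transaction ID and question all match the recorded query is forwarded; the mismatched reply and the later duplicate are dropped, and a client exceeding the per-second budget has its excess queries refused before any session is created.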

