Joel M Snyder -
>> If you do the job right, from a security point of view, you can
certainly put a fine firewall in front of a very busy DNS server. (and
when I say "very busy" I'm talking 10K queries a second, which is to say
about 20Mbit/second sustained round-the-clock load, for less than $10K)
what you recommend for this? Some of my colleague have suggested a
redundant open-bsd cluster (with plenty of RAM b/c memory is cheap these
days) with PF; I can see a scalable home grown solution that can address
the "exhausted state table" issue; I'm just wondering if cheap fast CPU
will be on par (performance and throughput wise) with fast ASIC like the
big box vendor uses on their firewall products.
What do you think?
Regards,
Ge Moua | Email: [email protected]
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
Joel M Snyder wrote:
> The worst thing you can do is put a stateful firewall in
> front of a
> busy DNS server
Well, as a security guy (rather than as a network guy), I would
respectfully disagree.
First of all, if your firewall is underspecified or underrated, then
yes, you'll have problems. Secondly, if your firewall is
misconfigured or mistuned, then yes, you'll have problems. Of
course, both of these things are true of the network itself as
everyone on this list knows very well.
If you do the job right, from a security point of view, you can
certainly put a fine firewall in front of a very busy DNS server.
(and when I say "very busy" I'm talking 10K queries a second, which is
to say about 20Mbit/second sustained round-the-clock load, for less
than $10K)
So then the question comes: well, what's the point? I think that a
lot of the folks on this list feel that throwing an ACL in front of a
box is effectively the same, from a security point of view, as a
firewall and a hell of a lot cheaper.
If you have a lousy firewall (i.e., one that is doing nothing more
than keeping a UDP session open), yes, absolutely. However, good
firewalls are doing a lot more than that.
You may remember last year's "the Internet is falling and only Dan
Kaminsky can explain it" flap around DNS. Well, a lot of the
discussion around this bug/problem/issue ignored the truth that a good
firewall prevented the attack directly, by knowing enough 'deep packet
smarts' around the DNS protocol that the attack scenario was
effectively blocked (hey, that's why we have a session table in the
first place!). Similarly, a well-configured firewall would have per-IP
rate limits in it, which would have been a second line of defense.
Now, if you put in a piece-o-crap firewall that is misconfigured, too
slow, doesn't have a big enough session table, and doesn't do anything
more than your average reflexive access control list, then you're
right on: rip that junk out and go bareback.
But if you do it right, there is value to be provided by a firewall.
jms
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
