On 10 May 2011 15:07, Dobbins, Roland <[email protected]> wrote:

> On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:
>
>> Maybe they should call that "You don't have to patch" genius!
>
> Stateful firewalls have no place in front of servers, where every incoming
> request is unsolicited, and therefore there is no state to inspect in the
> first place. Stateful firewalls in front of servers merely serve as DDoS
> chokepoints due to the large amount of unnecessary state they instantiate.

This statement is only true for unauthenticated services which are not dealing with financial information. Would you suggest a bank not protect their internet banking service with a firewall because a DDoS might take the service offline? Or would you tell them to use a firewall in conjunction with a specific upstream device, which may even be installed at the ISP end of the link, to deal with DDoS?
As Tracy mentioned, having a stateful firewall is useful to block outgoing traffic; using an ACL just doesn't cut it. If an attacker initiates a connection to a dest port higher than 2048 (to some other server the attacker controls) with a source port of 80, that will pass through an ACL without issues; this would not be so on a stateful firewall.

mod_security might be good practice to use in a layered approach... but if you're running old versions of Apache (like Sony were), then it's not hard for an attacker to control the memory space used by mod_security and allow all packets. If the webserver is owned, then it's owned; no controls implemented on that server can be trusted or relied on.

Pete
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
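The ACL-versus-stateful point Pete makes above can be shown with a small model. The following is an added example, not code from the thread or from any of the participants: it pushes the same constructed packets through a hypothetical two-rule "reply traffic" ACL and through a minimal connection tracker. All addresses are made up from RFC 5737 documentation ranges, the port threshold (1023) and the rule shapes are assumptions standing in for whatever ACL a site might actually deploy, and the tracker is deliberately simplified (it keys on the 4-tuple and does not follow sequence numbers).

```python
"""Why a stateless ACL cannot stand in for connection tracking.

Added example (not from the original thread). Addresses are constructed
from RFC 5737 documentation ranges; the ACL policy below is a hypothetical
'reply traffic' rule of the kind the post describes.
"""
from dataclasses import dataclass

SERVER = "203.0.113.10"    # constructed: the protected web server
CLIENT = "198.51.100.7"    # constructed: a legitimate browser
ATTACKER = "192.0.2.66"    # constructed: a host the attacker controls


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # letters from "SAFR": SYN, ACK, FIN, RST


def stateless_acl(pkt: Packet, direction: str) -> bool:
    """Hypothetical two-line ACL for a web server.

    in : permit tcp any -> SERVER eq 80
    out: permit tcp SERVER eq 80 -> any gt 1023   (meant to be 'replies')

    The ACL has no memory, so it cannot tell a reply to a client from a
    brand-new outbound flow that merely happens to use source port 80.
    """
    if direction == "in":
        return pkt.dst == SERVER and pkt.dport == 80
    if direction == "out":
        return pkt.src == SERVER and pkt.sport == 80 and pkt.dport > 1023
    return False


class StatefulFirewall:
    """Minimal connection tracker: only inbound SYNs to SERVER:80 create
    state, and every other packet must belong to a flow already in the
    table. Real trackers also follow the handshake and sequence numbers."""

    def __init__(self) -> None:
        # flows keyed as (client, cport, server, sport)
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet, direction: str) -> bool:
        if direction == "in":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            is_new_syn = "S" in pkt.flags and "A" not in pkt.flags
            if pkt.dst == SERVER and pkt.dport == 80 and is_new_syn:
                self.table.add(key)        # a client opened a session: remember it
                return True
            allowed = key in self.table    # otherwise it must match existing state
        elif direction == "out":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            allowed = key in self.table    # only replies inside a tracked flow
        else:
            return False
        if allowed and ("F" in pkt.flags or "R" in pkt.flags):
            self.table.discard(key)        # simplified teardown on FIN/RST
        return allowed


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Push the same constructed packets through both filters.
    Each value is (stateless ACL verdict, stateful firewall verdict)."""
    fw = StatefulFirewall()
    packets = [
        # 1. a normal client session
        ("legit_syn_in",      Packet(CLIENT, 51514, SERVER, 80, "S"),   "in"),
        ("legit_synack_out",  Packet(SERVER, 80, CLIENT, 51514, "SA"),  "out"),
        # 2. the owned server calls home, binding source port 80 so the
        #    packet looks like a reply to the ACL
        ("reverse_syn_out",   Packet(SERVER, 80, ATTACKER, 4444, "S"),  "out"),
        ("reverse_synack_in", Packet(ATTACKER, 4444, SERVER, 80, "SA"), "in"),
    ]
    results = {}
    for name, pkt, direction in packets:
        results[name] = (stateless_acl(pkt, direction), fw.allow(pkt, direction))
    return results


if __name__ == "__main__":
    for name, (acl, stateful) in run_scenario().items():
        verdict = lambda ok: "permit" if ok else "deny"
        print(f"{name:18s} ACL={verdict(acl):6s} stateful={verdict(stateful)}")
```

The legitimate session passes both filters. The reverse connection from the compromised server passes the ACL in both directions, because the ACL only sees "source port 80, high destination port" and "destination port 80", while the tracker rejects it because no client ever opened that flow. This is the gap Pete describes; the tracker's state table is also the resource Roland's DDoS objection refers to, so the trade-off is real in both directions.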
