On May 11, 2011, at 6:51 AM, Thor (Hammer of God) wrote:

> My experience is quite different, and I have personally seen too many instances to count where the use of firewalls has, without question, been what has saved a company.

I would be extremely interested to learn details of how a stateful firewall in front of a server saved a company, when stateless ACLs in hardware-based network infrastructure devices would've led to failure. Seriously, if you don't mind outlining the scenario, I think it would be very instructive.

> So, to wrap up my input in this regard, people should use what works for them
> assuming they know what problems they are trying to solve and how they are
> solving them.

If an attacker is already in a position to issue commands and induce your box to do things, he *already has his covert channel over which he can exfiltrate data*. So the outbound stateful checking of server response traffic is moot, and simply constitutes a stateful DDoS chokepoint which makes it trivial for an attacker to take down the server in question by filling up the state-tables of said firewall with well-formed, programmatically-generated traffic.

That's my point, in a nutshell.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

	The basis of optimism is sheer terror.

			-- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
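The state-table exhaustion argument above, as an added simulation that is not part of the original thread or of any vendor's code: a stateful firewall keeps one entry per permitted flow in a table of finite size, while a stateless ACL matches each packet against fixed rules and remembers nothing. The addresses (RFC 5737 documentation ranges), the table capacity, the flow counts and the `run()` helper are all assumptions constructed for the example; the attacker's packets are deliberately well-formed SYNs, since nothing about them can be rejected by a protocol check.

```python
"""Constructed simulation of state-table exhaustion (not from the original post).

StatefulFirewall admits a new inbound TCP/80 flow only while its table has room;
StatelessACL permits TCP/80 inbound and TCP/80 replies outbound per packet, with
no memory. Both are fed the same flood of well-formed attacker SYNs, followed by
a handful of legitimate clients, and we count who gets through.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")

SERVER = "192.0.2.10"      # assumed server address (RFC 5737 documentation range)
SERVICE_PORT = 80          # assumed protected service


class StatefulFirewall:
    """One table entry per permitted flow; new flows refused when full."""

    def __init__(self, state_limit):
        self.state_limit = state_limit       # assumed capacity for the simulation
        self.table = set()
        self.dropped_for_capacity = 0

    def permit(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.table:
            return True                      # packet belongs to a tracked flow
        new_flow = (pkt.dst_ip == SERVER and pkt.dst_port == SERVICE_PORT
                    and "SYN" in pkt.flags)
        if not new_flow:
            return False
        if len(self.table) >= self.state_limit:
            self.dropped_for_capacity += 1   # table exhausted: legitimate or not, it is dropped
            return False
        self.table.add(key)                  # each well-formed SYN costs the box an entry
        return True


class StatelessACL:
    """Per-packet rule match, no memory. The outbound rule checks ACK/RST bits,
    which is what a router ACL's "established" keyword approximates."""

    def permit(self, pkt):
        if pkt.dst_ip == SERVER and pkt.dst_port == SERVICE_PORT:
            return True
        if (pkt.src_ip == SERVER and pkt.src_port == SERVICE_PORT
                and ("ACK" in pkt.flags or "RST" in pkt.flags)):
            return True
        return False


def attacker_syns(count):
    """Distinct, well-formed SYNs from an assumed bot/spoofed range (198.51.100.0/24).
    Source port is unique per flow, so every packet is a fresh 4-tuple."""
    for i in range(count):
        yield Packet(f"198.51.100.{i % 254 + 1}", 1024 + i, SERVER, SERVICE_PORT, ("SYN",))


def legitimate_syns(count):
    """Ordinary clients from an assumed range (203.0.113.0/24) arriving after the flood."""
    for i in range(count):
        yield Packet(f"203.0.113.{i + 1}", 40000 + i, SERVER, SERVICE_PORT, ("SYN",))


def run(state_limit=1000, attack_flows=5000, clients=20):
    """Replay the flood through both devices and report what the legitimate clients see."""
    fw, acl = StatefulFirewall(state_limit), StatelessACL()
    for pkt in attacker_syns(attack_flows):
        fw.permit(pkt)
        acl.permit(pkt)
    legit = list(legitimate_syns(clients))
    return {
        "stateful_legit_admitted": sum(fw.permit(p) for p in legit),
        "stateless_legit_admitted": sum(acl.permit(p) for p in legit),
        "state_entries": len(fw.table),
        "stateful_dropped": fw.dropped_for_capacity,
    }


if __name__ == "__main__":
    for limit in (1000, 10_000):
        print(f"state_limit={limit}: {run(state_limit=limit)}")
```

Raising the table size only moves the threshold: the attacker's cost is one well-formed packet per entry, so whatever capacity the firewall has is the size of flood needed to shut out every new legitimate connection, whereas the stateless rule set has no such threshold to hit.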
