On May 12, 2011, at 3:49 AM, phocean wrote: > To go back to my point: an application server (IIS, Apache) cannot sustain as > many connections as a firewall (of course in a sane and standard environment).
Sorry, but my operational experience is quite the opposite. And one generally deploys clusters of servers, in any kind of even semi-important site. > So you cannot tell that a firewall will increase the risk of DoS. I can and do tell you that. I further tell you that enforcing network access policies for servers in stateless ACLs instantiated in ASIC-based routers and layer-3 switches is the way to go. I tell you this based upon my direct experience working for the largest manufacturer of firewalls in the world, and on my day-to-day operational experience with people calling up and screaming that 'the data center is down' and the proximate cause being a stateful firewall which gave up the ghost to trivial amounts of traffic. For example, I've seen 80kpps of SYN-flood take down a stateful firewall rated for 2.5gb/sec. > From what I have seen so far as arguments, I think the discussion is over. The folks cited on pp. 41 - 42 of the survey in question have reached a different conclusion: <http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45> ----------------------------------------------------------------------- Roland Dobbins <[email protected]> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
