On Wed, Apr 08, 2009 at 08:32:02AM +1000, Karl Auer wrote:
> On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> > It seems there is a trend towards moving host protection on to the
> > hosts themselves, onto or closer to the resource or entity being
> > protected. It's basically following the cliche, "If you want something
> > to be done properly, you need to do it yourself."
>
> And IPv6 tends to push security back onto hosts, too.
>
> > If you move to the host-based firewalling model, plain packet
> > filtering ACLs at the perimeter would be quite an adequate form of a
> > first level of defence, while also avoiding the performance overhead
> > of (or resources required to perform) stateful tracking of large
> > amounts of traffic.
>
> And a combination of the two - if you *are* performing more complex
> checks deeper inside the network, packet filtering can reduce the load
> that actually reaches those inner check points.

Which would address my concern of just passing along the [D]DOS to the
host. Mitigating attacks at the border and letting the hosts allow what
they specifically need is a good model.

> I'd be interested to hear why people use firewalls. I've never felt the
> need, myself - am I living in a fool's paradise?

By your email I'll assume you've never had to deal with HIPAA[1] or
SOx[2]. That aside I see a value in using a stateful FW that does packet
inspection to validate the type of traffic over a certain port should
really be there.

-r

[1] http://en.wikipedia.org/wiki/HIPPA
[2] http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
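As an added illustration of the two-layer model discussed above (not part of the thread, and written in nftables syntax, which postdates this 2009 exchange): a stateless ACL on the perimeter router that sheds traffic cheaply, and a stateful per-host ruleset that admits only what that host actually runs. Interface names, prefixes and the admin network are placeholders from the documentation ranges.

```nft
# --- Perimeter router: stateless packet filtering, no connection tracking ---
# Runs at line rate; its job is to drop what has no business reaching any host,
# so the stateful checks further in see far less traffic.
table inet perimeter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Anti-spoofing: our own prefixes must never arrive from outside (placeholders)
        iifname "wan" ip6 saddr 2001:db8::/32 drop
        iifname "wan" ip saddr 192.0.2.0/24 drop

        # Inbound: only the published services, only to the subnets that host them
        iifname "wan" ip6 daddr 2001:db8:0:10::/64 tcp dport { 80, 443 } accept
        iifname "wan" ip6 daddr 2001:db8:0:20::/64 tcp dport 25 accept

        # Replies to connections our hosts opened: the classic stateless
        # "established" check (ACK set, SYN clear) instead of a conntrack entry
        iifname "wan" tcp flags & (syn | ack) == ack accept
        iifname "wan" udp sport 53 accept

        # ICMPv6 needed for PMTUD and error reporting; echo is rate-limited
        iifname "wan" icmpv6 type { packet-too-big, time-exceeded,
                                    destination-unreachable, parameter-problem } accept
        iifname "wan" icmpv6 type echo-request limit rate 100/second accept

        # Everything originating inside may leave
        iifname "lan" oifname "wan" accept
    }
}

# --- Host (a web server): stateful, and it knows exactly what it serves ---
table inet host {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Neighbour discovery and path MTU must work or IPv6 breaks silently
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big } accept

        # New connections only to the services this host runs
        tcp dport { 80, 443 } ct state new accept
        # Management only from the admin network (placeholder prefix)
        ip6 saddr 2001:db8:0:1::/64 tcp dport 22 ct state new accept

        # Log a sample of what falls through, then the policy drops it
        limit rate 5/second log prefix "host-input-drop: "
    }
}
```

Load each ruleset on its own device with `nft -f`; the perimeter table does no state tracking at all, so its cost per packet stays flat under a flood, while the host table carries the conntrack state for only the handful of services it exposes.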

