On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:

> * Defense in depth. You've never had a host that received external traffic
> ever accidentally have iptables or windows firewall turned off? Even when
> debugging a production outage or on accident?

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps. 'Stateful inspection' where in fact there is no useful state to inspect is pointless.

> * Location for IDS/IDP.

Non-sequitur, as these things have nothing to do with one another (plus, these devices are useless, anyways, heh).

> * Connection cleanup, re-assembling fragments, etc.

Far, far, far better and more scalably handled by the hosts themselves and/or load-balancers.

> * SYN flood protection, etc.

Firewalls simply don't handle this well, marketing claims aside. They crash and burn.

> * Single choke point to block incoming traffic deemed undesirable.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Single log point for inbound connections for analysis and auditing
> requirements.

Contextless, arbitrary syslog from firewalls and other such devices is largely useless for this purpose. NetFlow combined with server/app/service logs is the answer to this requirement.

> * Allows outbound traffic enforcement.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Allows conditional inbound traffic from specific approved external hosts-
> e.g. a partner.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Some firewalls allow programmatic modification of configurations with all
> the benefits/pain that brings. This is alongside traditional CLI and GUI
> interfaces.

Ugly, brittle, siloed, to be avoided at all costs.

> * In some/many cases a zone based firewall configuration can be much easier
> to work with than a large iptables config. Certainly the management tools
> are better.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Yeah, auditors like it.

Education is the answer here. ;>

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
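The message above keeps returning to one design: enforce policy with stateless ACLs in router/switch hardware rather than a stateful firewall. The following is an added example, not code from this thread or from either poster, that shows what "stateless" means in practice: a small ACL evaluator in which every packet is judged on its own header fields, with no connection table, and reply traffic is admitted by an "established" match (ACK or RST set) instead of tracked state. The rule and packet types, the `evaluate` function, and the addresses (RFC 5737 documentation prefixes) are all constructed for this example; the policy covers three of the quoted requirements, inbound service exposure, conditional inbound from an approved partner range, and outbound enforcement.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the header fields a stateless ACL can see (constructed type)."""
    proto: str                                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()     # e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    """One ACL entry in the style of a router/switch access list."""
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None        # None = any destination port
    established: bool = False          # TCP only: ACK or RST must be set
    name: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.tcp_flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match semantics with an implicit deny at the end, as in most
    router/switch ACL implementations. Returns (action, name of rule hit)."""
    for r in acl:
        if r.matches(p):
            return r.action, r.name
    return "deny", "implicit-deny"


# Constructed sample policy: a web tier in 192.0.2.0/24 takes HTTPS from
# anyone and SSH only from a partner range 198.51.100.0/24, and receives
# replies to TCP connections its own hosts initiated.
INBOUND = [
    Rule("permit", "tcp", dst="192.0.2.0/24", dport=443, name="web"),
    Rule("permit", "tcp", src="198.51.100.0/24", dst="192.0.2.0/24",
         dport=22, name="partner-ssh"),
    Rule("permit", "tcp", dst="192.0.2.0/24", established=True,
         name="return-traffic"),
]

# Outbound enforcement: the web tier may only initiate HTTPS and DNS,
# plus answer connections that clients opened to it.
OUTBOUND = [
    Rule("permit", "tcp", src="192.0.2.0/24", dport=443, name="egress-https"),
    Rule("permit", "udp", src="192.0.2.0/24", dport=53, name="egress-dns"),
    Rule("permit", "tcp", src="192.0.2.0/24", established=True,
         name="egress-replies"),
]

SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})


def demo() -> List[Tuple[str, str, str]]:
    """Run constructed packets through both lists; returns (label, action, rule)."""
    cases = [
        ("client SYN to 443", INBOUND, Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 443, SYN)),
        ("stranger SYN to 22", INBOUND, Packet("tcp", "203.0.113.5", "192.0.2.10", 40001, 22, SYN)),
        ("partner SYN to 22", INBOUND, Packet("tcp", "198.51.100.7", "192.0.2.10", 40002, 22, SYN)),
        ("reply to our HTTPS", INBOUND, Packet("tcp", "203.0.113.9", "192.0.2.10", 443, 51000, ACK)),
        ("bare SYN to high port", INBOUND, Packet("tcp", "203.0.113.9", "192.0.2.10", 443, 51000, SYN)),
        ("host opens SMTP out", OUTBOUND, Packet("tcp", "192.0.2.10", "203.0.113.25", 52000, 25, SYN)),
        ("host answers a client", OUTBOUND, Packet("tcp", "192.0.2.10", "203.0.113.5", 443, 40000, ACK)),
    ]
    return [(label, *evaluate(acl, pkt)) for label, acl, pkt in cases]


if __name__ == "__main__":
    for label, action, rule in demo():
        print(f"{label:24s} -> {action:6s} ({rule})")
```

The `established` match is the whole trade-off in one line: a stateless device cannot know whether an ACK-bearing packet to a high port really belongs to a connection a host opened, so it admits any such packet and leaves it to the host's own TCP stack to discard what it did not ask for. That is the "no useful state to inspect" argument made concrete, and it is also why this style of policy pairs naturally with per-host filtering and with NetFlow plus service logs for the audit trail, rather than with firewall syslog.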