On Jan 6, 2010, at 11:29 AM, Brian Johnson wrote:
> If your point is given unlimited inbound bandwidth that a stateful
> firewall will fail (not work correctly), I can say that about any piece
> of equipment. And even if it does fail, does it matter if your
> connection is full of useless traffic?
>
It's a lot easier to fill up a state table than to fill up a pipe, which I
believe was Roland's point.
It's quite possible to flood the state table on a device with a fraction of the
pipe's capacity, in which case a stateful device will fall over where a
stateless device would not have. This type of attack will definitely degrade
the service it's aimed at, and probably degrade other services sharing the same
pipe, but won't _necessarily_ kill them as is the case when a stateful gateway
falls over.
Typical scenario is $badguys DDoS one of your webservers. If the gateway is
stateless, your webservers grind to a crawl, but your DNS, e-mail, VoIP, etc.
probably still function to a degree. Contrast that with site-wide outage if
your gateway was stateful and crashed/rebooted/refused to pass traffic due to
having the state table filled.
You're not going to be able to stop $sophisticated_badguy from enumerating your
services no matter how fancy your gear is. Could you detect a distributed
portscan that looks at 5000 proto/IP/port combos per day, across your IP space,
each probe coming from a different IP? I really doubt it. If you have services
listening, someone is going to find them.
IMO you're better off making sure only the services you intend to provide are
listening, and that those services are hardened appropriately for public
exposure.
This topic has probably run its course; everyone has different opinions and
takes away different lessons from their experience. I think it's valuable to
challenge the common assumptions (everyone knows you need a stateful firewall!)
now and then to make sure they actually make sense.
--
bk
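
The point about filling a state table with a fraction of the pipe's capacity can be shown with a toy model. The following is an added example, not code from the thread or from any of its participants: it feeds a SYN flood of spoofed sources at one web server through a stateless port filter and through a stateful gateway with a fixed-size connection table, then checks whether an unrelated DNS connection still gets through. The link speed, packet rate, table size, idle timeout and addresses are all assumptions chosen for illustration.

```python
"""Toy model of state-table exhaustion (added example; not from the thread).

A stateless port filter and a stateful gateway apply the same port policy.
The flood is sized to use well under 10% of the link, but it creates more
distinct flows than the gateway's state table can hold.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int = 60          # bytes on the wire for a bare TCP SYN (assumed)


ALLOWED_PORTS = {25, 53, 80}    # assumed publicly exposed services


class StatelessFilter:
    """Pass anything to an allowed destination port; keeps no per-flow memory."""

    def __init__(self):
        self.passed = 0
        self.dropped = 0

    def handle(self, pkt):
        if pkt.dport in ALLOWED_PORTS:
            self.passed += 1
            return True
        self.dropped += 1
        return False


class StatefulGateway:
    """Same port policy, but every new flow must get a state-table slot."""

    def __init__(self, table_size, idle_timeout):
        self.table_size = table_size
        self.idle_timeout = idle_timeout
        self.table = OrderedDict()      # (src, dst, dport) -> last-seen time
        self.passed = 0
        self.dropped_policy = 0
        self.dropped_table_full = 0

    def _expire(self, now):
        # Oldest entry is at the front because updates move keys to the end.
        while self.table:
            key, seen = next(iter(self.table.items()))
            if now - seen < self.idle_timeout:
                break
            self.table.popitem(last=False)

    def handle(self, pkt, now):
        if pkt.dport not in ALLOWED_PORTS:
            self.dropped_policy += 1
            return False
        self._expire(now)
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            self.table[key] = now
            self.table.move_to_end(key)
            self.passed += 1
            return True
        if len(self.table) >= self.table_size:
            self.dropped_table_full += 1    # no slot: new flow refused
            return False
        self.table[key] = now
        self.passed += 1
        return True


def simulate(link_bps=100_000_000, attack_pps=10_000, seconds=20,
             table_size=50_000, idle_timeout=60.0):
    """Flood port 80 from distinct spoofed sources, then try one legit DNS flow."""
    stateless = StatelessFilter()
    stateful = StatefulGateway(table_size, idle_timeout)
    now = 0.0
    n = 0
    for s in range(seconds):
        for i in range(attack_pps):
            now = s + i / attack_pps
            src = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"  # spoofed
            n += 1
            pkt = Packet(src=src, dst="192.0.2.80", dport=80)
            stateless.handle(pkt)
            stateful.handle(pkt, now)
    flood_drops = stateful.dropped_table_full
    legit = Packet(src="198.51.100.7", dst="192.0.2.53", dport=53)  # constructed
    return {
        "link_utilisation": attack_pps * Packet.size * 8 / link_bps,
        "stateless_passes_dns": stateless.handle(legit),
        "stateful_passes_dns": stateful.handle(legit, now),
        "stateful_table_full_drops": flood_drops,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

With the assumed numbers the flood occupies under 5% of a 100 Mbit/s link, yet once the 50,000-entry table is full every new flow, including the DNS query to a different host, is refused by the stateful gateway while the stateless filter still passes it. The model deliberately ignores SYN cookies, per-source limits and aggressive ageing, which are the usual mitigations; it only shows why table capacity, not bandwidth, is the resource being attacked.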