Dobbins, Roland wrote:
Firewalls do have their place in DDoS mitigation scenarios, but if used as
the "ultimate" solution you're asking for trouble.
In my experience, their role is to fall over and die, without
exception.
That hasn't been my experience but then I'm not selling anything that
might have a lower ROI than firewalls, in small to mid-sized
installations.
I can't imagine what possible use a stateful firewall has being
placed in front of servers under normal conditions, much less
during a DDoS attack; it just doesn't make sense.
Firewalls are not designed to mitigate large scale DDoS, unlike Arbors,
but they do a damn good job of mitigating small scale attacks of all
kinds including DDoS. Firewalls actually do a better job for small to
medium sites whereas you need an Arbor-like solution for large scale
server farms.
Firewalls do a good job of protecting servers, when properly configured,
because they are designed exclusively for the task. Their CAM tables,
realtime ASICs and low latencies are very much unlike the CPU-driven,
interrupt-bound hardware and kernel-locking, multi-tasking software on a
typical web server. IME it is a rare firewall that doesn't fail long,
long after (that's after, not before) the hosts behind them would have
otherwise gone belly-up.
Rebooting a hosed firewall is also considerably easier than repairing
corrupt database tables, cleaning full log partitions, identifying
zombie processes, and closing their open file handles.
Perhaps a rhetorical question but, does systems administration or
operations staff agree with netop's assertion they 'don't need no
stinking firewall'?
Roger Marquis
