Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Adrian Minta
Ge Moua wrote: The worst thing you can do is put a stateful firewall in front of a busy DNS server - every single packet creating new state will bring most hardware-based firewalls to their knees, because session churn is usually handled at much lower packet rate as pure packet throughput for

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Joe Shen
Well, the point of a well-maintained server is that it is *open* to the world - if you want a web server to be visible by the world, then there isn't much you can do, besides open HTTP to it.  And other services should not be running in the first place. Agree. Focusing server resource on

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Scott Granados
Doering g...@greenie.muc.de Cc: Cisco-nsp cisco-nsp@puck.nether.net Sent: Monday, October 12, 2009 7:46 AM Subject: Re: [c-nsp] ASA Firewalls placement in the network! Well, the point of a well-maintained server is that it is *open* to the world - if you want a web server to be visible

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Ge Moua
yes, but the whole point of public NTP services is to allow any IPv4 to do NTP sync. Regards, Ge Moua | Email: moua0...@umn.edu Network Design Engineer University of Minnesota | Networking Telecommunications Services Adrian Minta wrote: Ge Moua wrote: The worst thing you can do is put a

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-12 Thread Ge Moua
Joel M Snyder - If you do the job right, from a security point of view, you can certainly put a fine firewall in front of a very busy DNS server. (and when I say very busy I'm talking 10K queries a second, which is to say about 20Mbit/second sustained round-the-clock load, for less than

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-11 Thread Gert Doering
Hi, On Fri, Oct 09, 2009 at 10:06:49PM -0500, Brian Johnson wrote: So are you actually saying that DPI is a bad thing relative to server protection? What makes this a bad idea? In what way does it make them more vulnerable to attacks? Well, the point of a well-maintained server is that it is

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-11 Thread Ge Moua
The worst thing you can do is put a stateful firewall in front of a busy DNS server - every single packet creating new state will bring most hardware-based firewalls to their knees, because session churn is usually handled at much lower packet rate as pure packet throughput for existing state...

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-11 Thread Brian Johnson
-Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roland Dobbins Sent: Saturday, October 10, 2009 3:50 AM To: Cisco-nsp Subject: Re: [c-nsp] ASA Firewalls placement in the network! On Oct 10, 2009, at 10:06 AM

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-11 Thread Mark Tinka
On Monday 12 October 2009 01:00:29 am Gert Doering wrote: So, if you put a firewall in front of a well-maintained server, all you add is extra state table handling with all the problems it brings - state table overflow (=new connections getting dropped), state getting desynchronized with the

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-10 Thread Roland Dobbins
On Oct 10, 2009, at 10:06 AM, Brian Johnson wrote: So are you actually saying that DPI is a bad thing relative to server protection? What makes this a bad idea? In what way does it make them more vulnerable to attacks? DPI firewalls. My experience with crafted packet attacks (being

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-10 Thread Roland Dobbins
On Oct 10, 2009, at 3:17 AM, nick hatch wrote: Are you saying that Arbor networks is misguided about their server protection devices, Roland? My position on this subject, based on hands-on operational experience, was the same when I worked for the world's largest vendor of stateful

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-10 Thread Roland Dobbins
On Oct 10, 2009, at 4:05 PM, Roland Dobbins wrote: nor indeed any sort of policy-enforcement device at all This should read ' . . . any sort of server-oriented policy-enforcement device at all . . .', apologies for the typo.

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-09 Thread nick hatch
On Thu, Oct 8, 2009 at 10:05 PM, Roland Dobbins rdobb...@arbor.net wrote: On Oct 9, 2009, at 11:39 AM, zafar ullah wrote: What you guys suggest, which is best approach for robust scalable secure network? Firewalls have no place in front of servers at all. They add no security value at

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-09 Thread Brian Johnson
-Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roland Dobbins Sent: Friday, October 09, 2009 12:06 AM To: Cisco-nsp Subject: Re: [c-nsp] ASA Firewalls placement in the network! On Oct 9, 2009, at 11:39 AM

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-09 Thread Joe Shen
That is unless you're talking about an Arbor Peakflow SP Threat Management System, right? I hear it's a fully integrated component [... which] conducts surgical mitigation of network and service-layer attacks that threaten your Internet Data Center. This glossy website in front of me also

Re: [c-nsp] ASA Firewalls placement in the network!

2009-10-08 Thread Roland Dobbins
On Oct 9, 2009, at 11:39 AM, zafar ullah wrote: What you guys suggest, which is best approach for robust scalable secure network? Firewalls have no place in front of servers at all. They add no security value at all, and make the servers behind them vastly more vulnerable to DDoS, as