Re: I don't need no stinking firewall!

2010-01-14 Thread Randy Bush
Replace all the routers on the Internet with stateful firewalls. What happens? the same thing that happened with flow-cached routers, they melt, you go out of business, the end.^ a bunch of us LOAO, ^

Re: I don't need no stinking firewall!

2010-01-14 Thread Joe Maimon
Dobbins, Roland wrote: On Jan 10, 2010, at 1:22 PM, harbor235 wrote: Again, a firewall has its place just like any other device in the network, defense in depth is a prudent philosophy to reduce the chances of compromise, it does not eliminate it nor does any architecture you can think

Re: I don't need no stinking firewall!

2010-01-14 Thread Bill Stewart
On Wed, Jan 13, 2010 at 9:37 PM, Warren Kumari war...@kumari.net wrote: I can now place a checkbox in the "Is there a firewall?" column of the <insert random acronym here> audit. In most cases, you can check the same box if you use an appropriately designed stateless firewall instead of an

RE: I don't need no stinking firewall!

2010-01-13 Thread Brian Johnson
-Original Message- From: Bruce Curtis [mailto:bruce.cur...@ndsu.edu] Sent: Tuesday, January 12, 2010 5:14 PM To: NANOG list Subject: Re: I don't need no stinking firewall! SNIP IMO you're better off making sure only the services you intend to provide are listening

Re: I don't need no stinking firewall!

2010-01-13 Thread Tim Durack
Lots of interesting technical information in this thread. Mixed with a healthy dose of religion/politics :-) I suspect that most people are going to keep doing what they are doing. In our environment, at the transport level, we have moved from stateful towards stateless, as it has proved to be

Re: I don't need no stinking firewall!

2010-01-13 Thread Joel Jaeggli
Tim Durack wrote: Replace all the routers on the Internet with stateful firewalls. What happens? the same thing that happened with flow-cached routers, they melt, you go out of business, the end.

Re: I don't need no stinking firewall!

2010-01-13 Thread Warren Kumari
On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote: On Jan 10, 2010, at 1:22 PM, harbor235 wrote: Again, a firewall has its place just like any other device in the network, defense in depth is a prudent philosophy to reduce the chances of compromise, it does not eliminate it nor does

Re: I don't need no stinking firewall!

2010-01-13 Thread Dobbins, Roland
On Jan 14, 2010, at 12:37 PM, Warren Kumari wrote: I can now place a checkbox in the "Is there a firewall?" column of the <insert random acronym here> audit. mod_security is your friend. ; --- Roland Dobbins rdobb...@arbor.net

Re: I don't need no stinking firewall!

2010-01-12 Thread Bruce Curtis
On Jan 6, 2010, at 3:56 PM, Brian Johnson wrote: -Original Message- From: Brian Keefer [mailto:ch...@smtps.net] Sent: Wednesday, January 06, 2010 3:12 PM To: Brian Johnson Cc: NANOG list Subject: Re: I don't need no stinking firewall! SNIP SNIP IMO you're better off making

Re: I don't need no stinking firewall!

2010-01-11 Thread Henry Yen
On Thu, Jan 07, 2010 at 22:55:25PM -0800, Jay Hennigan wrote: Nenad Andric wrote: On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan j...@west.net wrote: Or better: - Allow from anywhere port 80 to server port 1023 established Adding established brings us back to stateful

Re: I don't need no stinking firewall!

2010-01-10 Thread James Hess
On Fri, Jan 8, 2010 at 10:48 AM, Joe Greco jgr...@ns.sol.net wrote: Putting a stateful firewall in front of that would be dumb; the server is completely capable of coping with the superfluous SYN's in a much more competent manner than the firewall. The trouble with blanket statements about all

Re: I don't need no stinking firewall!

2010-01-10 Thread Dobbins, Roland
On Jan 10, 2010, at 3:48 PM, James Hess wrote: Firewalls do not need to build a state entry for partial TCP sessions, there are a few different things that can be done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating connection with the server

Re: I don't need no stinking firewall!

2010-01-10 Thread William Herrin
On Sun, Jan 10, 2010 at 3:48 AM, James Hess mysi...@gmail.com wrote: there are a few different things that can be done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating connection with the server after the final ACK. James, That's called a proxy

Re: I don't need no stinking firewall!

2010-01-10 Thread William Herrin
On Sun, Jan 10, 2010 at 12:47 PM, William Herrin b...@herrin.us wrote: Even if it does send an RST, most application developers aren't well enough versed in sockets programming to block on the shutdown and check the success status, Sorry, I got that wrong. shutdown() will succeed without

Re: I don't need no stinking firewall!

2010-01-10 Thread Joe Greco
On Fri, Jan 8, 2010 at 10:48 AM, Joe Greco jgr...@ns.sol.net wrote: Putting a stateful firewall in front of that would be dumb; the server is completely capable of coping with the superfluous SYN's in a much more competent manner than the firewall. The trouble with blanket statements

Re: I don't need no stinking firewall!

2010-01-10 Thread James Hess
On Sun, Jan 10, 2010 at 11:47 AM, William Herrin b...@herrin.us wrote: On Sun, Jan 10, 2010 at 3:48 AM, James Hess mysi...@gmail.com wrote: there are a few different things that can be done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating

Re: I don't need no stinking firewall!

2010-01-10 Thread Dobbins, Roland
On Jan 11, 2010, at 4:55 AM, James Hess wrote: I don't agree with You never need a proxy in front of a server, it's only there to fail. Again, reverse proxy *caches* are extremely useful in front of Web farms. Pure proxying makes no sense.

Re: I don't need no stinking firewall!

2010-01-10 Thread Michael K. Smith
On 1/9/10 10:32 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Jan 10, 2010, at 1:22 PM, harbor235 wrote: Again, a firewall has its place just like any other device in the network, defense in depth is a prudent philosophy to reduce the chances of compromise, it does not eliminate

RE: I don't need no stinking firewall!

2010-01-10 Thread George Bonser
I certainly understand and agree with your position, in most cases, but there are some instances when a firewall serves an excellent purpose. As an example, we manage hundreds of heterogeneous servers where customers also have administrative access to the devices. As such, we can never be

Re: I don't need no stinking firewall!

2010-01-10 Thread Randy Bush
And I don't believe anyone is necessarily advocating exposing individual servers directly to the internet either. some of us do that takes all kinds :) randy

Re: I don't need no stinking firewall!

2010-01-10 Thread Brian Keefer
On Jan 10, 2010, at 5:40 PM, George Bonser wrote: And I don't believe anyone is necessarily advocating exposing individual servers directly to the internet either. Actually, some of us are. There are other devices that can handle isolation of the servers and protect them against such

RE: I don't need no stinking firewall!

2010-01-10 Thread George Bonser
And I don't believe anyone is necessarily advocating exposing individual servers directly to the internet either. Actually, some of us are. That can be difficult to do when you have maybe 300 or 400 servers that handle one service. Let's say you have a site called www.foobar.com and you

Re: I don't need no stinking firewall!

2010-01-10 Thread Dobbins, Roland
On Jan 11, 2010, at 12:56 PM, George Bonser wrote: One would probably have a load balancer of some sort in front of those machines. That is the device that would be fielding any DoS. Yes, and as you've noted previously, it should be protected via stateless ACLs in hardware capable of

RE: I don't need no stinking firewall!

2010-01-10 Thread George Bonser
I believe that these comments were more along the lines of 'servers can better handle this that stateful firewalls', not ruling out the use of load-balancers, reverse-proxy caches, etc. as appropriate. --- Roland Dobbins

Re: I don't need no stinking firewall!

2010-01-09 Thread harbor235
I think we are overlooking what an enterprise class firewall accomplishes from a security perspective and what a firewall's function is in the overall security posture of a network. First, stateful inspection by itself is not the only security feature of a firewall, it is one security feature of

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 5:51 AM, harbor235 wrote: Other security features in an Enterprise Class firewall; -Inside source based NAT, reinforces secure traffic flow by allowing outside to inside flows based on configured translations and allowed security policies Terrible from an

Re: I don't need no stinking firewall!

2010-01-09 Thread harbor235
Other security features in an Enterprise Class firewall; -Inside source based NAT, reinforces secure traffic flow by allowing outside to inside flows based on configured translations and allowed security policies Terrible from an availability perspective, troubleshooting perspective,

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:22 PM, harbor235 wrote: Again, a firewall has its place just like any other device in the network, defense in depth is a prudent philosophy to reduce the chances of compromise, it does not eliminate it nor does any architecture you can think of, period What a

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:32 PM, Dobbins, Roland wrote: One can spout all the buzzwords and catchphrases one wishes, but at the end of the day, it's all dead wrong - and anyone naive enough to fall for it is setting himself up for a world of hurt. mike harbor...@gmail.com, You deserve a

Re: I don't need no stinking firewall!

2010-01-08 Thread Arie Vayner
don't need no stinking firewall! On Jan 6, 2010, at 11:43 AM, George Bonser wrote: Yes, you have to take some of the things that were done in one spot and do them in different locations now, but the results are an amazing increase in service capacity per dollar spent

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 8, 2010, at 3:21 PM, Arie Vayner wrote: Further on, if you want to really protect against a real DDoS you would most likely would have to look at a really distributed solution, where the different geographical load balancing solutions come into play. GSLB or whatever we want to call

Re: I don't need no stinking firewall!

2010-01-08 Thread bill from home
All, This thread certainly has been educational, and has changed my perception of what an appropriate outward facing architecture should be. But seldom do I have the luxury of designing this from scratch, and also the networks I administer are small businesses. My question is at what size

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 8, 2010, at 8:22 PM, bill from home wrote: Or as I suspect we are talking about a larger scale? Even an attacker with relatively moderate resources can succeed simply by creating enough well-formed, programmatically-generated traffic to 'crowd out' legitimate traffic.

Re: I don't need no stinking firewall!

2010-01-08 Thread bill from home
Roland, I understand, but at the site we are protecting, at what point is the bottleneck the connection speed, and at what point is the state table the bottle neck. It saves me the following uncomfortable conversation. ME Mr customer, remember that firewall you bought a couple of years ago

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 8, 2010, at 9:02 PM, bill from home wrote: And maybe there is no way to tell, but I feel I need to ask the question. Situationally-dependent; the only way to really tell, not just theorize, is to test the firewall to destruction during a maintenance window (or one like it, in the

RE: I don't need no stinking firewall!

2010-01-08 Thread Joel Snyder
On Thu Jan 07, 2010 at 01:04:01PM -0800, Jay Hennigan j...@west.net wrote: Or better: - Allow from anywhere port 80 to server port 1023 established Adding established brings us back to stateful firewall! Not really. It only looks to see if the ACK or RST bits are set. This is

Re: I don't need no stinking firewall!

2010-01-08 Thread Valdis . Kletnieks
On Fri, 08 Jan 2010 08:22:00 EST, bill from home said: My question is at what size connection does a state table become vulnerable, are we talking 1mb dsl's with a soho firewall? Security - you're doing it wrong. ;) The question you *should* be asking yourself is at what size connection am I

Re: I don't need no stinking firewall!

2010-01-08 Thread Joe Greco
All, This thread certainly has been educational, and has changed my perception of what an appropriate outward facing architecture should be. But seldom do I have the luxury of designing this from scratch, and also the networks I administer are small businesses. My question is at what

Re: I don't need no stinking firewall!

2010-01-08 Thread Joel Jaeggli
bill from home wrote: All, This thread certainly has been educational, and has changed my perception of what an appropriate outward facing architecture should be. But seldom do I have the luxury of designing this from scratch, and also the networks I administer are small businesses. My

Re: I don't need no stinking firewall!

2010-01-08 Thread Joel Jaeggli
Dobbins, Roland wrote: On Jan 8, 2010, at 9:02 PM, bill from home wrote: And maybe there is no way to tell, but I feel I need to ask the question. Situationally-dependent; the only way to really tell, not just theorize, is to test the firewall to destruction during a maintenance window

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 9, 2010, at 7:52 AM, Joel Jaeggli wrote: see my post in the subject, a reasonably complete performance report for the device is a useful place to start. The problem is that one can't trust the stated vendor performance figures, which is why actual testing is required. I've seen

Re: I don't need no stinking firewall!

2010-01-08 Thread Joel Jaeggli
Dobbins, Roland wrote: On Jan 9, 2010, at 7:52 AM, Joel Jaeggli wrote: see my post in the subject, a reasonably complete performance report for the device is a useful place to start. The problem is that one can't trust the stated vendor performance figures, which is why actual testing

Re: I don't need no stinking firewall!

2010-01-07 Thread Jay Hennigan
Nenad Andric wrote: On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan j...@west.net wrote: Or better: - Allow from anywhere port 80 to server port 1023 established Adding established brings us back to stateful firewall! Not really. It only looks to see if the ACK or RST bits

Re: I don't need no stinking firewall!

2010-01-06 Thread William Pitcock
On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote: On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: DDoS attacks are attacks against capacity and/or state. Start reducing DDoS, by its very nature is a type

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 2:47 PM, James Hess wrote: Overflowing the state table then becomes only a possible outcome that has some acceptable level of probability, assuming that your other protections have already failed... Wrong. The attacker just programmatically generates

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 3:03 PM, William Pitcock wrote: So, in fact, all incoming packets should be considered unsolicited until proven otherwise. Concur - it works this way, as well. At one extreme, completely pathological, at the other extreme, perfectly normal - just faux. ; It should be

Re: I don't need no stinking firewall!

2010-01-06 Thread William Waites
On 10-01-05 at 21:29, Dobbins, Roland wrote: Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 5:38 PM, William Waites wrote: A properly configured firewall will prevent latter. So will stateless ACLs, running in hardware capable of handling mpps. ; --- Roland Dobbins rdobb...@arbor.net //

Re: I don't need no stinking firewall!

2010-01-06 Thread juttazalud
On Wednesday, 06 January 2010 at 13:43, Roland Dobbins wrote: On Jan 6, 2010, at 5:38 PM, William Waites wrote: A properly configured firewall will prevent latter. So will stateless ACLs, running in hardware capable of handling mpps. How do you define firewall? I remember something like a

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 8:25 PM, juttazalud wrote: How do you define firewall? This thread was about stateful firewalls in particular. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is

Re: I don't need no stinking firewall!

2010-01-06 Thread Jared Mauch
On Jan 5, 2010, at 4:24 PM, Robert Brockway wrote: Do you have any evidence to support this assertion? You've just asserted that all firewalls have a specific vulnerability. It isn't even possible to know the complete set of architectures (hardware software) used for firewalls so I

Re: I don't need no stinking firewall!

2010-01-06 Thread Jared Mauch
On Jan 6, 2010, at 3:12 AM, Dobbins, Roland wrote: Wrong. The attacker just programmatically generates semantically-valid traffic which is indistinguishable from real traffic, and crowds out the real traffic. All those fancy timers and counters and what-not don't matter. I've seen

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 8:42 PM, Jared Mauch wrote: The reality is they just have not been attacked yet, and hence have no experience in what to do about the problem... And they've been bombarded with misinformation for years by 'security' vendors, wildly unrealistic certification training

Re: I don't need no stinking firewall!

2010-01-06 Thread Tony Finch
On Tue, 5 Jan 2010, Kevin Oberman wrote: I suspect at least part of this will soon get fixed due to DNSSEC. Blocking tcp/53 and packets over 512 bytes will cause user complaints and, after enough education, the problem will get fixed. Yes. Remember the root zone is due to be signed within the

Re: I don't need no stinking firewall!

2010-01-06 Thread David Hiers
Poking the dragon a bit, aren't you? Fun. If you really look at it, there is no quantitative difference between stateful and non-stateful. A non-stateful firewall can prevent a TCP session from entering the SYN_RECEIVED state by blocking the SYN packet, so it strongly impacts session state

RE: I don't need no stinking firewall!

2010-01-06 Thread Brandon M. Lapointe
-Original Message- From: David Hiers [mailto:hie...@gmail.com] Sent: Wednesday, January 06, 2010 10:50 AM To: Brian Johnson Cc: nanog@nanog.org Subject: Re: I don't need no stinking firewall! Poking the dragon a bit, aren't you? Fun. If you really look at it, there is no quantitative

Re: I don't need no stinking firewall!

2010-01-06 Thread Brian Keefer
On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote: Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work. What do you mean by work? If you mean all three pieces ran for

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
- Brian -Original Message- From: Brian Keefer [mailto:ch...@smtps.net] Sent: Wednesday, January 06, 2010 11:38 AM To: Brian Johnson Cc: NANOG list Subject: Re: I don't need no stinking firewall! On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote: Like Roland, I've been

Re: I don't need no stinking firewall!

2010-01-06 Thread Valdis . Kletnieks
On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: Everyone needs to listen to Roland's mantra: stateless ACLs in hardware that can handle Mpps. It's more than just a hint. I suspect that more than a few need to be reminded that stateless ACLs in switch hardware is just another name for

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
-Original Message- From: Brian Keefer [mailto:ch...@smtps.net] Sent: Wednesday, January 06, 2010 3:12 PM To: Brian Johnson Cc: NANOG list Subject: Re: I don't need no stinking firewall! SNIP It's quite possible to flood the state table on a device with a fraction of the pipe's

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
-Original Message- From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] Sent: Wednesday, January 06, 2010 3:46 PM To: nanog@nanog.org Subject: Re: I don't need no stinking firewall! On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: Everyone needs to listen

RE: I don't need no stinking firewall!

2010-01-06 Thread gb10hkzo-nanog
Don't think anyone has mentioned this yet, so I will. All this debate over the pros and cons of firewalls brings the words Jericho Forum to mind, and their principles for de-perimeterization (perimeter erosion) http://www.opengroup.org/jericho/ Just my 2<insert_currency> worth!

I don't need no stinking firewall!

2010-01-05 Thread Brian Johnson
Security Gurus, et al, I have my own idea of what a firewall is and what it does. I also understand what stateful packet inspection is and what it does. Given this information, and not prejudging any responses, exactly what is a firewall for and when is stateful inspection useful? Please

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 3:16 AM, Brian Johnson wrote: Given this information, and not prejudging any responses, exactly what is a firewall for and when is stateful inspection useful? In the most basic terms, a stateful firewall performs bidirectional classification of communications between

Re: I don't need no stinking firewall!

2010-01-05 Thread Tony Finch
On Tue, 5 Jan 2010, Brian Johnson wrote: Given this information, and not prejudging any responses, exactly what is a firewall for and when is stateful inspection useful? Stateful inspection is useful for breaking things in subtle and hard-to-debug ways. http://fanf.livejournal.com/102206.html

Re: I don't need no stinking firewall!

2010-01-05 Thread Brielle Bruns
On 1/5/10 1:29 PM, Dobbins, Roland wrote: Putting firewalls in front of servers is a Really Bad Idea - besides the fact that the stateful inspection premise doesn't apply (see above), rendering the stateful firewall superfluous, even the biggest, baddest firewalls out there can be easily taken

Re: I don't need no stinking firewall!

2010-01-05 Thread Peter Hicks
Tony Finch wrote: Stateful inspection is useful for breaking things in subtle and hard-to-debug ways. http://fanf.livejournal.com/102206.html http://fanf.livejournal.com/95831.html Is that really stateful inspection? Isn't the SMTP fixup on a PIX an application-level gateway? I

Re: I don't need no stinking firewall!

2010-01-05 Thread Jay Hennigan
Simon Lockhart wrote: Generally, I just use stateless ACLs when I need additional network level security. However, they do have one big disadvantage. Say you've got a server where you want to allow outbound HTTP access to anywhere on the Internet, but only SSH inbound from your home DSL. To do

Re: I don't need no stinking firewall!

2010-01-05 Thread Brielle Bruns
On 1/5/10 2:01 PM, Peter Hicks wrote: Tony Finch wrote: Stateful inspection is useful for breaking things in subtle and hard-to-debug ways. http://fanf.livejournal.com/102206.html http://fanf.livejournal.com/95831.html Is that really stateful inspection? Isn't the SMTP fixup on a PIX an

Re: I don't need no stinking firewall!

2010-01-05 Thread Simon Lockhart
On Tue Jan 05, 2010 at 01:58:52PM -0700, Brielle Bruns wrote: It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world? I have an answer to that

Re: I don't need no stinking firewall!

2010-01-05 Thread Mark Foster
Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the

Re: I don't need no stinking firewall!

2010-01-05 Thread Tony Finch
On Tue, 5 Jan 2010, Peter Hicks wrote: Is that really stateful inspection? Isn't the SMTP fixup on a PIX an application-level gateway? Well, the bug I described is caused by it not being stateful enough. I *thought* most of the world turns SMTP fixup off because it's naff. Exactly my point

Re: I don't need no stinking firewall!

2010-01-05 Thread Brielle Bruns
On 1/5/10 2:06 PM, Simon Lockhart wrote: I have an answer to that problem, but not everyone would agree with it [1]. One of my biggest beefs with some people is that they'll stand there with their fingers in their ears yelling LA LA LA if you point out to them that not every person in the

Re: I don't need no stinking firewall!

2010-01-05 Thread Jared Mauch
On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote: It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world? Some people think that exposing any

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 3:58 AM, Brielle Bruns wrote: It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world? Nope - I use stateless ACLs in hardware,

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 4:07 AM, Mark Foster wrote: I'm interested by this assertion; surely Stateful Inspection is meant to facilitate the blocking of out-of-sequence packets, ones which aren't part of valid + recognised existing sessions - whilst of course allowing valid SYN

Re: I don't need no stinking firewall!

2010-01-05 Thread William Herrin
On Tue, Jan 5, 2010 at 3:16 PM, Brian Johnson bjohn...@drtel.com wrote: I have my own idea of what a firewall is and what it does. I also understand what stateful packet inspection is and what it does. Given this information, and not prejudging any responses, exactly what is a firewall for

Re: I don't need no stinking firewall!

2010-01-05 Thread Henry Yen
On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote: Jason Shearer wrote: Doesn't using the established allow any packet with ACK/RST set Yes, as would be expected for legitimate return traffic for a TCP connection initiated from a browser inside the firewall. and wouldn't

Re: I don't need no stinking firewall!

2010-01-05 Thread Fred Baker
The primary value of a firewall is two-fold: - It enables a network administrator to define his edge, the interior of which he is responsible for. - It enables a network administrator to isolate his network from externally-originated traffic per his whims and viewpoints. IMHO, it is not

Re: I don't need no stinking firewall!

2010-01-05 Thread Sean Donelan
On Tue, 5 Jan 2010, Fred Baker wrote: The primary value of a firewall is two-fold: - It enables a network administrator to define his edge, the interior of which he is responsible for. - It enables a network administrator to isolate his network from externally-originated traffic per his whims

Re: I don't need no stinking firewall!

2010-01-05 Thread Kenny Sallee
On Tue, Jan 5, 2010 at 12:16 PM, Brian Johnson bjohn...@drtel.com wrote: Security Gurus, et al, I have my own idea of what a firewall is and what it does. I also understand what stateful packet inspection is and what it does. Given this information, and not prejudging any responses, exactly

Re: I don't need no stinking firewall!

2010-01-05 Thread Mark Smith
On Tue, 5 Jan 2010 14:16:58 -0600 Brian Johnson bjohn...@drtel.com wrote: Security Gurus, et al, I have my own idea of what a firewall is and what it does. I also understand what stateful packet inspection is and what it does. Given this information, and not prejudging any responses,

Re: I don't need no stinking firewall!

2010-01-05 Thread Mark Smith
On Tue, 5 Jan 2010 20:51:47 + Tony Finch d...@dotat.at wrote: On Tue, 5 Jan 2010, Brian Johnson wrote: Given this information, and not prejudging any responses, exactly what is a firewall for and when is stateful inspection useful? Stateful inspection is useful for breaking things

Re: I don't need no stinking firewall!

2010-01-05 Thread Kevin Oberman
From: Jared Mauch ja...@puck.nether.net Date: Tue, 5 Jan 2010 16:20:56 -0500 On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote: It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server

Re: I don't need no stinking firewall!

2010-01-05 Thread Rich Kulawiec
A firewall is another layer in a defense-in-depth strategy, but tends to only be truly effective if the first rule in it is deny all from any to any which of course does not happen much of the time in the real world, with predictable results. Moreover, stateful packet inspection is not

Re: I don't need no stinking firewall!

2010-01-05 Thread Robert Brockway
On Tue, 5 Jan 2010, Dobbins, Roland wrote: In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and makes a pass/fail determination on each packet based on a) whether or not a bidirectional communications session is already open

Re: I don't need no stinking firewall!

2010-01-05 Thread Jorge Amodio
- A firewall is a partition structure that normally consists of two side walls with a fire retardant material between them. - A firewall does not prevent a fire. - A firewall does not extinguish a fire. - A firewall only delays the propagation of a fire event to the other side. - The

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 4:24 AM, Robert Brockway wrote: Hi Roland. I disagree strongly with this position. You can disagree all you want, but it's still borne out by real-world operational experience. ; The problem is that your premise is wrong. Just what about my premise is wrong? Nothing

Re: I don't need no stinking firewall!

2010-01-05 Thread William Pitcock
On Tue, 2010-01-05 at 16:24 -0500, Robert Brockway wrote: On Tue, 5 Jan 2010, Dobbins, Roland wrote: In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and makes a pass/fail determination on each packet based on a) whether

Re: I don't need no stinking firewall!

2010-01-05 Thread Ryan Brooks
On 1/5/10 3:24 PM, Robert Brockway wrote: On Tue, 5 Jan 2010, Dobbins, Roland wrote: The problem is that your premise is wrong. Stateful firewalls (hereafter just called firewalls) offer several advantages. This list is not necessarily exhaustive. Great advantages list, but where's the

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: However, the well managed part seems to be a sticking point for most organizations I've seen. No doubt, shops that use this effectively have some sort of homebrew or commercial firewall management platform that lets you place policy in

Re: I don't need no stinking firewall!

2010-01-05 Thread William Herrin
On Tue, Jan 5, 2010 at 9:20 PM, Rich Kulawiec r...@gsp.org wrote: A firewall is another layer in a defense-in-depth strategy, but tends to only be truly effective if the first rule in it is deny all from any to any Not surprisingly, good network security starts with and incorporates

RE: I don't need no stinking firewall!

2010-01-05 Thread George Bonser
See above; in front of the server, there's no state to track in the first place, heh. Fish, meet bicycle. I think that is the part that some people aren't getting. You have a network just sitting there. A syn packet arrives for port 80 to an http server. You ARE going to allow it because

Re: I don't need no stinking firewall!

2010-01-05 Thread James Hess
On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: DDoS attacks are attacks against capacity and/or state. Start reducing DDoS, by its very nature is a type of attack that dances around common security measures like