On Fri, Apr 18, 2014 at 6:53 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Apr 19, 2014, at 1:20 AM, William Herrin <bill@herrin.us> wrote:
There isn't much a firewall can do to break it.
As someone who sees firewalls break the Internet all the time for those whose packets have the misfortune to traverse one, I must respectfully disagree.
;>
Yep. I have seen many more security / availability events caused by a firewall tipping over than anything else. Firewalls tend to be put in as single points of failure so that there is one point of inspection / policy enforcement. And HA pairs are generally a joke.

Two failure modes I have seen: a firewall ALG saw a SIP packet option that it did not like, so it reloaded itself. In the process, it reflected the session state, with the fatal information in it, to its HA mate, which immediately failed. Same story with SYN floods: too many sessions coming in, the FW cannot keep up with figuring out what is good and what is bad... Kablamoo. The firewall is the weakest link in the chain.

Oh, and then there is this... where the firewall, which is the one point of security control, is in fact an open tap to your entire network: http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-...

But it leads to clever things like this, where home routers get hijacked as proxies... for whatever... http://danmcinerney.org/how-to-exploit-home-routers-for-anonymity/

I think stateful network-based firewalls are more harm than good, and I would like hosts and applications to be the ultimate front line of defense. To each their own. Just a data point.

Enjoy
CB
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton