On 04/22/2014 12:18 PM, Christopher Morrow wrote:
> Roland's saying basically:
> 1) if you deploy something on 'the internet' you should secure that something
> 2) the securing of that 'thing' should NOT be placing a stateful device between your users and the 'thing'.
>
> In a simple case of: "Put a web server on the internet"
>
> Roland's advice breaks down to:
> 1) deploy server
> 2) put acl on upstream router like:
>    permit tcp any any eq 80
>    deny ip any any
> 3) profit
>
> The router + acl will process line-rate traffic without care.
A key part of this overall strategy is also "Harden the system to run only those services it needs to do its job." And the above implies that things like ssh (i.e., management services) should be ACL'ed to only allow access from inside .... etc. But otherwise, yes; and yes, this strategy is very successful. It removes the stateful firewall as the SPOF.

Doug
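The stateless edge ACL the thread describes, written out as an added example in Cisco IOS syntax (this is not configuration posted by Chris, Roland or Doug). The addresses are assumed: 198.51.100.10 stands in for the web server, the ACL is applied inbound on the upstream-facing interface, and the interface name is a placeholder. Because management traffic from inside never crosses the upstream interface, ssh from the internet is covered by the final deny without any extra entry.

```cisco
! Added example, not from the thread. Assumed addressing:
!   198.51.100.10      = the public web server
!   GigabitEthernet0/0 = interface facing the upstream provider (placeholder)
!
ip access-list extended WEB-EDGE-IN
 ! Non-initial fragments carry no TCP header; without this entry the
 ! "eq 80" permit below would let them through on the L3 match alone.
 deny   ip  any host 198.51.100.10 fragments
 ! The only service the host offers to the internet.
 permit tcp any host 198.51.100.10 eq 80
 ! Everything else, including ssh and any service the host was not
 ! hardened to expose, never reaches the server. No state is kept, so
 ! the router forwards at line rate regardless of connection count.
 deny   ip  any any
!
interface GigabitEthernet0/0
 description upstream
 ip access-group WEB-EDGE-IN in
```

Two caveats when copying this pattern: adding `log` to the final deny pushes matching packets to the router CPU on most platforms, so if you want visibility into what is being dropped, rate-limit it with `ip access-list logging interval` or export flow records instead; and if the server must open connections outbound (DNS, package updates), their replies arrive inbound on the same interface and need a `permit tcp any host 198.51.100.10 established` entry, with the understanding that `established` only checks ACK/RST flags and is not a substitute for the host's own hardening.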