On Mon, Jan 4, 2010 at 9:18 PM, jim deleskie <deleskie@gmail.com> wrote:
What Roland said, I've seen people do this, no rules in place, still was able to kill the box (firewall) with a single CPU server.
not to pile on, but... +1 to roland here as well. I've seen more than enough folks put in a 'firewall' in front of their 'server' (say a mail server) and then watch that die long before the rest of the system did. Now, if you have equipment capable today of doing a few million session creates/second and you feel comfortable that you can keep track of how attacks grow vs your capacity stays the same and move ahead of the curve well enough, then... by all means do as you want :) There's a cost analysis which Roland sidestepped here as well, state-tracking at the rates required is expensive, as compared to relatively simple acls in hardware with no state on the upstream router. Spend where it matters, and make sure you understand where the failure points are that you place into your network. -chris
-jim
On Mon, Jan 4, 2010 at 10:04 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Jan 5, 2010, at 4:25 AM, Jeffrey Lyon wrote:
Use a robust firewall such as a Netscreen in front of your mitigation tool.
Absolutely not - the firewall will fall over due to state-table exhaustion before the mitigation system will. Firewalls (which have no place in front of servers in the first place), load-balancers, and any other stateful devices should be southbound of the mitigation system.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken