On 19 Apr 2014, at 20:08, George William Herbert <george.herbert@gmail.com> wrote:
On Apr 18, 2014, at 9:10 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful firewalls in front of them,
I don't know where you find ideas like this.
From real world.
There are stateful firewalls in the security packages in front of all the internet facing servers in all the major service providers I've worked at. Not *just* stateful firewalls, but they're in there.
There’s no sense in putting stateful firewall in front of DNS server, unless the DNS server is underperforming, and then it should be exchanged and not protected by stateful firewall. You can try to protect mail/WWW servers with stateful firewalls, but it often achieves nothing but makes the firewalls weakest link in the setup. And tuning it to perform reasonably well in normal and peak traffic is usually not achievable. In case of DDoS attack, the stateful firewall goes out first. I’ve seen them burn too. To protect high-performance services, you do stateless filtering + NetFlow based QoS policies, or shunt to dedicated DDoS filtering boxes. Adding state where it’s not needed, is sign of bad design. And just because a lot of people do that, doesn’t make it any better. -- "There's no sense in being precise when | Łukasz Bromirski you don't know what you're talking | jid:lbromirski@jabber.org about." John von Neumann | http://lukasz.bromirski.net