- Brian
-----Original Message-----
From: Brian Keefer [mailto:chort@smtps.net]
Sent: Wednesday, January 06, 2010 11:38 AM
To: Brian Johnson
Cc: NANOG list
Subject: Re: I don't need no stinking firewall!
On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:
Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work.
What do you mean by "work"? If you mean "all three pieces ran for years without being seriously attacked", then that's really not the same thing as "continued to perform assigned duties effectively in the face of a determined DDoS".
By work I mean that it held up under DDoS attack. The size of a DDoS attack is the question. If I have enough resources, a person can DDoS an entire network, regardless of its equipment, and that will make the network unusable and unreachable. Stateful firewall or not. They simply need to fill up the inbound connection with traffic so that nothing else gets through. If your point is that, given unlimited inbound bandwidth, a stateful firewall will fail (not work correctly), I can say that about any piece of equipment. And even if it does fail, does it matter if your connection is full of useless traffic? DDoS attacks are not designed to compromise or gather data about networks. DDoS is the sledgehammer of the dubious to cause disruption. It doesn't matter what you put in there (stateful firewall, IDS, IPS, router ACLs, et al.), if the connection is flooded, the network will be unreachable. Does it matter if the equipment can't handle it if no good traffic, that would need to be statefully inspected, is traversing the connection?

- Brian