I will not argue the more complete statement about the architectural premise that stateful firewalls are being produced under. That would be fruitless and I would concede to Roland and his statements on that. It appears that the real argument is whether stateful inspection is useful, and whether the firewall causes other issues to the network design. If this is so, then I would say that it depends on the network and its design as to whether a stateful firewall is useful. One could put ACLs in routers and switches, but when you break it down and turn off stateful inspection, that is what a firewall is. As always, you should always consider your network design before implementing any network appliance that will/may affect traffic.

I don't think that discarding ideas like signature-based analysis and DPI is wise. Depending on the network, the staff running the network, the users using the network, external exposure and many other metrics, I don't think that anyone should be making broad statements on equipment decisions.

I'm glad that I can go to lists like NANOG with this type of question and not get the clue bat across the head. Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work. This thread is a tribute to different ideas and beliefs as well as experience on this topic. Please keep up the conversation and down the condescension and rhetoric.

Thank you.

- Brian
-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Wednesday, January 06, 2010 7:52 AM
To: NANOG list
Subject: Re: I don't need no stinking firewall!
On Jan 6, 2010, at 8:42 PM, Jared Mauch wrote:
> The reality is they just have not been attacked yet, and hence have no experience in what to do about the problem...
And they've been bombarded with misinformation for years by 'security' vendors, wildly unrealistic certification training courses, and the 'compliance' mafia; you're right, of course.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken