On Wed, Apr 08, 2009 at 08:32:02AM +1000, Karl Auer wrote:
> On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> > It seems there is a trend towards moving host protection on to the hosts themselves, onto or closer to the resource or entity being protected. It's basically following the cliche, "If you want something to be done properly, you need to do it yourself."
>
> And IPv6 tends to push security back onto hosts, too.
>
> > If you move to the host-based firewalling model, plain packet filtering ACLs at the perimeter would be quite an adequate form of a first level of defence, while also avoiding the performance overhead of (or resources required to perform) stateful tracking of large amounts of traffic.
>
> And a combination of the two - if you *are* performing more complex checks deeper inside the network, packet filtering can reduce the load that actually reaches those inner check points.

Which would address my concern of just passing along the [D]DOS to the host. Mitigating attacks at the border and letting the hosts allow what they specifically need is a good model.

> I'd be interested to hear why people use firewalls. I've never felt the need, myself - am I living in a fool's paradise?
By your email I'll assume you've never had to deal with HIPAA[1] or SOx[2]. That aside, I see value in using a stateful FW that does packet inspection to validate that the type of traffic over a certain port should really be there.

-r

[1] http://en.wikipedia.org/wiki/HIPPA
[2] http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
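The split the thread describes, a stateless packet-filtering ACL at the perimeter in front of a stateful firewall on the host, as an added illustration that is not part of this thread: a small Python simulation with a constructed web host (10.0.0.10 listening on 80/443), constructed peers and a constructed ACL policy, showing what each layer can and cannot decide on its own.

```python
from collections import namedtuple

# Minimal TCP header view: (src, sport, dst, dport, syn, ack); syn/ack default to False
Packet = namedtuple("Packet", "src sport dst dport syn ack", defaults=(False, False))

# Perimeter: a stateless ACL with no connection table. Constructed policy: permit
# inbound SYNs only to the web server's services, plus anything with ACK set (the
# classic stateless "established" match, which cannot tell a reply from a forged ACK).
PERIMETER_ALLOW = {("10.0.0.10", 80), ("10.0.0.10", 443)}

def perimeter_acl(pkt):
    if pkt.ack:
        return "permit"
    if pkt.syn and (pkt.dst, pkt.dport) in PERIMETER_ALLOW:
        return "permit"
    return "deny"

class HostFirewall:
    """Stateful host firewall: only the host knows which flows it opened."""
    def __init__(self, listen_ports):
        self.listen = set(listen_ports)
        self.conns = set()  # (remote_ip, remote_port, local_ip, local_port)

    def outbound(self, pkt):
        if pkt.syn and not pkt.ack:  # host opens a new flow; remember it
            self.conns.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            return "accept"  # reply to a flow this host opened
        if pkt.syn and not pkt.ack and pkt.dport in self.listen:
            self.conns.add(key)
            return "accept"  # new connection to a service the host offers
        return "drop"        # everything else, including forged ACK-only packets

def filter_inbound(host, pkt):
    """Perimeter ACL first; the host's stateful check only sees what gets through."""
    if perimeter_acl(pkt) == "deny":
        return ("deny", "not reached")
    return ("permit", host.inbound(pkt))

def run_scenario():
    """Constructed traffic against a web host 10.0.0.10 listening on 80/443."""
    host, web = HostFirewall([80, 443]), "10.0.0.10"
    host.outbound(Packet(web, 40000, "198.51.100.5", 443, syn=True))
    return {
        "syn_to_80":   filter_inbound(host, Packet("203.0.113.9", 5000, web, 80, syn=True)),
        "syn_to_22":   filter_inbound(host, Packet("203.0.113.9", 5001, web, 22, syn=True)),
        "reply_to_us": filter_inbound(host, Packet("198.51.100.5", 443, web, 40000, syn=True, ack=True)),
        "forged_ack":  filter_inbound(host, Packet("203.0.113.9", 5002, web, 5555, ack=True)),
    }
```

The unsolicited SYN to port 22 never costs the host anything, while the ACK-only packet to 5555 shows why the perimeter ACL is only a first level of defence: the host's connection table is what finally drops it.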