On 22 Apr 2014, at 22:49, George Herbert <george.herbert@gmail.com> wrote:
> Any number of enterprises have chosen that if a DDoS or other advanced attack is going to be successful, to let it be successful in bringing down a firewall on the external shell of the security envelope rather than having it penetrate to the server level.
And I don’t think there’s a problem with that approach. The problem starts when those anonymous enterprises “silently” expect that:

a) the firewall will somehow magically defend the network, scrub the “bad” traffic and let good traffic pass (“that’s why we’ve paid for a state-of-the-art firewall, right?!”)

b) the firewall will fail gracefully, taking down all services and making a real hole in the transport, and not jabbing some packets here and there, maybe malformed, maybe parts of different connections crammed into the wrong headers… until reboot; and the reboot may also not be totally transparent, as links will go up, down, init, and so on

c) insert your own horror story here

…and using those assumptions to advocate for stateful firewalls everywhere. If you’re aware of those assumptions, and you’re aware of the constraints we’re facing when actually developing a working edge defence for the network, you’ll anyway be advocating the creation of a funnel - with stateless first lines of defense taking care of all the trash that can come from the internet, and rate-limiting the traffic that seems to be legitimate if it is above certain thresholds. And at that point a stateful firewall may not be needed anymore, because the service itself can scale better.

Nowadays, enterprise networks are picking up best practices from SPs, where scale does matter and networks are built to actually have those characteristics. Anycast DNS is often found in enterprise networks, as well as other anycasted services (usually in the “shared IP” model) - mail, web, AAA and other services. The same goes for actually protecting the internet edge. How often is your network being DDoSed? Be it 300kpps or 5Mpps, how will your stateful firewall at the edge deal with it?

And by the way, when we’re speaking about internet-visible services - how many stateful firewalls defend www.google.com? Or www.amazon.com? Or OpenDNS servers? Or 8.8.8.8/8.8.4.4? I bet none. But I would love to hear from people maintaining them.
-- 
"There's no sense in being precise when you don't know what you're talking about." John von Neumann
Łukasz Bromirski | jid:lbromirski@jabber.org | http://lukasz.bromirski.net
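The funnel argued for above (stateless prefilter and per-source rate limit in front of a stateful firewall with a bounded state table), modelled as an added toy simulation; this is not code from the thread, and the bogon prefixes, service ports, 20-flows-per-second threshold, 100-entry state table and the constructed traffic trace are all assumptions made for the illustration.

```python
from collections import defaultdict

# Assumptions for the toy model: bogon prefixes, advertised ports and thresholds.
BOGON_PREFIXES = ("10.", "127.", "0.")
SERVICE_PORTS = {53, 80, 443}      # the only services advertised on this edge
PER_SOURCE_LIMIT = 20              # new flows per source per 1-second window
STATE_TABLE_CAP = 100              # deliberately small so the overflow is visible
LEGIT_SRC = "198.51.100.7"         # constructed: the one real client in the trace

def stateless_prefilter(pkt):
    """Decide on header fields alone: no per-flow memory, so a flood cannot fill anything."""
    _t, src, _sport, dport, valid = pkt
    return valid and not src.startswith(BOGON_PREFIXES) and dport in SERVICE_PORTS

def run_edge(packets, funnel):
    """Push packets (in time order) through the edge and return counters."""
    seen = defaultdict(int)            # (src, 1-second window) -> new flows accepted
    state = set()                      # stateful firewall's flow table: (src, sport, dport)
    c = {"dropped_stateless": 0, "dropped_ratelimit": 0, "overflow": 0, "legit_served": 0}
    for pkt in sorted(packets, key=lambda p: p[0]):
        t, src, sport, dport, _valid = pkt
        if funnel:
            if not stateless_prefilter(pkt):
                c["dropped_stateless"] += 1
                continue
            window = (src, int(t))
            if seen[window] >= PER_SOURCE_LIMIT:
                c["dropped_ratelimit"] += 1
                continue
            seen[window] += 1
        # Stateful stage: every new flow needs a table entry and a full table drops the
        # packet; entries are assumed not to time out during this short trace.
        flow = (src, sport, dport)
        if flow not in state:
            if len(state) >= STATE_TABLE_CAP:
                c["overflow"] += 1
                continue
            state.add(flow)
        if src == LEGIT_SRC:
            c["legit_served"] += 1
    c["state_entries"] = len(state)
    return c

def sample_traffic():
    """Constructed trace: 5 legitimate SYNs, a 1000-packet flood from one address,
    300 packets from a bogon source and 300 malformed packets, within 5 seconds."""
    legit = [(float(i), LEGIT_SRC, 40000 + i, 443, True) for i in range(5)]
    flood = [(0.2 + 0.0005 * i, "203.0.113.50", 1024 + i, 443, True) for i in range(1000)]
    bogon = [(0.5 + 0.001 * i, "10.0.0.1", 1024 + i, 443, True) for i in range(300)]
    malformed = [(0.3 + 0.001 * i, "203.0.113.9", 1024 + i, 443, False) for i in range(300)]
    return legit + flood + bogon + malformed
```

Running `run_edge(sample_traffic(), False)` fills the 100-entry table within the first quarter second and serves only the first legitimate packet, while `run_edge(sample_traffic(), True)` drops the trash statelessly, lets 20 flood flows through, and serves all 5 legitimate packets with 25 table entries.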