On Jan 5, 2010, at 2:38 PM, Darren Bolding wrote:
> * Defense in depth. You've never had a host that received external traffic ever accidentally have iptables or windows firewall turned off? Even when debugging a production outage or on accident?

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps. 'Stateful inspection' where in fact there is no useful state to inspect is pointless.

> * Location for IDS/IDP.

Non sequitur, as these things have nothing to do with one another (plus, these devices are useless, anyways, heh).

> * Connection cleanup, re-assembling fragments, etc.

Far, far, far better and more scalably handled by the hosts themselves and/or load-balancers.

> * SYN flood protection, etc.

Firewalls simply don't handle this well, marketing claims aside. They crash and burn.

> * Single choke point to block incoming traffic deemed undesirable.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Single log point for inbound connections for analysis and auditing requirements.

Contextless, arbitrary syslog from firewalls and other such devices is largely useless for this purpose. NetFlow combined with server/app/service logs is the answer to this requirement.

> * Allows outbound traffic enforcement.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Allows conditional inbound traffic from specific approved external hosts- e.g. a partner.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Some firewalls allow programmatic modification of configurations with all the benefits/pain that brings. This is alongside traditional CLI and GUI interfaces.

Ugly, brittle, siloed, to be avoided at all costs.

> * In some/many cases a zone based firewall configuration can be much easier to work with than a large iptables config. Certainly the management tools are better.

Again, policy should be enforced via stateless ACLs in router/switch hardware capable of handling mpps.

> * Yeah, auditors like it.
Education is the answer here. ;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
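The exchange above keeps coming back to "stateless ACLs in router/switch hardware" as the enforcement point for inbound policy, partner exceptions and return traffic. The following is an added example, not code from this thread or from either poster, that models how such an ACL decides: first match wins, an implicit deny at the end, and an "established" entry that is nothing more than a test for the ACK or RST bit (the IOS semantics), with no connection table behind it. All prefixes, hosts, ports and rule names are constructed for illustration; the hosting network 203.0.113.0/24, the partner host 198.51.100.7 and the sample packets are made up. The last sample packet shows the trade-off a practitioner should keep in mind: an ACK-only probe to a closed port passes the "established" entry, and it is the host's TCP stack that answers it with a RST.

```python
"""Stateless ACL model with an IOS-style 'established' keyword.

Added example (not from the mailing-list thread).  Every address, port
and rule name below is constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IPv4 address
    dst: str                         # destination IPv4 address
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                         # source prefix, CIDR notation
    dst: str                         # destination prefix, CIDR notation
    dport: Optional[int] = None      # None means any destination port
    established: bool = False        # TCP with ACK or RST set (IOS 'established')
    name: str = ""                   # label reported with the decision


def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: inspects only the packet in hand, never a flow table."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established:
        # 'established' is purely a flag test; the router keeps no state
        # and cannot tell a genuine reply from an ACK-only probe.
        if pkt.proto != "tcp" or not (pkt.flags & {"ACK", "RST"}):
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy for an Internet-facing interface, inbound direction.
OUR_PREFIX = "203.0.113.0/24"        # constructed: the hosting network
PARTNER_HOST = "198.51.100.7/32"     # constructed: one approved partner host

ACL_INBOUND = [
    Rule("deny",   "ip",  "10.0.0.0/8", "0.0.0.0/0",                  name="drop-rfc1918-source"),
    Rule("permit", "tcp", "0.0.0.0/0",  OUR_PREFIX, dport=80,         name="web"),
    Rule("permit", "tcp", "0.0.0.0/0",  OUR_PREFIX, dport=443,        name="web-tls"),
    Rule("permit", "tcp", PARTNER_HOST, "203.0.113.10/32", dport=22,  name="partner-ssh"),
    Rule("permit", "tcp", "0.0.0.0/0",  OUR_PREFIX, established=True, name="return-traffic"),
]

# Constructed sample packets arriving on that interface.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "web-syn":           Packet("tcp", "192.0.2.5",    "203.0.113.10", 40001, 80,    frozenset({"SYN"})),
    "ssh-from-internet": Packet("tcp", "192.0.2.5",    "203.0.113.10", 40002, 22,    frozenset({"SYN"})),
    "ssh-from-partner":  Packet("tcp", "198.51.100.7", "203.0.113.10", 40003, 22,    frozenset({"SYN"})),
    "spoofed-source":    Packet("tcp", "10.1.2.3",     "203.0.113.10", 40004, 80,    frozenset({"SYN"})),
    "reply-to-outbound": Packet("tcp", "192.0.2.9",    "203.0.113.10", 443,   51000, frozenset({"SYN", "ACK"})),
    "ack-probe":         Packet("tcp", "192.0.2.9",    "203.0.113.10", 1234,  3306,  frozenset({"ACK"})),
}


def decisions(acl: List[Rule] = ACL_INBOUND,
              packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample packet against the ACL and return the verdicts."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, rule) in decisions().items():
        print(f"{name:<18} {action:<6} ({rule})")
```

Run it and compare "reply-to-outbound" with "ack-probe": both are permitted by the same "return-traffic" entry, because the ACL has no way to know that only one of them belongs to a connection a host actually opened. The probe reaches the host, whose stack has no socket on that port and replies with a RST; that is the state the thread argues belongs on the host rather than in a middlebox. Note also that the anti-spoof entry sits first, so a packet with an RFC 1918 source is dropped before any permit is consulted.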