As long as the various stateful firewalls and IDS systems offer hostile-action detection and blocking capabilities that raw webservers lack, there are certainly counterarguments to the "port filter only" approach being advocated here. Focusing only on DDoS prevention from one narrow range of attack vectors targeting the firewalls themselves is narrow-minded. The security threat envelope is pretty wide. Vulnerabilities of a similar nature exist on the webservers themselves, and on the load balancer devices you will likely need anyway.

Any number of enterprises have chosen, if a DDoS or other advanced attack is going to succeed, to let it succeed in bringing down a firewall on the external shell of the security envelope rather than having it penetrate to the server level. Smart design can also handle transparently failing over should such a vendor-specific attack succeed.

The idea that anyone doing real, big, complex networks would, or has to, accept any SPOF is ludicrous. The question is how important avoiding SPOFs is, and how committed you are. If the answer is "absolutely must, and we have enough budget to do so," then it's entirely doable.

On Tue, Apr 22, 2014 at 1:28 PM, Doug Barton <dougb@dougbarton.us> wrote:
> On 04/22/2014 01:15 PM, Matthew Huff wrote:
>> I wouldn't manage a corporate network without a centrally managed firewall (stateful; or not).
>
> Matthew,
>
> No one is saying that. What Roland is saying, and the position that I agree with, is that putting a firewall in front of a system _that is intended to be ON the Internet, serving external users_, is a bad idea.
>
> I think it's a given that you'd want to protect your internal systems with a firewall (except for the aforementioned IPv6 illuminati, of whom I am not one).
>
> Doug

--
-george william herbert
george.herbert@gmail.com
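The specific failure mode the thread is arguing over, a stateful device whose per-flow table can be filled by spoofed connection attempts while a stateless port filter has no such table to fill, can be shown with a small model. This is an added example, not code from anyone in the thread; both "firewall" classes are deliberately simplified toys (no flow timeouts, no SYN cookies, no rate limiting), and every packet, address and table size below is constructed for the illustration.

```python
"""Toy model of state-table exhaustion: a bounded stateful firewall versus
a stateless port filter in front of a public web server.

Added example for illustration only.  The traffic stream, addresses and
table size are constructed here, not captured from any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address (just a string key in this model)
    dport: int    # destination port
    legit: bool   # ground truth used only for scoring; filters never see it


class StatelessPortFilter:
    """Plain ACL: permit by destination port, keep no per-flow state."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def accept(self, pkt):
        return pkt.dport in self.allowed


class StatefulFirewall:
    """Permit by port, but also record every new flow in a bounded table
    (the shape of a conntrack table).  Once the table is full, any packet
    that is not already a known flow is dropped, including legitimate
    connection attempts.  Real devices age entries out; this toy does not,
    which is the simplification that makes the effect easy to see."""

    def __init__(self, allowed_ports, max_entries):
        self.allowed = set(allowed_ports)
        self.max_entries = max_entries
        self.table = set()

    def accept(self, pkt):
        if pkt.dport not in self.allowed:
            return False
        key = (pkt.src, pkt.dport)
        if key in self.table:
            return True
        if len(self.table) >= self.max_entries:
            return False            # table full: new flow dropped
        self.table.add(key)
        return True


def constructed_traffic(n_spoofed=5000, n_legit=200, n_probes=50):
    """Constructed stream: a burst of connection attempts to port 443 from
    never-repeating (spoofed) sources, followed by legitimate clients to
    port 443, followed by probes to port 22 that both filters should drop.
    Source strings are unique but are not meant as routable addresses."""
    pkts = []
    for i in range(n_spoofed):
        pkts.append(Packet(src=f"10.{(i >> 8) & 255}.{i & 255}.1",
                           dport=443, legit=False))
    for j in range(n_legit):
        pkts.append(Packet(src=f"192.0.2.{j}", dport=443, legit=True))
    for k in range(n_probes):
        pkts.append(Packet(src=f"198.51.100.{k}", dport=22, legit=False))
    return pkts


def run(fw, pkts):
    """Feed packets in order (state matters) and return
    (legitimate packets accepted, attack/probe packets accepted)."""
    legit_ok = attack_ok = 0
    for p in pkts:
        ok = fw.accept(p)
        if p.legit:
            legit_ok += ok
        else:
            attack_ok += ok
    return legit_ok, attack_ok


if __name__ == "__main__":
    pkts = constructed_traffic()
    n_legit = sum(p.legit for p in pkts)
    for name, fw in (("stateless port filter", StatelessPortFilter({80, 443})),
                     ("stateful firewall, 4096-entry table",
                      StatefulFirewall({80, 443}, max_entries=4096))):
        legit_ok, attack_ok = run(fw, pkts)
        print(f"{name}: {legit_ok}/{n_legit} legitimate accepted, "
              f"{attack_ok} attack/probe packets accepted")
```

Run stand-alone, the stateless filter passes every legitimate connection (and, as the other side of the argument points out, every spoofed one too, since it has no way to tell them apart), while the 4096-entry stateful table is filled by the spoofed burst and then refuses all 200 legitimate clients. Whether the flood reaches the webserver or stalls at the firewall is exactly the trade-off the two positions in the thread are weighing; the toy only shows where the state lives, not whether either outcome is preferable.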