On 04/22/2014 01:49 PM, George Herbert wrote:
> As long as the various stateful firewalls and IDS systems offer hostile action detection and blocking capabilities that raw webservers lack, there are certainly counterarguments to the "port filter only" approach being advocated here.
Right, but now you're talking about something other than just a firewall.
> Focusing only on DDOS prevention from one narrow range of attack vectors targeting the firewalls themselves is narrow-minded. The security threat envelope is pretty wide. Vulnerabilities of similar nature exist on the webservers themselves, and on load balancer devices you will likely need anyways.
Again, sure, but removing a needless firewall from the equation is one less thing to worry about.
> Any number of enterprises have chosen that if a DDOS or other advanced attack is going to be successful, to let that be successful in bringing down a firewall on the external shell of the security envelope rather than having penetrated to the servers level.
And if they are making that choice proactively who am I to argue? I disagree, but their network, their rules. What usually happens though is that enterprises believe that the firewall will protect them, without understanding that it can actually create a SPOF instead.
> Smart design can also handle transparently failing over should such a vendor-specific attack succeed. The idea that anyone doing real, big complex networks would or has to accept any SPOF is ludicrous. The question is, how important is avoiding SPOFs, and how committed you are. If the answer is "absolutely must, and we have enough budget to do so" then it's entirely doable.
Of course.

Doug