"th" == Tony Hain <alh-ietf@tndh.net> writes:
th> Eric Brandwine wrote:
Please, tell your vendors you want line-rate filtering up to layer 4.
th> And when you do so, be prepared to pay what it will cost to deliver
th> that.

Absolutely! And it'll be well worth it too. The up-front cost is higher, but economy of scale will bring it down. Having routers that can protect themselves, protect devices behind them, track attacks, and provide vastly improved visibility into your network will pay for itself quickly. Imagine, a router that cannot be knocked over!

I have this argument with Chris and my management all the time. Up through layer 4, headers are well defined: bit fields, 16/32 bit ints, etc. Filtering at this point is just making a decision to do so, and designing it into hardware. Juniper did it from the beginning (mostly), and does it well. More recent Cisco GSR line cards (Engine 4, etc.) come close. It's just another ASIC. Filtering past layer 5 is open to argument, that's a much harder job, but up till 4, it's almost free.

When we installed CF chips in all our M40s, the amount of extra information that we gained about our network was amazing. We regularly see multi-gigabit attack flows in the network, and are now able to mitigate/filter/track them. It's a good thing, and with general purpose filtering capabilities, you're always finding new uses for them.

ericb

--
Eric Brandwine      | Doing what little one can to increase the general stock
UUNetwork Security  | of knowledge is as respectable an object of life, as one
ericb@uu.net        | can in any likelihood pursue.
+1 703 886 6038     |                                        - Charles Darwin
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
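The point about layer-4 headers being fixed-offset bit fields is what makes line-rate filtering cheap, and the same property makes it easy to show in software. The following is an added example (not code from the post, nor from any Juniper or Cisco implementation): it pulls the fields a layer-4 ACL needs out of a raw IPv4 packet at fixed offsets, then evaluates a first-match ACL with a default deny. The `Rule` syntax, the addresses, and the packet builders are constructed for illustration; the `established` check mirrors the usual router semantics (ACK or RST set). It also handles the edge case an L4-only filter has to get right: non-initial fragments carry no transport header, so port-based rules cannot match them and they fall through to the default.

```python
"""Fixed-offset layer-3/4 classification of raw IPv4 packets against a small ACL.
Added example, not code from the original post. Rule syntax, addresses and
sample packets are constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, ICMP = 6, 17, 1
RST, SYN, ACK = 0x04, 0x02, 0x10


@dataclass(frozen=True)
class L4Key:
    proto: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    frag_offset: int              # non-zero: later fragment, no transport header present
    sport: Optional[int] = None   # None when no transport header is visible
    dport: Optional[int] = None
    tcp_flags: int = 0


def parse_l3l4(pkt: bytes) -> Optional[L4Key]:
    """Read the classification fields from fixed header offsets (IPv4, no link header).
    Returns None for anything that is not a sane IPv4 packet."""
    if len(pkt) < 20:
        return None
    vihl, _tos, _tlen, _ident, frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    key = L4Key(proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), frag & 0x1FFF)
    if key.frag_offset != 0:
        return key                # later fragment: ports stay None on purpose
    l4 = pkt[ihl:]
    if proto in (TCP, UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])       # ports at L4 offsets 0 and 2
        flags = l4[13] if proto == TCP and len(l4) >= 14 else 0   # TCP flags at offset 13
        key = L4Key(proto, key.src, key.dst, 0, sport, dport, flags)
    return key


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    established: bool = False     # TCP with ACK or RST set (reply traffic of an open connection)

    def matches(self, k: L4Key) -> bool:
        if self.proto is not None and k.proto != self.proto:
            return False
        if self.src is not None and k.src not in self.src:
            return False
        if self.dst is not None and k.dst not in self.dst:
            return False
        if self.dport is not None and (k.dport is None or k.dport != self.dport):
            return False          # no visible transport header: port rules never match
        if self.established and not (k.proto == TCP and k.tcp_flags & (ACK | RST)):
            return False
        return True


def classify(pkt: bytes, acl: List[Rule]) -> str:
    """First-match evaluation; unparsable or unmatched packets are denied."""
    key = parse_l3l4(pkt)
    if key is None:
        return "deny"
    for rule in acl:
        if rule.matches(key):
            return rule.action
    return "deny"


# Constructed ACL for an external interface in front of 192.0.2.0/24.
ACL = [
    Rule("deny", src=ipaddress.IPv4Network("10.0.0.0/8")),                      # anti-spoof
    Rule("permit", proto=TCP, src=ipaddress.IPv4Network("198.51.100.0/24"),
         dst=ipaddress.IPv4Network("192.0.2.10/32"), dport=22),                 # SSH from ops net only
    Rule("deny", proto=TCP, dst=ipaddress.IPv4Network("192.0.2.10/32"), dport=22),
    Rule("permit", proto=TCP, dst=ipaddress.IPv4Network("192.0.2.10/32"), dport=80),
    Rule("permit", proto=TCP, dst=ipaddress.IPv4Network("192.0.2.0/24"), established=True),
    Rule("permit", proto=ICMP),
]


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, frag_offset: int = 0) -> bytes:
    """Constructed IPv4 header (checksum left zero; it plays no part in classification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag_offset & 0x1FFF,
                      64, proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    syn_web = build_ipv4(TCP, "203.0.113.5", "192.0.2.10", build_tcp(40000, 80, SYN))
    later_frag = build_ipv4(TCP, "203.0.113.5", "192.0.2.10", b"\x00" * 8, frag_offset=1)
    print("SYN to web:", classify(syn_web, ACL))          # permit
    print("later fragment:", classify(later_frag, ACL))   # deny (no ports to match)
```

The fragment case is worth keeping in mind when reading an ACL: a permit that names a port only ever sees the first fragment, so whatever the rest of the datagram is allowed by has to be a rule without port conditions or the default action.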