Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Sony: No firewall and no patches
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 12 May 2011 01:30:32 +0000

On May 12, 2011, at 3:49 AM, phocean wrote:

To go back to my point: an application server (IIS, Apache) cannot sustain as many connections as a firewall (of 
course in a sane and standard environment).

Sorry, but my operational experience is quite the opposite.  And one generally deploys clusters of servers, in any kind 
of even semi-important site.

So you cannot tell that a firewall will increase the risk of DoS.

I can and do tell you that.  I further tell you that enforcing network access policies for servers in stateless ACLs 
instantiated in ASIC-based routers and layer-3 switches is the way to go.  I tell you this based upon my direct 
experience working for the largest manufacturer of firewalls in the world, and on my day-to-day operational experience 
with people calling up and screaming that 'the data center is down' and the proximate cause being a stateful firewall 
which gave up the ghost to trivial amounts of traffic.

For example, I've seen 80kpps of SYN-flood take down a stateful firewall rated for 2.5gb/sec.

From what I have seen so far as arguments, I think the discussion is over.

The folks cited on pp. 41 - 42 of the survey in question have reached a different conclusion:


Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]