
nanog mailing list archives
RE: I don't need no stinking firewall!
From: "Brian Johnson" <bjohnson () drtel com>
Date: Wed, 6 Jan 2010 13:29:39 -0600
-----Original Message-----
From: Brian Keefer [mailto:chort () smtps net]
Sent: Wednesday, January 06, 2010 11:38 AM
To: Brian Johnson
Cc: NANOG list
Subject: Re: I don't need no stinking firewall!

> On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote:
>
>> Like Roland, I've been doing this for over a decade as well, and I have seen some pretty strange things, even a stateful firewall in front of servers with IPS actually work.
>
> What do you mean by "work"? If you mean "all three pieces ran for years without being seriously attacked", then that's really not the same thing as "continued to perform assigned duties effectively in the face of a determined DDoS".

By work I mean that it held up under DDoS attack. The size of a DDoS attack is the question. If I have enough resources a person can DDoS an entire network, irrelevant of its equipment, that will make the network unusable and unreachable. Stateful firewall or not. They simply need to fill up the inbound connection with traffic so that nothing else gets through.

If your point is given unlimited inbound bandwidth that a stateful firewall will fail (not work correctly), I can say that about any piece of equipment. And even if it does fail, does it matter if your connection is full of useless traffic?

DDoS attacks are not designed to compromise or gather data about networks. DDoS is the sledge hammer of the dubious to cause disruption. It doesn't matter what you put in there (stateful firewall, IDS, IPS, router ACLs, et al...), if the connection is flooded, the network will be unreachable. Does it matter if the equipment can't handle it if no good traffic, that would need to be statefully inspected, is traversing the connection?

- Brian