Roland, iatrogenic. induced inadvertently ... http://www.merriam-webster.com/dictionary/IATROGENIC

It is not often I have to look up a word on this board. Well played sir.

On Tue, Nov 10, 2009 at 6:31 PM, Dobbins, Roland <[email protected]> wrote:
>
> On Nov 11, 2009, at 4:26 AM, Peter Rathlev wrote:
>
> > I've read about this, but I fail to see what the point is.
>
> The point is that there shouldn't be firewalls in front of servers in the
> first place, given that every packet which comes in is unsolicited and
> therefore the stateful inspection is both completely obviated and forms a
> DDoS chokepoint; and yet folks have been so conditioned by security
> snake-oil marketing to put firewalls in front of their servers that they do
> it anyways, complain to their vendors when said firewalls fall over with
> relatively small amounts of traffic due to state-table exhaustion, and thus
> need a way to disable the stateful inspection they paid so much to achieve
> so that they can still claim that they've a firewall in front of their
> servers, even though said firewalls are iatrogenic in nature.
>
> ;>
>
> Folks should do as you say, hardening their servers/apps/services,
> enforcing policy via stateless ACLs in hardware, and deploying reaction
> tools such as S/RTBH. Firewalls in front of servers is generally a Bad
> Idea, period.
>
> -----------------------------------------------------------------------
> Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Gregory Wendel
Springfield VA, 22153
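The quoted argument, that a stateful firewall in front of a public server turns an unsolicited-traffic flood into a state-table exhaustion problem while a stateless ACL evaluates every packet in constant memory, can be shown with a small model. The following is an added example, not code from the thread or from any vendor; the server address, the flood sources, the flow-table size and the `Packet`/`Rule` types are all constructed for the simulation, and the stateful device is a deliberately simplified model (bounded flow table, state created only on a permitted SYN).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    syn: bool = False  # True for the first packet of a new inbound TCP flow


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination prefix in CIDR form
    dport: Optional[int]  # None matches any destination port


SERVER = "192.0.2.10"  # constructed server address (documentation range)

# Policy in the spirit of the thread: expose only the service port,
# deny everything else. Same rule list feeds both devices below.
POLICY = [
    Rule("permit", "tcp", f"{SERVER}/32", 80),
    Rule("deny", "any", "0.0.0.0/0", None),
]


def acl_permits(rules, pkt):
    """Stateless ACL: first matching rule decides, implicit deny at the end.
    Constant memory and constant work per packet, whatever the offered load."""
    for r in rules:
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if ip_address(pkt.dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False


class StatefulFirewall:
    """Simplified stateful inspection: a bounded flow table where each
    permitted, unsolicited SYN consumes an entry until the table is full."""

    def __init__(self, rules, max_flows):
        self.rules = rules
        self.max_flows = max_flows
        self.flows = set()
        self.dropped_for_state = 0  # packets the policy allowed but state could not

    def forward(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flows:
            return True                  # established flow, fast path
        if not pkt.syn:
            return False                 # mid-flow packet with no state: dropped
        if not acl_permits(self.rules, pkt):
            return False                 # policy deny
        if len(self.flows) >= self.max_flows:
            self.dropped_for_state += 1  # policy permit, but no room left
            return False
        self.flows.add(key)
        return True


def simulate(n_flood, max_flows):
    """Replay n_flood SYNs from distinct constructed sources through both
    devices, then a legitimate client on port 80 and an SSH probe."""
    fw = StatefulFirewall(POLICY, max_flows)
    flood = [Packet(str(ip_address("10.0.0.0") + i), SERVER, "tcp", 80, syn=True)
             for i in range(n_flood)]
    legit = Packet("198.51.100.7", SERVER, "tcp", 80, syn=True)
    ssh = Packet("198.51.100.7", SERVER, "tcp", 22, syn=True)

    return {
        "stateless_flood_permitted": sum(acl_permits(POLICY, p) for p in flood),
        "stateful_flood_forwarded": sum(fw.forward(p) for p in flood),
        "stateless_legit_permitted": acl_permits(POLICY, legit),
        "stateful_legit_forwarded": fw.forward(legit),
        "stateful_dropped_for_state": fw.dropped_for_state,
        "ssh_permitted_stateless": acl_permits(POLICY, ssh),
        "ssh_forwarded_stateful": fw.forward(ssh),
    }


if __name__ == "__main__":
    for name, value in simulate(n_flood=1000, max_flows=500).items():
        print(f"{name}: {value}")
```

With a 500-entry table and 1000 unsolicited SYNs the stateful model forwards the first 500, then drops the rest and the legitimate client that follows, even though the policy permits all of them; the stateless ACL keeps admitting port 80 and rejecting port 22 with no table to exhaust, which is why the thread pushes the policy into hardware ACLs and leaves connection handling to the hardened server itself.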
