On May 10, 2011, at 6:03 AM, Thor (Hammer of God) wrote:

> Maybe they should call that "You don't have to patch" genius! 


Stateful firewalls have no place in front of servers, where every incoming 
request is unsolicited, and therefore there is no state to inspect in the first 
place.  Stateful firewalls in front of servers merely serve as DDoS chokepoints 
due to the large amount of unnecessary state they instantiate.

Instead, network access policies for servers should be implemented utilizing 
stateless ACLs on hardware-based routers and/or layer-3 switches capable of 
handling mpps of traffic.

Keeping OSes and apps/services up-to-date with patches and configured securely 
is extremely important, of course; and network access policies should be 
implemented per the above.  But blindly sticking stateful firewalls in places 
where there's no state to inspect and where they actually do more harm than 
good in terms of actual security posture isn't a solution.  Where stateful 
firewalls in front of Web servers are incorrectly mandated by various 
regulatory frameworks, making use of mod_security or its equivalent on the Web 
servers themselves ensures compliance without creating a DDoS chokepoint.

See 
<http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_ISPSec_N48.pdf> 
and 
<http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45> 
for more details on this particular sub-topic.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
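As an added illustration of the stateless-ACL approach described in the post above (example configuration written for this page, not taken from the post or from the NANOG slides): a Cisco IOS-style extended ACL pair for a single Web server, applied on the router's server-facing interface. The server address 192.0.2.10 and the interface name are constructed placeholders.

```cisco
! Toward the server: permit only the services it actually offers.
! No connection table is created; every packet is matched on its own headers.
ip access-list extended WEB-IN
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 ! ICMP type 3 code 4 is needed for path-MTU discovery; dropping it breaks
 ! large responses for some clients, so it is permitted explicitly.
 permit icmp any host 192.0.2.10 packet-too-big
 deny   ip any any
!
! From the server: replies from the served ports carry ACK and/or RST, which
! the "established" keyword checks statelessly from the TCP flags. Sessions
! the server itself initiates (DNS, NTP, package repositories) are not covered
! here and must be added explicitly in both directions.
ip access-list extended WEB-OUT
 permit tcp host 192.0.2.10 eq 80 any established
 permit tcp host 192.0.2.10 eq 443 any established
 deny   ip any any
!
! On the interface facing the server, traffic toward the server is "out"
! and traffic from the server is "in" from the router's point of view.
interface GigabitEthernet0/1
 description Server-facing interface (constructed example)
 ip access-group WEB-IN out
 ip access-group WEB-OUT in
```

Because nothing here instantiates per-flow state, a burst of unsolicited SYNs costs the router only the per-packet ACL lookup that hardware platforms perform at line rate, which is the point the post makes about avoiding a DDoS chokepoint.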

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
