Re: [c-nsp] DNS rewrite & global capabilities

2009-07-01 Thread Maxwell Reid
Hi Quinn & Roland, It's a known fact that both "state" tracking and bandwidth are finite resources... the other finite resource that isn't talked about much is dollars for arbor boxes :-) The point I think is to balance the architecture in a manner that leaves bandwidth as the final bottle

Re: [c-nsp] DNS rewrite & global capabilities

2009-07-01 Thread Roland Dobbins
On Jul 1, 2009, at 2:05 PM, Quinn Mahoney wrote: That's not saying a whole lot. You could always get more bandwidth and more servers. That doesn't mean it's not helpful to have a specialized device multiplexing the connections to the servers, and doing more sophisticated analysis of the p

Re: [c-nsp] DNS rewrite & global capabilities

2009-07-01 Thread Quinn Mahoney
e legitimate traffic, either, being overwhelmed by the DDoS. " Not really saying a whole lot again. My argument was not that the products you refer to aren't a part of an effective security solution. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisc

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-30 Thread Roland Dobbins
On Jul 1, 2009, at 12:09 PM, Quinn Mahoney wrote: Without a firewall proxying the tcp connection? That would depend on how many servers there are and what the firewalls can handle. The server never gets traffic from the spoofed addresses with the firewall, or from a load-balancer that multi

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-30 Thread Quinn Mahoney
-Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roland Dobbins Sent: Wednesday, July 01, 2009 12:10 AM To: Cisco-nsp Subject: Re: [c-nsp] DNS rewrite & global capabilities On Jul 1, 2009, at 11:02 AM, Quinn Mahone

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-30 Thread Roland Dobbins
On Jul 1, 2009, at 11:02 AM, Quinn Mahoney wrote: irewalls do have features, for instance, they can proxy a tcp-syn connection and not send it to the server if it doesn't get an ack. Doesn't scale. Servers alone handle this much better, even without syn-cookies. Also they obviously bl

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-30 Thread Quinn Mahoney
't look like a one thing fits solution. -Original Message- From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Roland Dobbins Sent: Monday, June 29, 2009 10:17 AM To: Cisco-nsp Subject: Re: [c-nsp] DNS rewrite & global capabilities On

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-29 Thread Joe Maimon
Sam Stickland wrote: Roland Dobbins wrote: But even more than that, putting your public-facing DNS (or any other kind of server) behind a firewall is a very serious architectural mistake; firewalls in front of public-facing servers provide no security value whatsoever, and degrade the overal

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-29 Thread Roland Dobbins
On Jun 29, 2009, at 9:40 PM, sth...@nethelp.no wrote: SSH through the regular Internet-facing interface, with appropriate restrictions (hosts.allow or similar) also works very well. We have our DNS servers configured this way, and see no problems. OOB management through a dedicated DCN has ma

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-29 Thread sthaug
> > But even more than that, putting your public-facing DNS (or any other > > kind of server) behind a firewall is a very serious architectural > > mistake; firewalls in front of public-facing servers provide no > > security value whatsoever, and degrade the overall security posture > > due to

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-29 Thread Sam Stickland
Roland Dobbins wrote: But even more than that, putting your public-facing DNS (or any other kind of server) behind a firewall is a very serious architectural mistake; firewalls in front of public-facing servers provide no security value whatsoever, and degrade the overall security posture due

Re: [c-nsp] DNS rewrite & global capabilities

2009-06-29 Thread Roland Dobbins
On Jun 29, 2009, at 8:33 PM, Jonathan Brashear wrote: t seems like the ability to rewrite DNS against certain DDoS attacks Marketing claims aside, firewalls have no utility whatsoever in terms of defending against DDoS attacks, and actually tend to make the situation worse and the server

[c-nsp] DNS rewrite & global capabilities

2009-06-29 Thread Jonathan Brashear
I recently went through a Cisco security course and learned about the ASA's 'DNS Rewrite' function which seems like a handy tool internally. I'm curious if there's ever been an effort to re-work that function outward; it seems like the ability to rewrite DNS against certain DDoS attacks (like, r