Re: I don't need no stinking firewall!

2010-01-14 Thread Bill Stewart
On Wed, Jan 13, 2010 at 9:37 PM, Warren Kumari wrote: > I can now place a checkbox in the "Is there a firewall?" column of the > audit. In most cases, you can check the same box if you use an appropriately designed stateless firewall instead of an inappropriate stateful firewall. (Not always,

Re: I don't need no stinking firewall!

2010-01-14 Thread Joe Maimon
Dobbins, Roland wrote: On Jan 10, 2010, at 1:22 PM, harbor235 wrote: Again, a firewall has its place just like any other device in the network, defense in >>> depth is a prudent philosophy to reduce the chances of compromise, it does not >>> eliminate it nor does any architecture you can th

Re: I don't need no stinking firewall!

2010-01-14 Thread Randy Bush
>> Replace all the routers on the Internet with stateful firewalls. What >> happens? > the same thing that happened with flow-cached routers, they melt, you go > out of business, the end.^ a bunch of us LOAO, ^

Re: I don't need no stinking firewall!

2010-01-13 Thread Dobbins, Roland
On Jan 14, 2010, at 12:37 PM, Warren Kumari wrote: > I can now place a checkbox in the "Is there a firewall?" column of the > audit. mod_security is your friend. ;> --- Roland Dobbins //

Re: I don't need no stinking firewall!

2010-01-13 Thread Warren Kumari
On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote: On Jan 10, 2010, at 1:22 PM, harbor235 wrote: Again, a firewall has its place just like any other device in the network, defense in >>> depth is a prudent philosophy to reduce the chances of compromise, it does not >>> eliminate it nor d

Re: I don't need no stinking firewall!

2010-01-13 Thread Joel Jaeggli
Tim Durack wrote: > Replace all the routers on the Internet with stateful firewalls. What happens? the same thing that happened with flow-cached routers, they melt, you go out of business, the end.

Re: I don't need no stinking firewall!

2010-01-13 Thread Tim Durack
Lots of interesting technical information in this thread. Mixed with a healthy dose of religion/politics :-) I suspect that most people are going to keep doing what they are doing. In our environment, at the transport level, we have moved from stateful towards stateless, as it has proved to be op

RE: I don't need no stinking firewall!

2010-01-13 Thread Brian Johnson
> -Original Message- > From: Bruce Curtis [mailto:bruce.cur...@ndsu.edu] > Sent: Tuesday, January 12, 2010 5:14 PM > To: NANOG list > Subject: Re: I don't need no stinking firewall! > >> > >> IMO you're better off making sure only the servic

Re: I don't need no stinking firewall!

2010-01-12 Thread Bruce Curtis
On Jan 6, 2010, at 3:56 PM, Brian Johnson wrote: >> -Original Message- >> From: Brian Keefer [mailto:ch...@smtps.net] >> Sent: Wednesday, January 06, 2010 3:12 PM >> To: Brian Johnson >> Cc: NANOG list >> Subject: Re: I don't need no stinking fi

Re: I don't need no stinking firewall!

2010-01-11 Thread Henry Yen
On Thu, Jan 07, 2010 at 22:55:25PM -0800, Jay Hennigan wrote: > Nenad Andric wrote: > > On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan wrote: > > >> Or better: > >> - Allow from anywhere port 80 to server port > 1023 established > > > > Adding "established" brings us back to stateful

RE: I don't need no stinking firewall!

2010-01-10 Thread George Bonser
> I believe that these comments were more along the lines of 'servers can > better handle this that stateful firewalls', not ruling out the use of > load-balancers, reverse-proxy caches, etc. as appropriate. > > --- > Roland Dobbi

Re: I don't need no stinking firewall!

2010-01-10 Thread Dobbins, Roland
On Jan 11, 2010, at 12:56 PM, George Bonser wrote: > One would probably have a load balancer of some sort in front of those > machines. That is the device that would be fielding any DoS. Yes, and as you've noted previously, it should be protected via stateless ACLs in hardware capable of han

RE: I don't need no stinking firewall!

2010-01-10 Thread George Bonser
> > And I don't believe anyone is necessarily advocating exposing > individual > > servers directly to the internet either. > > Actually, some of us are. That can be difficult to do when you have maybe 300 or 400 servers that handle one service. Let's say you have a site called www.foobar.com an

Re: I don't need no stinking firewall!

2010-01-10 Thread Brian Keefer
On Jan 10, 2010, at 5:40 PM, George Bonser wrote: > And I don't believe anyone is necessarily advocating exposing individual > servers directly to the internet either. Actually, some of us are. > There are other devices that > can handle isolation of the servers and protect them against such th

Re: I don't need no stinking firewall!

2010-01-10 Thread Randy Bush
> And I don't believe anyone is necessarily advocating exposing > individual servers directly to the internet either. some of us do that takes all kinds :) randy

RE: I don't need no stinking firewall!

2010-01-10 Thread George Bonser
> I certainly understand and agree with your position, in most cases, but > there are some instances when a firewall serves an excellent purpose. > As an > example, we manage hundreds of heterogeneous servers where customers > also > have administrative access to the devices. As such, we can nev

Re: I don't need no stinking firewall!

2010-01-10 Thread Michael K. Smith
On 1/9/10 10:32 PM, "Dobbins, Roland" wrote: > > On Jan 10, 2010, at 1:22 PM, harbor235 wrote: > >> Again, a firewall has its place just like any other device in the network, >> defense in >>> depth is a prudent philosophy to reduce the chances of >> compromise, it does not >>> eliminate it

Re: I don't need no stinking firewall!

2010-01-10 Thread Dobbins, Roland
On Jan 11, 2010, at 4:55 AM, James Hess wrote: > I don't agree with "You never need a proxy in front of a server, it's only > there to fail". Again, reverse proxy *caches* are extremely useful in front of Web farms. Pure proxying makes no sense. -

Re: I don't need no stinking firewall!

2010-01-10 Thread James Hess
On Sun, Jan 10, 2010 at 11:47 AM, William Herrin wrote: > On Sun, Jan 10, 2010 at 3:48 AM, James Hess wrote: >> there are a few different things that can be >> done, such as the firewall answering on behalf of the server (using >> SYN cookies) and negotiating connection with the server after t

Re: I don't need no stinking firewall!

2010-01-10 Thread Joe Greco
> On Fri, Jan 8, 2010 at 10:48 AM, Joe Greco wrote: > > Putting a stateful firewall in front of that would be dumb; the server > > is completely capable of coping with the superfluous SYN's in a much > > more competent manner than the firewall. > > The trouble with blanket statements about "all s

Re: I don't need no stinking firewall!

2010-01-10 Thread William Herrin
On Sun, Jan 10, 2010 at 12:47 PM, William Herrin wrote: > Even if it does > send an RST, most application developers aren't well enough versed in > sockets programming to block on the shutdown and check the success > status, Sorry, I got that wrong. shutdown() will succeed without waiting for a F

Re: I don't need no stinking firewall!

2010-01-10 Thread William Herrin
On Sun, Jan 10, 2010 at 3:48 AM, James Hess wrote: > there are a few different things that can be > done, such as the firewall answering on behalf of the server (using > SYN cookies) and negotiating connection with the server after the > final ACK. James, That's called a proxy or sometimes an

Re: I don't need no stinking firewall!

2010-01-10 Thread Dobbins, Roland
On Jan 10, 2010, at 3:48 PM, James Hess wrote: > Firewalls do not need to build a state entry for > partial TCP sessions, there are a few different things that can be > done, such as the firewall answering on behalf of the server (using > SYN cookies) and negotiating connection with the serve

Re: I don't need no stinking firewall!

2010-01-10 Thread James Hess
On Fri, Jan 8, 2010 at 10:48 AM, Joe Greco wrote: > Putting a stateful firewall in front of that would be dumb; the server > is completely capable of coping with the superfluous SYN's in a much > more competent manner than the firewall. The trouble with blanket statements about "all stateful fire

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:32 PM, Dobbins, Roland wrote: > One can spout all the buzzwords and catchphrases one wishes, but at the end > of the day, it's all dead wrong - and anyone naive enough to fall for it is > setting himself up for a world of hurt. mike, You deserve a better response than t

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 1:22 PM, harbor235 wrote: > Again, a firewall has its place just like any other device in the network, > defense in >>> depth is a prudent philosophy to reduce the chances of > compromise, it does not >>> eliminate it nor does any architecture you can > think of, period Wh

Re: I don't need no stinking firewall!

2010-01-09 Thread harbor235
> > Other security features in an Enterprise Class firewall; > >-Inside source based NAT, reinforces secure traffic flow by allowing > outside to inside flows based on > > configured translations and allowed security policies > > Terrible from an availability perspective, troubleshooting perspe

Re: I don't need no stinking firewall!

2010-01-09 Thread Dobbins, Roland
On Jan 10, 2010, at 5:51 AM, harbor235 wrote: > Other security features in an Enterprise Class firewall; >-Inside source based NAT, reinforces secure traffic flow by allowing > outside to inside flows based on >configured translations and allowed security policies Terrible from an a

Re: I don't need no stinking firewall!

2010-01-09 Thread harbor235
I think we are overlooking what an enterprise class firewall accomplishes from a security perspective and what a firewall's function is in the overall security posture of a network. First, stateful inspection by itself is not the only security feature of a firewall, it is one security feature of

Re: I don't need no stinking firewall!

2010-01-08 Thread Joel Jaeggli
Dobbins, Roland wrote: > On Jan 9, 2010, at 7:52 AM, Joel Jaeggli wrote: > >> see my post in the subject, a reasonably complete performance >> report for the device is a useful place to start. > > The problem is that one can't trust the stated vendor performance > figures, which is why actual

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 9, 2010, at 7:52 AM, Joel Jaeggli wrote: > see my post in the subject, a reasonably complete performance report for the > device is a useful place to start. The problem is that one can't trust the stated vendor performance figures, which is why actual testing is required. I've seen in

Re: I don't need no stinking firewall!

2010-01-08 Thread Joel Jaeggli
Dobbins, Roland wrote: > On Jan 8, 2010, at 9:02 PM, bill from home wrote: > >> And maybe there is no way to tell, but I feel I need to ask the question. > > Situationally-dependent; the only way to really tell, not just theorize, is > to test the firewall to destruction during a maintenance w

Re: I don't need no stinking firewall!

2010-01-08 Thread Joel Jaeggli
bill from home wrote: > All, > This thread certainly has been educational, and has changed my > perception of what an appropriate outward facing architecture should be. > But seldom do I have the luxury of designing this from scratch, and also > the networks I administer are "small business's"

Re: I don't need no stinking firewall!

2010-01-08 Thread Joe Greco
> All, > This thread certainly has been educational, and has changed my > perception of what an appropriate outward facing architecture should be. > But seldom do I have the luxury of designing this from scratch, and also > the networks I administer are "small business's". > My question is at

Re: I don't need no stinking firewall!

2010-01-08 Thread Valdis . Kletnieks
On Fri, 08 Jan 2010 08:22:00 EST, bill from home said: > My question is at what size connection does a state table become > vulnerable, are we talking 1mb dsl's with a soho firewall? Security - you're doing it wrong. ;) The question you *should* be asking yourself is "at what size connection am

RE: I don't need no stinking firewall!

2010-01-08 Thread Joel Snyder
On Thu Jan 07, 2010 at 01:04:01PM -0800, Jay Hennigan wrote: Or better: - Allow from anywhere port 80 to server port > 1023 established Adding "established" brings us back to stateful firewall! Not really. It only looks to see if the ACK or RST bits are set. This is different from

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 8, 2010, at 9:02 PM, bill from home wrote: > And maybe there is no way to tell, but I feel I need to ask the question. Situationally-dependent; the only way to really tell, not just theorize, is to test the firewall to destruction during a maintenance window (or one like it, in the lab)

Re: I don't need no stinking firewall!

2010-01-08 Thread bill from home
Roland, I understand, but at the site we are protecting, at what point is the bottleneck the connection speed, and at what point is the state table the bottleneck. It saves me the following uncomfortable conversation. ME> Mr customer, remember that firewall you bought a couple of years ago

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 8, 2010, at 8:22 PM, bill from home wrote: > Or as I suspect we are talking about a larger scale? Even an attacker with relatively moderate resources can succeed simply by creating enough well-formed, programmatically-generated traffic to 'crowd out' legitimate traffic.

Re: I don't need no stinking firewall!

2010-01-08 Thread bill from home
All, This thread certainly has been educational, and has changed my perception of what an appropriate outward facing architecture should be. But seldom do I have the luxury of designing this from scratch, and also the networks I administer are "small business's". My question is at what size c

Re: I don't need no stinking firewall!

2010-01-08 Thread Dobbins, Roland
On Jan 8, 2010, at 3:21 PM, Arie Vayner wrote: > Further on, if you want to really protect against a real DDoS you would most > likely have to look at a really distributed solution, where the > different geographical load balancing solutions come into play. GSLB or whatever we want to ca

Re: I don't need no stinking firewall!

2010-01-08 Thread Arie Vayner
list > > Subject: Re: I don't need no stinking firewall! > > > > > > On Jan 6, 2010, at 11:43 AM, George Bonser wrote: > > > > > Yes, you have to take some of the things that were done in one spot > > and do > > > them in different locati

Re: I don't need no stinking firewall!

2010-01-07 Thread Jay Hennigan
Nenad Andric wrote: On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan wrote: Or better: - Allow from anywhere port 80 to server port > 1023 established Adding "established" brings us back to stateful firewall! Not really. It only looks to see if the ACK or RST bits are set. Thi

RE: I don't need no stinking firewall!

2010-01-06 Thread gb10hkzo-nanog
Don't think anyone has mentioned this yet, so I will. All this debate over the pros and cons of firewalls brings the words "Jericho Forum" to mind, and their "principles for de-perimeterization (perimeter erosion)" http://www.opengroup.org/jericho/ Just my 2 worth !

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
> -Original Message- > From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] > Sent: Wednesday, January 06, 2010 3:46 PM > To: nanog@nanog.org > Subject: Re: I don't need no stinking firewall! > > On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: >

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
> -Original Message- > From: Brian Keefer [mailto:ch...@smtps.net] > Sent: Wednesday, January 06, 2010 3:12 PM > To: Brian Johnson > Cc: NANOG list > Subject: Re: I don't need no stinking firewall! > > It's quite possible to flood the state table on

Re: I don't need no stinking firewall!

2010-01-06 Thread Valdis . Kletnieks
On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: > Everyone needs to listen to Roland's mantra: "stateless ACLs in hardware > that can handle Mpps". It's more than just a hint. I suspect that more than a few need to be reminded that "stateless ACLs in switch hardware" is just another name fo

Re: I don't need no stinking firewall!

2010-01-06 Thread Brian Keefer
On Jan 6, 2010, at 11:29 AM, Brian Johnson wrote: > If your point is given unlimited inbound bandwidth that a stateful > firewall will fail (not work correctly), I can say that about any piece > of equipment. And even if it does fail, does it matter if your > connection is full of useless traf

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
- Brian > -Original Message- > From: Brian Keefer [mailto:ch...@smtps.net] > Sent: Wednesday, January 06, 2010 11:38 AM > To: Brian Johnson > Cc: NANOG list > Subject: Re: I don't need no stinking firewall! > > > On Jan 6, 2010, at 6:51 AM, Brian Jo

Re: I don't need no stinking firewall!

2010-01-06 Thread David Hiers
As long as you raise the level of CAIN (Confidentiality, Availability, Integrity, Non-Repudiation) that your mission requires and funding permits, you can do it anywhere you like, with whatever you like, and call it whatever you like. David On Wed, Jan 6, 2010 at 9:38 AM, Brian Keefer wrote: >

Re: I don't need no stinking firewall!

2010-01-06 Thread Brian Keefer
On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote: > Like Roland, I've been doing > this for over a decade as well, and I have seen some pretty strange > things, even a stateful firewall in front of servers with IPS actually > work. > What do you mean by "work"? If you mean "all three pieces

RE: I don't need no stinking firewall!

2010-01-06 Thread Brandon M. Lapointe
-Original Message- From: David Hiers [mailto:hie...@gmail.com] Sent: Wednesday, January 06, 2010 10:50 AM To: Brian Johnson Cc: nanog@nanog.org Subject: Re: I don't need no stinking firewall! >Poking the dragon a bit, aren't you? Fun. >If you really look at

Re: I don't need no stinking firewall!

2010-01-06 Thread David Hiers
Poking the dragon a bit, aren't you? Fun. If you really look at it, there is no quantitative difference between stateful and non-stateful. A non-stateful firewall can prevent a TCP session from entering the SYN_RECEIVED state by blocking the SYN packet, so it strongly impacts session state wit

Re: I don't need no stinking firewall!

2010-01-06 Thread Joe Greco
> > (4) Rate limiting. The ability to rate limit incoming and outgoing data > > can prevent certain sorts of DoSes. > > I am not sure what makes you believe that. The ability to rate limit > incoming data at the server level would definitely not prevent a DoS. > > The ability to rate limit ou

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
ondescension and rhetoric. Thank you. - Brian > -Original Message- > From: Dobbins, Roland [mailto:rdobb...@arbor.net] > Sent: Wednesday, January 06, 2010 7:52 AM > To: NANOG list > Subject: Re: I don't need no stinking firewall! > > > On Jan 6, 2010, at 8:42

Re: I don't need no stinking firewall!

2010-01-06 Thread Mark Smith
On Wed, 6 Jan 2010 04:53:17 + "Dobbins, Roland" wrote: > > On Jan 6, 2010, at 11:43 AM, George Bonser wrote: > > > Yes, you have to take some of the things that were done in one spot and do > > them in different locations now, but the results are an amazing increase > > in service capacity

Re: I don't need no stinking firewall!

2010-01-06 Thread Tony Finch
On Tue, 5 Jan 2010, Kevin Oberman wrote: > > I suspect at least part of this will soon get fixed due to DNSSEC. > Blocking tcp/53 and packets over 512 bytes will cause user complaints > and, after enough education, the problem will get fixed. Yes. Remember the root zone is due to be signed within

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 8:42 PM, Jared Mauch wrote: > The reality is they just have not been attacked yet, and hence have no > experience in what to do about the problem... And they've been bombarded with misinformation for years by 'security' vendors, wildly unrealistic certification training cour

Re: I don't need no stinking firewall!

2010-01-06 Thread Jared Mauch
On Jan 6, 2010, at 3:12 AM, Dobbins, Roland wrote: > Wrong. The attacker just programmatically generates semantically-valid > traffic which is indistinguishable from real traffic, and crowds out the > real traffic. > > All those fancy timers and counters and what-not don't matter. > > I've

Re: I don't need no stinking firewall!

2010-01-06 Thread Jared Mauch
On Jan 5, 2010, at 4:24 PM, Robert Brockway wrote: > Do you have any evidence to support this assertion? You've just asserted > that all firewalls have a specific vulnerability. It isn't even possible to > know the complete set of architectures (hardware & software) used for > firewalls so I

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 8:25 PM, juttazalud wrote: > How do you define "firewall"? This thread was about stateful firewalls in particular. --- Roland Dobbins // Injustice is relatively easy to be

Re: I don't need no stinking firewall!

2010-01-06 Thread juttazalud
On Wednesday, 06 January 2010 at 13:43, Roland Dobbins wrote: > On Jan 6, 2010, at 5:38 PM, William Waites wrote: >> A properly configured firewall will prevent latter. > So will stateless ACLs, running in hardware capable of handling mpps. How do you define "firewall"? I remember something li

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 5:38 PM, William Waites wrote: > A properly configured firewall will prevent latter. So will stateless ACLs, running in hardware capable of handling mpps. ;> --- Roland Dobbins //

Re: I don't need no stinking firewall!

2010-01-06 Thread William Waites
On 10-01-05 at 21:29, Dobbins, Roland wrote: Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirection

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 3:03 PM, William Pitcock wrote: > So, in fact, all incoming packets should > be considered unsolicited until proven otherwise. Concur - it works this way, as well. At one extreme, completely pathological, at the other extreme, perfectly normal - just faux. ;> > It should

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 2:47 PM, James Hess wrote: > "Overflowing the state table" then becomes only a possible > outcome that has some acceptable level of probability, assuming > that your other protections have already failed... Wrong. The attacker just programmatically generates semanti

Re: I don't need no stinking firewall!

2010-01-06 Thread William Pitcock
On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote: > On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland wrote: > > On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: > > DDoS attacks are attacks against capacity and/or state. Start reducing > > DDoS, by its very nature is a type of attack tha

Re: I don't need no stinking firewall!

2010-01-05 Thread James Hess
On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland wrote: > On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: > DDoS attacks are attacks against capacity and/or state. Start reducing DDoS, by its very nature is a type of attack that dances around common security measures like conventional fi

RE: I don't need no stinking firewall!

2010-01-05 Thread George Bonser
> See above; in front of the server, there's no state to track in the > first place, heh. > > Fish, meet bicycle. I think that is the part that some people aren't getting. You have a network just sitting there. A syn packet arrives for port 80 to an http server. You ARE going to allow it becaus

Re: I don't need no stinking firewall!

2010-01-05 Thread William Herrin
On Tue, Jan 5, 2010 at 9:20 PM, Rich Kulawiec wrote: > A firewall is another layer in a defense-in-depth strategy, but tends > to only be truly effective if the first rule in it is > > deny all from any to any Not surprisingly, good network security starts with and incorporates the protect

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: > However, the "well managed" part seems to be a sticking point for most > organizations I've seen. No doubt, shops that use this effectively have some > sort of homebrew or commercial firewall management platform that lets you > place poli

Re: I don't need no stinking firewall!

2010-01-05 Thread Ryan Brooks
On 1/5/10 3:24 PM, Robert Brockway wrote: On Tue, 5 Jan 2010, Dobbins, Roland wrote: The problem is that your premise is wrong. Stateful firewalls (hereafter just called firewalls) offer several advantages. This list is not necessarily exhaustive. Great advantages list, but where's the di

RE: I don't need no stinking firewall!

2010-01-05 Thread George Bonser
> -Original Message- > From: Dobbins, Roland [mailto:rdobb...@arbor.net] > Sent: Tuesday, January 05, 2010 8:53 PM > To: NANOG list > Subject: Re: I don't need no stinking firewall! > > > On Jan 6, 2010, at 11:43 AM, George Bonser wrote: > > > Ye

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 11:43 AM, George Bonser wrote: > Yes, you have to take some of the things that were done in one spot and do > them in different locations now, but the results are an amazing increase > in service capacity per dollar spent on infrastructure. I strongly agree with the majority

Re: I don't need no stinking firewall!

2010-01-05 Thread Jonathan Lassoff
Excerpts from Dobbins, Roland's message of Tue Jan 05 20:23:28 -0800 2010: Roland, On many of the points you've made, I totally agree. Well-managed hardware routers that have support for ACLs in hardware are a great firewall for things that have a relatively small set of rules (e.g. "any:any -> s

Re: I don't need no stinking firewall!

2010-01-05 Thread William Pitcock
On Tue, 2010-01-05 at 16:24 -0500, Robert Brockway wrote: > On Tue, 5 Jan 2010, Dobbins, Roland wrote: > > > In the most basic terms, a stateful firewall performs bidirectional > > classification of communications between nodes, and makes a pass/fail > > determination on each packet based on a)

RE: I don't need no stinking firewall!

2010-01-05 Thread George Bonser
> -Original Message- > From: nanog-boun...@nanog.org [mailto:nanog-boun...@nanog.org] On > Behalf Of Robert Brockway > Sent: Tuesday, January 05, 2010 1:25 PM > To: NANOG list > > On Tue, 5 Jan 2010, Dobbins, Roland wrote: > > > Putting firewalls in front of servers is a Really Bad Idea

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 4:24 AM, Robert Brockway wrote: > Hi Roland. I disagree strongly with this position. You can disagree all you want, but it's still borne out by real-world operational experience. ;> > The problem is that your premise is wrong. Just what about my premise is wrong? Nothing

Re: I don't need no stinking firewall!

2010-01-05 Thread Jorge Amodio
- A firewall is a partition structure that normally consists of two side walls with a fire retardant material between them. - A firewall does not prevent a fire. - A firewall does not extinguish a fire. - A firewall only delays the propagation of a fire event to the other side. - The characteristic

Re: I don't need no stinking firewall!

2010-01-05 Thread Robert Brockway
On Tue, 5 Jan 2010, Dobbins, Roland wrote: In the most basic terms, a stateful firewall performs bidirectional classification of communications between nodes, and makes a pass/fail determination on each packet based on a) whether or not a bidirectional communications session is already open be

Re: I don't need no stinking firewall!

2010-01-05 Thread Rich Kulawiec
A firewall is another layer in a defense-in-depth strategy, but tends to only be truly effective if the first rule in it is deny all from any to any which of course does not happen much of the time in the real world, with predictable results. Moreover, stateful packet inspection is not

Re: I don't need no stinking firewall!

2010-01-05 Thread James Hess
On Tue, Jan 5, 2010 at 2:16 PM, Brian Johnson wrote: > I have my own idea of what a firewall is and what it does. I also A firewall is a term for a class of device (or software program). Ask different people and you should get different answers, depending on who you ask. Windows firewall... bp

Re: I don't need no stinking firewall!

2010-01-05 Thread Kevin Oberman
> From: Jared Mauch > Date: Tue, 5 Jan 2010 16:20:56 -0500 > > On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote: > > > It's all how you configure and tweak the firewall. Recommending people run > > servers without a firewall is bad advice - do you really want your Win2k3 > > server exposed, SM

Re: I don't need no stinking firewall!

2010-01-05 Thread Mark Smith
On Tue, 5 Jan 2010 20:51:47 + Tony Finch wrote: > On Tue, 5 Jan 2010, Brian Johnson wrote: > > > > Given this information, and not prejudging any responses, exactly what > > is a firewall for and when is stateful inspection useful? > > Stateful inspection is useful for breaking things in su

Re: I don't need no stinking firewall!

2010-01-05 Thread Mark Smith
On Tue, 5 Jan 2010 14:16:58 -0600 "Brian Johnson" wrote: > Security Gurus, et al, > > I have my own idea of what a firewall is and what it does. I also > understand what stateful packet inspection is and what it does. Given > this information, and not prejudging any responses, exactly what is a

Re: I don't need no stinking firewall!

2010-01-05 Thread Kenny Sallee
On Tue, Jan 5, 2010 at 12:16 PM, Brian Johnson wrote: > Security Gurus, et al, > > I have my own idea of what a firewall is and what it does. I also > understand what stateful packet inspection is and what it does. Given > this information, and not prejudging any responses, exactly what is a > f

Re: I don't need no stinking firewall!

2010-01-05 Thread Sean Donelan
On Tue, 5 Jan 2010, Fred Baker wrote: The primary value of a firewall is two-fold: - It enables a network administrator to define his "edge", the interior of which he is responsible for. - It enables a network administrator to isolate his network from externally-originated traffic per his whim

Re: I don't need no stinking firewall!

2010-01-05 Thread Fred Baker
The primary value of a firewall is two-fold: - It enables a network administrator to define his "edge", the interior of which he is responsible for. - It enables a network administrator to isolate his network from externally-originated traffic per his whims and viewpoints. IMHO, it is not

Re: I don't need no stinking firewall!

2010-01-05 Thread Henry Yen
On Tue, Jan 05, 2010 at 13:18:47PM -0800, Jay Hennigan wrote: > Jason Shearer wrote: > > Doesn't using the established allow any packet with ACK/RST set > > Yes, as would be expected for legitimate return traffic for a TCP > connection initiated from a browser inside the firewall. > > > and wou

Re: I don't need no stinking firewall!

2010-01-05 Thread William Herrin
On Tue, Jan 5, 2010 at 3:16 PM, Brian Johnson wrote: > I have my own idea of what a firewall is and what it does. I also > understand what stateful packet inspection is and what it does. Given > this information, and not prejudging any responses, exactly what is a > firewall for and when is state

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 4:07 AM, Mark Foster wrote: > I'm interested by this assertion; surely Stateful Inspection is meant to > facilitate the blocking of out-of-sequence packets, ones which aren't part > of valid + recognised existing sessions - whilst of course allowing valid > SYN session-start

Re: I don't need no stinking firewall!

2010-01-05 Thread Dobbins, Roland
On Jan 6, 2010, at 3:58 AM, Brielle Bruns wrote: > It's all how you configure and tweak the firewall. Recommending people > run servers without a firewall is bad advice - do you really want your > Win2k3 server exposed, SMB, RPC, and all to the world? Nope - I use stateless ACLs in hardware,

Re: I don't need no stinking firewall!

2010-01-05 Thread Jared Mauch
On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote: > It's all how you configure and tweak the firewall. Recommending people run > servers without a firewall is bad advice - do you really want your Win2k3 > server exposed, SMB, RPC, and all to the world? Some people think that exposing any funct

Re: I don't need no stinking firewall!

2010-01-05 Thread Jay Hennigan
Jason Shearer wrote: Doesn't using the established allow any packet with ACK/RST set Yes, as would be expected for legitimate return traffic for a TCP connection initiated from a browser inside the firewall. and wouldn't you have to allow all high ports? That's what the ">" is for. Cisco

Re: I don't need no stinking firewall!

2010-01-05 Thread Brielle Bruns
On 1/5/10 2:06 PM, Simon Lockhart wrote: I have an answer to that problem, but not everyone would agree with it [1]. One of my biggest beefs with some people is that they'll stand there with their fingers in their ears yelling LA LA LA if you point out to them that not every person in the

RE: I don't need no stinking firewall!

2010-01-05 Thread Jason Shearer
Doesn't using the established allow any packet with ACK/RST set and wouldn't you have to allow all high ports? Jason -Original Message- From: Jay Hennigan [mailto:j...@west.net] Sent: Tuesday, January 05, 2010 3:04 PM To: nanog@nanog.org Subject: Re: I don't need no st

Re: I don't need no stinking firewall!

2010-01-05 Thread Tony Finch
On Tue, 5 Jan 2010, Peter Hicks wrote: > > Is that really stateful inspection? Isn't the SMTP fixup on a PIX an > application-level gateway? Well, the bug I described is caused by it not being stateful enough. > I *thought* most of the world turns SMTP fixup off because it's naff. Exactly my poi

Re: I don't need no stinking firewall!

2010-01-05 Thread Mark Foster
Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirectional communications sessions, but the key is that the

Re: I don't need no stinking firewall!

2010-01-05 Thread Simon Lockhart
On Tue Jan 05, 2010 at 01:58:52PM -0700, Brielle Bruns wrote: > It's all how you configure and tweak the firewall. Recommending people > run servers without a firewall is bad advice - do you really want your > Win2k3 server exposed, SMB, RPC, and all to the world? I have an answer to that probl

Re: I don't need no stinking firewall!

2010-01-05 Thread Brielle Bruns
On 1/5/10 2:01 PM, Peter Hicks wrote: Tony Finch wrote: Stateful inspection is useful for breaking things in subtle and hard-to-debug ways. > http://fanf.livejournal.com/102206.html http://fanf.livejournal.com/95831.html Is that really stateful inspection? Isn't the SMTP fixup on a PIX an
