[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Requirements for IPv6 Firewalls

Subject: Requirements for IPv6 Firewalls
From: bjohnson at drtel.com (Brian Johnson)
Date: Tue, 22 Apr 2014 18:55:03 +0000
In-reply-to: <616B4ECE1290D441AD56124FEBB03D0818EB7AE0B9@mailserver2007.nyigc.globe>
References: <[email protected]> <[email protected]> <CAP-guGUquwcsESnKbe9QKE79NzfSBNsye4Sq4cFgjwr8xLODSw@mail.gmail.com> <CALgc3C6v_u3Xrjf1rQ=u+62ctExOEfYWUsor-DzfamLVv+z+uA@mail.gmail.com> <CAK__Kzs7_tY0HggT7PG2STorHqcV-3BAXHmYF=pia0bPa6YXzg@mail.gmail.com> <CALgc3C7Fi0rhBODH+kc2Vk6pE9s9TAoa303TFftTCN_K4G77kA@mail.gmail.com> <CAP-guGXia-YLnN0LN8FrQnQFC7gRQMbbiGXh=OLK+4cz02p+Rg@mail.gmail.com> <CAFy81rnw-Q7gYb8eSz-0LqH+kRgSS6+vWieMH=AL9Ay-x2KPDg@mail.gmail.com> <CAN3um4xY-jtZ23--yBMy=WfjH1kzhgQ2+2DLn8=MNAcuE-ZdKA@mail.gmail.com> <[email protected]> <CAP-guGVevjt4upAtt9bvbWjmARkL7=_D4L38OuBqSs1J69tLkQ@mail.gmail.com> <[email protected]> <CAP-guGW51yRY_2GPBRw6N_1665Nw9qS+d4Drhhp-eLWjuR1ioA@mail.gmail.com> <[email protected]> <CAP-guGUh1LPE8U6yqKRVQzEHVbiu9c6Sb0Np9kRqQh4fLPDxXA@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <616B4ECE1290D441AD56124FEBB03D0818EB7AE0B9@mailserver2007.nyigc.globe>

Eric,

If you read what he posted and really believe that is what he is saying, you need to re-think your career decision. It is obvious that he is not saying that.

I hate it when threads breakdown to this type of tripe and ridiculous restatement of untruths.

- Brian

> -----Original Message-----
> From: Eric Wieling [mailto:EWieling at nyigc.com]
> Sent: Tuesday, April 22, 2014 1:16 PM
> To: Dobbins, Roland; nanog at nanog.org
> Subject: RE: Requirements for IPv6 Firewalls
> 
> It seems to me you are saying we should get rid of firewalls and rely on
> applications network security.
> 
> This is so utterly idiotic I must be misunderstanding something.    There are a
> few things we can count on in life, death, taxes, and application developers
> leaving giant security holes in their applications.
> 
> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins at arbor.net]
> Sent: Saturday, April 19, 2014 12:10 AM
> To: nanog at nanog.org
> Subject: Re: Requirements for IPv6 Firewalls
> 
> You can 'call' it all you like - but people who actually want to keep their
> servers up and running don't put stateful firewalls in front of them, because
> it's very easy to knock them over due to state exhaustion.  In fact, it's far
> easier to knock them over than to knock over properly-tuned naked hosts.
> 
> Also, you might want to search the NANOG email archive on this topic.
> There's lots of previous discussion, which boils down to the fact that serious
> organizations running serious applications/services don't put stateful
> firewalls (or 'IPS', or NATs, et. al.) in front of their servers.
> 
> The only way to secure hosts/applications/service against compromise is via
> those hosts/applications/services themselves.  Inserting stateful
> middleboxes doesn't actually accomplish anything to enhance confidentiality
> and integrity, actually increases the attack surface due to middlebox exploits
> (read the numerous security notices for various commercial and open-source
> stateful firewalls for compromise exploits), and has a negative impact on
> availability.
> 
>

Follow-Ups:
- Requirements for IPv6 Firewalls
  - From: morrowc.lists at gmail.com (Christopher Morrow)

References:
- Requirements for IPv6 Firewalls
  - From: fernando at gont.com.ar (Fernando Gont)
- Requirements for IPv6 Firewalls
  - From: fernando at gont.com.ar (Fernando Gont)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: eugen at imacandi.net (Eugeniu Patrascu)
- Requirements for IPv6 Firewalls
  - From: george.herbert at gmail.com (George Herbert)
- Requirements for IPv6 Firewalls
  - From: eugen at imacandi.net (Eugeniu Patrascu)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: tmorizot at gmail.com (Timothy Morizot)
- Requirements for IPv6 Firewalls
  - From: eyeronic.design at gmail.com (Mike Hale)
- Requirements for IPv6 Firewalls
  - From: simon at per.reau.lt (Simon Perreault)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: simon at per.reau.lt (Simon Perreault)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: simon at per.reau.lt (Simon Perreault)
- Requirements for IPv6 Firewalls
  - From: bill at herrin.us (William Herrin)
- Requirements for IPv6 Firewalls
  - From: rdobbins at arbor.net (Dobbins, Roland)
- Requirements for IPv6 Firewalls
  - From: jeff-kell at utc.edu (Jeff Kell)
- Requirements for IPv6 Firewalls
  - From: rdobbins at arbor.net (Dobbins, Roland)
- Requirements for IPv6 Firewalls
  - From: jeff-kell at utc.edu (Jeff Kell)
- Requirements for IPv6 Firewalls
  - From: rdobbins at arbor.net (Dobbins, Roland)
- Requirements for IPv6 Firewalls
  - From: EWieling at nyigc.com (Eric Wieling)

Prev by Date: Comcast transit problems?
Next by Date: Requirements for IPv6 Firewalls
Previous by thread: Requirements for IPv6 Firewalls
Next by thread: Requirements for IPv6 Firewalls
Index(es):
- Date
- Thread