> There are stateful firewalls in the security packages in front of all the internet facing servers in all the major service providers I've worked at.  Not *just* stateful firewalls, but they're in there.

There's no sense in putting a stateful firewall in front of a DNS server,
unless the DNS server is underperforming, and then it should be
exchanged and not protected by a stateful firewall.

You can try to protect mail/WWW servers with stateful firewalls, but
it often achieves nothing but makes the firewall the weakest link in
the setup. And tuning it to perform reasonably well in normal and
peak traffic is usually not achievable.

In case of a DDoS attack, the stateful firewall goes out first. I've
seen them burn too. To protect high-performance services, you do
stateless filtering + NetFlow based QoS policies, or shunt to
dedicated DDoS filtering boxes.

Adding state where it's not needed is a sign of bad design. And just
because a lot of people do that doesn't make it any better.

-- 
"There's no sense in being precise when |               Łukasz Bromirski
 you don't know what you're talking     |      jid:lbromirski at jabber.org
 about."               John von Neumann |    http://lukasz.bromirski.net

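As an added illustration (not part of the thread above), the following toy model shows the failure mode the post describes: a stateful firewall keeps one table entry per inbound DNS query and only passes the reply if that entry still exists, so a flood of spoofed-source queries evicts legitimate state and the real reply is dropped, while a stateless ACL judges each packet on its own and has no state to exhaust. All addresses, table sizes and packet counts are constructed for the example.

```python
"""Toy model (constructed for this example): per-flow state vs. a stateless ACL
in front of an authoritative DNS server under a spoofed-source UDP query flood."""
from collections import OrderedDict, namedtuple
import random

Pkt = namedtuple("Pkt", "src sport dst dport")
DNS = "192.0.2.53"  # placeholder server address (RFC 5737 documentation range)


class StatefulFirewall:
    """Keeps one entry per inbound flow; a reply passes only if its entry survived."""

    def __init__(self, max_entries):
        self.max_entries, self.table, self.evicted = max_entries, OrderedDict(), 0

    def inbound(self, p):
        if p.dst != DNS or p.dport != 53:
            return False
        if len(self.table) >= self.max_entries:  # table full: drop the oldest flow
            self.table.popitem(last=False)
            self.evicted += 1
        self.table[(p.src, p.sport)] = True
        return True

    def outbound(self, p):  # reply must match tracked state, or it is dropped
        return p.src == DNS and p.sport == 53 and (p.dst, p.dport) in self.table


class StatelessFilter:
    """Pure per-packet ACL: no memory, so behaviour is independent of flow count."""

    def inbound(self, p):
        return p.dst == DNS and p.dport == 53

    def outbound(self, p):
        return p.src == DNS and p.sport == 53


def simulate(fw, flood_packets, seed=1):
    """One legitimate resolver query, then a flood, then the server's reply.
    Returns True if the legitimate reply made it back through the device."""
    rng = random.Random(seed)
    query = Pkt("198.51.100.7", 40000, DNS, 53)  # constructed resolver query
    assert fw.inbound(query)
    for _ in range(flood_packets):  # random spoofed sources: a new flow per packet
        fw.inbound(Pkt(f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65536), DNS, 53))
    return fw.outbound(Pkt(DNS, 53, query.src, query.sport))


if __name__ == "__main__":
    print("stateful :", simulate(StatefulFirewall(max_entries=10_000), 50_000))  # False
    print("stateless:", simulate(StatelessFilter(), 50_000))  # True
```

With a flood smaller than the table the stateful device still works, which is exactly why it looks fine in testing and fails first under real attack load.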