
On Dec 9, 2013, at 9:36 AM, Christoph Berthoud <christoph(a)zeebob.co.nz> wrote:

> a) I will be hiding behind a dedicated firewall appliance and not relying on the OS firewalls

Servers really should never be placed behind stateful firewalls - it doesn't actually do any good, it doesn't really make sense (all incoming connections are unsolicited, so there's no state to inspect), and renders them much more vulnerable to DDoS attacks than if the firewalls weren't there. Network access policy should typically be expressed using stateless ACLs in hardware-based routers or layer-3 switches.

Same goes for NAT - I've seen horror story after horror story about NATted servers.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins(a)arbor.net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton
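Added illustration of the state-exhaustion point in the reply above (example code, not part of the list message or any vendor's product): a stateless ACL decides each packet on its own, while a stateful device has to allocate a table entry for every unsolicited SYN it accepts, so a flood of spoofed sources fills the table and legitimate clients are refused. The address ranges, table size and the absence of entry timeouts are constructed simplifications for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP as a string
    dst_port: int   # destination TCP port
    syn: bool       # True for a connection-opening SYN


class StatelessAcl:
    """Per-packet rule match with no memory between packets (router/L3-switch ACL)."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def accept(self, pkt):
        # Cost is constant per packet and does not depend on how many sources exist.
        return pkt.dst_port in self.allowed_ports


class StatefulFirewall:
    """Tracks every accepted flow; refuses new flows once the table is full.
    Simplification (assumption): entries never age out and no SYN-cookie style
    protection exists, which is the worst case the mail describes."""

    def __init__(self, allowed_ports, max_states):
        self.allowed_ports = set(allowed_ports)
        self.max_states = max_states
        self.states = set()

    def accept(self, pkt):
        key = (pkt.src, pkt.dst_port)
        if key in self.states:
            return True                       # existing flow, pass it
        if pkt.dst_port not in self.allowed_ports:
            return False                      # policy denies it outright
        if len(self.states) >= self.max_states:
            return False                      # table exhausted: new legitimate SYN dropped
        self.states.add(key)                  # unsolicited SYN consumes a state entry
        return True


def run_flood(device, flood_sources, legit_sources, port=443):
    """Send one SYN per flood source, then one SYN per legitimate client.
    Returns the fraction of legitimate SYNs the device accepted."""
    for src in flood_sources:
        device.accept(Packet(src, port, True))
    accepted = sum(device.accept(Packet(src, port, True)) for src in legit_sources)
    return accepted / len(legit_sources)


# Constructed sample traffic: 5000 spoofed flood sources, 20 real clients.
FLOOD = [f"10.0.{i // 256}.{i % 256}" for i in range(5000)]
LEGIT = [f"192.0.2.{i}" for i in range(1, 21)]
```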