On Feb 25, 2010, at 10:09 AM, Shane Alcock wrote:
The questions I have: Is that initial statement correct? Is there anyone out there who is using (or knows anyone who is using) a stateful firewall in such a fashion?
It's utter nonsense, of course, as you rightly suspect.
;>
No SP in his right mind does this; you mainly see this sort of thing in legacy mobile data networks, where the folks building the networks didn't have a lot of TCP/IP experience at the time and were (understandably) bamboozled by the firewall-as-silver-bullet snake-oil. Many of these mobile networks, as they're becoming full-fledged wireless broadband providers, are ripping out these stateful DDoS chokepoints as they re-engineer their networks utilizing BCPs.
Marketing claims aside, firewalls do not provide any protection against DDoS; they actually are far more susceptible to DDoS themselves than are end-hosts, and they go down all the time under even low-scale DDoS attacks. Firewalls should not be wedged into the middle of SP networks, nor should they be placed in front of servers. They do make sense in front of workstations on end-customer access LANs, but that's about it.
So, wedging stateful boxes of any kind into the network (firewalls, 'IPS', et al.), or wedging any sort of device permanently inline is generally a Bad Thing, and is to be avoided whenever possible.
There's some discussion of this topic in this preso:
http://files.me.com/roland.dobbins/k54qkv
and in this preso from the current NANOG meeting:
http://www.nanog.org/meetings/nanog48/presentations/Monday/Kaeo_FilterTrend_...
-----------------------------------------------------------------------
Roland Dobbins
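The claim above that an inline stateful device gives out before the server it fronts, illustrated with a toy model added here (not part of Roland's post or any cited preso). It assumes a device that must commit a table entry on the first packet of every flow, an end host that answers SYNs with cookies and stores nothing until the handshake completes, and constructed traffic, capacities and timeouts.

```python
# Added example, not from the original thread. Toy model of why an inline
# stateful device gives out before the server it fronts: the device must
# allocate a table entry for every new flow on its first packet, while an
# end host using SYN cookies stores nothing until a handshake completes.
# All traffic below is constructed; capacities and timeouts are assumed.


class FlowTable:
    """Bounded flow table with an idle timeout, keyed by flow tuple."""

    def __init__(self, capacity, idle_timeout):
        self.capacity, self.idle_timeout = capacity, idle_timeout
        self.entries = {}  # flow -> tick inserted; dicts keep insertion order

    def insert(self, flow, now):
        while self.entries:  # expire idle entries, oldest first
            old_flow, seen = next(iter(self.entries.items()))
            if now - seen <= self.idle_timeout:
                break
            del self.entries[old_flow]
        if len(self.entries) >= self.capacity:
            return False  # table full: this flow is dropped, legitimate or not
        self.entries[flow] = now
        return True


class Box:
    """A stateful inline device (syn_cookies=False) or an end host that answers
    SYNs with cookies and commits state only on a completed handshake."""

    def __init__(self, capacity, idle_timeout, syn_cookies):
        self.table = FlowTable(capacity, idle_timeout)
        self.syn_cookies = syn_cookies

    def new_flow(self, flow, now, completes_handshake):
        if self.syn_cookies and not completes_handshake:
            return True  # spoofed SYN answered statelessly, nothing stored
        return self.table.insert(flow, now)  # middlebox must commit state here


def legit_success_rate(box, flood_per_tick, ticks, legit_per_tick=5):
    """Fraction of legitimate new connections accepted while spoofed SYNs arrive."""
    ok = total = 0
    for now in range(ticks):
        for i in range(flood_per_tick):  # each spoofed SYN looks like a fresh flow
            box.new_flow(("spoofed", now, i), now, completes_handshake=False)
        for i in range(legit_per_tick):
            total += 1
            ok += box.new_flow(("client", now, i), now, completes_handshake=True)
    return ok / total
```

With 200 spoofed SYNs per tick against a 1000-entry table and a 30-tick idle timeout, `legit_success_rate(Box(1000, 30, syn_cookies=False), 200, 60)` serves only about 13% of new clients, while the same call with `syn_cookies=True` serves all of them; the point is that the middlebox, not the host, is the part that falls over.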