Then is not DDOS on a firewall not a form/implementation of stateful inspection and management of protocols? They track traffic/processes/protocols looking for incomplete stateful session setups and perform termination when the state has not been set up/completed correctly, thus relieving pressure/resource demands from the server behind them?

Regards
Robert Cotter

Personal opinion and not one of any other organisation or person.

-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Dobbins, Roland
Sent: Thursday, 25 February 2010 7:04 p.m.
To: nznog
Subject: Re: [nznog] Stateful firewalls

On Feb 25, 2010, at 1:06 PM, Gerard Creamer wrote:

> Has some major thing happened and I missed it in terms of server security, or am I reading your statement incorrectly?

Stateful firewalls make no sense whatsoever in front of servers, since every incoming packet is unsolicited. Instead, the OS should be locked down, as should the apps/services, and policy should be enforced via stateless ACLs in hardware-based routers.
-----------------------------------------------------------------------
Roland Dobbins
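
Added illustration, not part of either message above: a small model that runs the same inbound traffic through a stateless ACL and through a tracker that reaps incomplete session setups, so the two positions in the thread can be compared side by side. The addresses, ports, timeout and all names (`stateless_permit`, `StatefulTracker`, `SAMPLE`) are constructed for this example.

```python
from dataclasses import dataclass

# Constructed policy and addresses (assumptions, not from the thread):
# a web server at 192.0.2.10 that should accept TCP 80 and 443 only.
ACL = {("192.0.2.10", 80), ("192.0.2.10", 443)}

@dataclass(frozen=True)
class Pkt:
    t: float      # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "A" = ACK (inbound direction only)

def stateless_permit(p):
    """Stateless ACL: the verdict depends only on this packet's header."""
    return (p.dst, p.dport) in ACL

class StatefulTracker:
    """Same policy plus a flow table that reaps handshakes never completed."""
    def __init__(self, half_open_timeout=5.0):
        self.timeout, self.table, self.reaped, self.peak = half_open_timeout, {}, 0, 0

    def handle(self, p):
        for key, (state, seen) in list(self.table.items()):
            if state == "SYN_RCVD" and p.t - seen > self.timeout:
                del self.table[key]          # terminate the incomplete setup
                self.reaped += 1
        key = (p.src, p.sport, p.dst, p.dport)
        if not stateless_permit(p):
            return False
        if p.flags == "S":
            self.table[key] = ("SYN_RCVD", p.t)   # every inbound SYN is unsolicited
        elif key in self.table:
            self.table[key] = ("ESTABLISHED", p.t)
        else:
            return False                     # ACK with no tracked flow
        self.peak = max(self.peak, len(self.table))
        return True

C, S = "198.51.100.7", "192.0.2.10"
SAMPLE = [Pkt(0.0, C, 40000, S, 443, "S"), Pkt(0.1, C, 40000, S, 443, "A")]
SAMPLE += [Pkt(0.2 + i / 10, f"203.0.113.{i + 1}", 1111, S, 443, "S") for i in range(3)]
SAMPLE += [Pkt(0.5, C, 40001, S, 22, "S"), Pkt(10.0, C, 40000, S, 443, "A")]

def run(packets):
    fw = StatefulTracker()
    return [stateless_permit(p) for p in packets], [fw.handle(p) for p in packets], fw
```

On this constructed sample both filters reach the same verdict for every packet; the tracker additionally holds one table entry per flow until it completes or is reaped.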