9 Dec 2013, 12:33 p.m.
On Tue, Dec 10, 2013 at 6:11 AM, Dobbins, Roland
Servers really should never be placed behind stateful firewalls - it doesn't actually do any good, it doesn't really make sense (all incoming connections are unsolicited, so there's no state to inspect), and renders them much more vulnerable to DDoS attacks than if the firewalls weren't there.
Technically true. However, an external level of control (stateful firewall because they're common, router ACLs are 'faster' but have fewer tools to help you maintain them) is essential to prevent accidental services being enabled, or a compromised box being able to call out to the network for C&C.

Of course, no-one filters the outbound traffic from their servers, do they? :-(

-jim
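An added illustration, not part of the original thread: a small model of router-ACL-style stateless filtering in front of a server, which blocks both an accidentally enabled service and a server-initiated call-out without keeping any connection table. The published ports, the resolver address and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

PUBLISHED_TCP = {80, 443}                    # assumed: the only services the server should offer
EGRESS_ALLOW = {("udp", "192.0.2.53", 53)}   # assumed resolver (documentation address)

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = towards the server, "out" = from the server
    proto: str
    peer: str                       # remote address
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags carried by this packet

def decide(p: Packet) -> str:
    """Stateless verdict: only the fields of this one packet are consulted."""
    if p.direction == "in":
        if p.proto == "tcp" and p.dport in PUBLISHED_TCP:
            return "permit"         # client traffic to a published service
        if (p.proto, p.peer, p.sport) in EGRESS_ALLOW:
            return "permit"         # reply from the allowed resolver
        return "deny"               # anything else, e.g. an accidentally enabled service
    # Outbound: replies from a published port always carry ACK; a bare SYN
    # means the server itself is opening a connection.
    if p.proto == "tcp" and p.sport in PUBLISHED_TCP and "ACK" in p.flags:
        return "permit"
    if (p.proto, p.peer, p.dport) in EGRESS_ALLOW:
        return "permit"             # explicitly allowed egress (DNS lookups)
    return "deny"                   # default deny for server-initiated traffic

# Constructed sample packets (documentation address ranges only).
SAMPLES = [
    Packet("in", "tcp", "198.51.100.7", 51000, 443, frozenset({"SYN"})),
    Packet("out", "tcp", "198.51.100.7", 443, 51000, frozenset({"SYN", "ACK"})),
    Packet("in", "tcp", "198.51.100.7", 51001, 6379, frozenset({"SYN"})),   # unpublished port
    Packet("out", "tcp", "203.0.113.9", 40000, 443, frozenset({"SYN"})),    # server calls out
    Packet("out", "udp", "192.0.2.53", 40001, 53),
    Packet("out", "tcp", "203.0.113.9", 443, 8443, frozenset({"SYN"})),     # bare SYN from port 443
]

def verdicts():
    return [decide(p) for p in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, verdicts()):
        print(verdict, pkt)
```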