lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 12 May 2011 01:30:32 +0000
From: "Dobbins, Roland" <rdobbins@...or.net>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sony: No firewall and no patches

On May 12, 2011, at 3:49 AM, phocean wrote:

> To go back to my point: an application server (IIS, Apache) cannot sustain as many connections as a firewall (of course in a sane and standard environment).

Sorry, but my operational experience is quite the opposite.  And one generally deploys clusters of servers, in any kind of even semi-important site.

> So you cannot tell that a firewall will increase the risk of DoS.

I can and do tell you that.  I further tell you that enforcing network access policies for servers in stateless ACLs instantiated in ASIC-based routers and layer-3 switches is the way to go.  I tell you this based upon my direct experience working for the largest manufacturer of firewalls in the world, and on my day-to-day operational experience with people calling up and screaming that 'the data center is down' and the proximate cause being a stateful firewall which gave up the ghost to trivial amounts of traffic.

For example, I've seen 80kpps of SYN-flood take down a stateful firewall rated for 2.5gb/sec.

> From what I have seen so far as arguments, I think the discussion is over.

The folks cited on pp. 41 - 42 of the survey in question have reached a different conclusion:

<http://www.eweek.com/index2.php?option=content&task=view&id=66503&pop=1&hide_ads=1&page=0&hide_js=1&catid=45>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@...or.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ