Be careful with that hammer

Over the last few days there’s been an interesting debate on NANOG [1] over the usefulness of firewalls. Although NANOG focuses on much larger networks than I typically look after, the conversation presents some arguments that are interesting, and some that I simply hadn’t considered, because I’ve never been directly on the receiving end of anything you could reasonably call a large attack.

Roland Dobbins makes a very good point, and it’s the main one that hadn’t really twigged in my brain. Servers, by their nature, sit there listening for unsolicited communication. Using a stateful firewall could be considered overkill, provided that you have some degree of control over the hardware in front of the server(s). ACLs are much faster, especially as they’re typically handled in hardware on routers and switches. Combine this with hardened servers [2] and you’re off to a good start.

Although some vendors are now doing stateful filtering in hardware, it’s still likely that the firewall can be made to fall over before the host by exhausting its state table. You can resolve this by making the firewall highly available, but you’re ultimately only postponing the problem and waiting for someone able to launch a bigger attack. You’re now in a hardware and cash race.
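To make the two preceding points concrete, here is a small model I have added to the post (it is not from the NANOG thread or any vendor): a stateless, router-style ACL that evaluates each packet against fixed rules and keeps nothing, beside a stateful tracker with a bounded connection table. All addresses are constructed from the RFC 5737 documentation ranges, the table size is an assumption, and the rules are illustrative rather than any real device’s configuration.

```python
"""Toy model of the trade-off discussed above: a stateless ACL costs the same
for every packet and remembers nothing, while a stateful firewall must hold
a table entry per connection, and that table is finite. Constructed example,
not the configuration of any real router or firewall."""
from dataclasses import dataclass

SERVER = "203.0.113.10"      # constructed: the protected web server
MGMT_NET = "192.0.2."        # constructed: management prefix allowed to SSH


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset         # subset of {"SYN", "ACK", "RST"}


def acl_permits(pkt: Packet) -> bool:
    """Stateless ACL: ordered rules, first match wins, implicit deny at the end.
    Nothing is stored between packets, so cost per packet is constant."""
    # permit tcp any host SERVER eq 80
    if pkt.dst == SERVER and pkt.dport == 80:
        return True
    # permit tcp MGMT_NET host SERVER eq 22
    if pkt.dst == SERVER and pkt.dport == 22 and pkt.src.startswith(MGMT_NET):
        return True
    # permit tcp any host SERVER established
    # "established" in the classic router sense means ACK or RST is set; this
    # lets return traffic for the server's own outbound connections in
    # without the router tracking any connection state.
    if pkt.dst == SERVER and pkt.flags & {"ACK", "RST"}:
        return True
    return False             # implicit deny


class StatefulFirewall:
    """Minimal connection tracker with a bounded state table. Real products
    add timers, SYN cookies and similar defences; the point modelled here is
    only that each new connection consumes memory and the table is finite."""

    def __init__(self, max_states: int):
        self.max_states = max_states
        self.states = set()                 # (src, dst, dport) keys
        self.dropped_for_capacity = 0

    def permits(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.states:              # packet belongs to a known flow
            return True
        is_new_conn = pkt.flags == frozenset({"SYN"})
        if is_new_conn and pkt.dst == SERVER and pkt.dport == 80:
            if len(self.states) >= self.max_states:
                self.dropped_for_capacity += 1   # table full: refuse new flow
                return False
            self.states.add(key)
            return True
        return False                        # unknown non-SYN segment


def synthetic_source(i: int) -> str:
    """Constructed, distinct source address for the i-th unsolicited SYN."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


def compare(unsolicited: int, table_size: int) -> dict:
    """Feed the same half-open SYNs to both filters, then one legitimate
    client SYN to port 80, and report what each filter does with it."""
    fw = StatefulFirewall(table_size)
    for i in range(unsolicited):
        pkt = Packet(synthetic_source(i), SERVER, 80, frozenset({"SYN"}))
        acl_permits(pkt)     # evaluated and immediately forgotten
        fw.permits(pkt)      # each new source occupies a table slot
    legit = Packet("192.0.2.77", SERVER, 80, frozenset({"SYN"}))
    return {
        "acl_permits_legit": acl_permits(legit),
        "firewall_permits_legit": fw.permits(legit),
        "states_held": len(fw.states),
        "dropped_for_capacity": fw.dropped_for_capacity,
    }


if __name__ == "__main__":
    print(compare(unsolicited=1000, table_size=500))
```

With 1,000 unsolicited half-open connections and a 500-entry table, the ACL still passes the legitimate client’s SYN while the stateful model refuses it: the filter in front of the host, not the host, is what ran out of room. The trade-off cuts the other way too: the stateless “established” rule admits any ACK-flagged segment to any port on the server, which is exactly why it only works in combination with the hardened host described in [2], where nothing is listening on those ports anyway.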

When this happens you’re probably at the point of being worried by large attacks: you’re a big target (such as Facebook or Twitter), or you’re a service provider. In those circumstances, detecting potential attacks and null routing the traffic, or forcing it through a scrubbing mechanism, becomes genuinely useful. Fortunately for those of us at the much smaller end of things, these generally aren’t things we need to worry about (although I’d seriously love to set it up and play with it on real hardware [3]), and they’re something we can run to the service provider about.

At the end of the day, we small guys and girls can only go so far. Our domain of control is much, much smaller. If you’re renting very small quantities of servers you may well not have access to the hardware in front of your box(es) to implement some lovely hardware-based ACLs (although 1and1 did provide this feature last time I had servers with them). For those of us in this situation there really isn’t much of an option if you want some form of control over what hits your box(es).

Ultimately I’m not advocating for the stateful firewall to go away. Hopefully that’s clear. They’ve definitely got their uses, such as protecting a gaggle of clients, and perhaps single servers. All I’m trying to say is that you don’t always need a sledgehammer; sometimes a tack hammer will do. Just make sure that the little tack hammer is more prominent in your mental toolbox!

I’ll certainly be thinking a lot more carefully when it comes to all of the technical decisions over the next few months. After all, you never know - there could be all sorts of really elegant solutions that you’ve been dismissing.

[1] It all started with “D/DoS mitigation hardware/software needed” and is currently continuing under “I don’t need no stinking firewall!”.

[2] Really: turn off anything you don’t need on external-facing interfaces, like NetBIOS and Windows networking. Bind servers to the interfaces or addresses they need. Don’t be lazy.

[3] Let’s be honest, virtual labs just aren’t as fun.