[AusNOG] web App firewalls.

Pinkerton, Eric Eric.Pinkerton at team.telstra.com
Fri May 28 09:36:27 EST 2010


I hear what you are saying, and I think we may be arguing semantics because my reading of the term 'Stateful Firewall' in this day and age is that of a device that offers much more than a state table, and can even be configured to ignore state if so desired.

To clarify, I simply believe there is in some circumstances a place for a device that can amongst other things and where practical/appropriate inspect traffic up to layer 7.

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Thursday, 27 May 2010 5:07 PM
To: ausnog at ausnog.net
Subject: Re: [AusNOG] web App firewalls.


On May 27, 2010, at 1:35 PM, Pinkerton, Eric wrote:

> IMHO The attached Presentation (and I realise that this isn't your work) represents at best a blinkered view of security appropriate to a particular environment.


Actually, it represents the consensus of the global Internet operational security community - note that there are no stateful firewalls in front of any of the well-known Web sites a) you regularly visit and b) which exhibit little or no downtime.  However, one often finds stateful firewalls in front of Web sites which exhibit a high degree of downtime.

;>

Stateful inspection in front of servers, where *by definition, every connection is unsolicited, and there is therefore no state to track in the first place*, makes no sense.

There simply isn't a rational case to be made for inserting a stateful firewall in front of any client-facing server anywhere, anytime, under any circumstances.  Stateful firewalls in front of servers mitigate no risks which can't be more easily and appropriately mitigated by other means, while greatly expanding both vulnerability to DDoS as well as the exploit attack surface via poorly-written 'inspectors', which are regularly found to have compromise-level vulnerabilities as evidenced by the ongoing security vulnerability notices associated with said stateful firewalls.

Server security is a function of architecture, of policy, of hardening the OS, of hardening the apps/services running on said OS, and enforcing network access policy via stateless ACLs in router/layer-3 switch hardware.  Stateful firewalls contribute nothing to server security policy, and actively detract from it.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
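The point Roland makes about state tables in front of servers can be shown with a small model. The following Python is an added illustration, not code from either poster or from the attached presentation: it compares a stateless ACL (a decision taken from the packet header alone, as a router or layer-3 switch would apply it) with a minimal stateful inspector that must create a state-table entry for every new connection. The server address, permitted ports, table size and all packets are constructed sample values.

```python
"""
Added illustration (not part of the AusNOG thread): a toy model contrasting a
stateless ACL with a stateful firewall that keeps a bounded state table, both
placed in front of a client-facing server. All addresses, ports and packets
are constructed sample data, not values from the thread.
"""
from collections import namedtuple

# flags is a set of TCP flag names, e.g. {"SYN"} or {"SYN", "ACK"}
Packet = namedtuple("Packet", "src dst dport flags")

# Constructed server address and permitted service ports (assumptions).
SERVER = "203.0.113.10"
ALLOWED_PORTS = {80, 443}


def stateless_acl(pkt):
    """Stateless ACL as router/L3-switch hardware evaluates it: the verdict
    depends only on the header of this packet. Nothing is remembered between
    packets, so there is no table that a flood of new connections can fill."""
    return pkt.dst == SERVER and pkt.dport in ALLOWED_PORTS


class StatefulFirewall:
    """Minimal stateful inspection: a new flow is admitted only if an entry can
    be created in the state table. The bound models the finite memory every
    real stateful device has."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = {}  # (src, dst, dport) -> "SYN_SEEN" or "ESTABLISHED"

    def admit(self, pkt):
        if pkt.dst != SERVER or pkt.dport not in ALLOWED_PORTS:
            return False
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.table:
            if "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return True
        if "SYN" in pkt.flags and len(self.table) < self.max_entries:
            self.table[key] = "SYN_SEEN"  # half-open entry consumes a slot
            return True
        # Table full, or a non-SYN packet with no prior state: drop.
        return False


def run_trial(spoofed_syns, max_entries=1000):
    """Deliver `spoofed_syns` half-open SYNs from distinct forged sources, then
    one SYN from a legitimate client. Returns (stateless_verdict,
    stateful_verdict) for the legitimate client's SYN."""
    fw = StatefulFirewall(max_entries)
    for i in range(spoofed_syns):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # constructed
        fw.admit(Packet(src, SERVER, 443, {"SYN"}))
    legit = Packet("192.0.2.7", SERVER, 443, {"SYN"})  # constructed client
    return stateless_acl(legit), fw.admit(legit)


def acl_examples():
    """A few header-only verdicts from the stateless ACL on constructed packets."""
    return {
        "https_syn": stateless_acl(Packet("192.0.2.7", SERVER, 443, {"SYN"})),
        "ssh_syn": stateless_acl(Packet("192.0.2.7", SERVER, 22, {"SYN"})),
        "http_ack_only": stateless_acl(Packet("192.0.2.7", SERVER, 80, {"ACK"})),
    }


if __name__ == "__main__":
    print("ACL verdicts:", acl_examples())
    print("100 spoofed SYNs, table of 1000:", run_trial(100))
    print("5000 spoofed SYNs, table of 1000:", run_trial(5000))
```

With fewer half-open entries than the table holds, both devices admit the legitimate client; once the forged SYNs exceed the table size the stateful device drops the legitimate SYN while the stateless ACL, which never consults a table, still passes it. The same ACL still denies traffic to a port the policy does not list, which is the access-policy role Roland assigns to stateless ACLs in router hardware.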


