[AusNOG] web App firewalls.
Adrian Chadd
adrian at creative.net.au
Fri May 28 11:23:17 EST 2010
On Fri, May 28, 2010, Pinkerton, Eric wrote:
> I hear what you are saying, and I think we may be arguing semantics because my reading of the term 'Statefull Firewall' in this day and age, is that of a device that offers much more than a state table, and can even be configured to ignore state if so desired.
>
> To clarify, I simply believe there is in some circumstances a place for a device that can amongst other things and where practical/appropriate inspect traffic up to layer 7.
And the netops people are pushing back on this idea - these devices tend
to have limitations in their behaviour under specific conditions. Whether
that's load, or a hard limit on number of flows/sessions, or a bunch of
other things - the problem is, a lot of these stateful inspection devices
do have those issues.
The right thing at this point would be to say "But device X doesn't have
these issues" and provide a counter example to their current theory.
In this instance, a single counter example won't change minds but it'll
certainly provide for a more constructive discussion. :)
Adrian
(Note: I'd personally be curious to know if there's any way to DDoS
the L7 inspection devices ISPs may be using on their customer traffic.
>From the customer side, rather than from the internets side.)
More information about the AusNOG
mailing list