Re: [fw-wiz] SYN flood protection strategies (Was: Post connection SYN)

From: Chuck Swiger (chuck_at_codefab.com)
Date: 10/17/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 17 Oct 2003 13:28:29 -0400
    
    

    On Friday, October 17, 2003, at 01:19 PM, Paul Robertson wrote:
    > On Fri, 17 Oct 2003, Chuck Swiger wrote:
    >> Handling SYN floods at the firewall lets you conserve internal LAN
    >> bandwidth even if your Internet pipe(s) are still going to suffer.
    >
    > That would imply that you're letting external traffic hit your internal
    > LAN, instead of servers on the DMZ. I figured that particular lesson
    > was learned a good decade ago?

    My use of the word "LAN" wasn't meant to reflect a particular network
    topology but local network cabling versus long-distance: if you've got
    three or four machines sitting in a cage in a hosting facility, there
    may not be a meaningful distinction between "DMZ" versus "internal
    LAN". If those machines need to talk to some backend application, such
    as a database, certainly it's better to do something like multihome
    them and have separate subnets for Internet-bound traffic versus
    internal, and maybe others for out-of-band management via a terminal
    server for serial console access and backup traffic.

    [ I've gotten a lot of mileage out of things like Sun's
    quad-fast-ethernet NICs configured pretty much as described here, but
    YMMV. ]

    For the circumstances of a company with end-user workstations which
    also locally hosts their own mail, web, or other services, Paul is of
    course right-- what E. Zwicky calls a "screened subnet architecture"
    is a much better design for security.

    How many people have learned that lesson is another issue entirely,
    unfortunately.

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
