Re: [fw-wiz] Firewalls that generate new packets..




No offense, but both of you are wrong.
Properly configured, a simple firewall
CAN prevent most DOS attacks.

Check out this SANS bulletin on
"Defeating DDOS". Yes, that is my
name in the credits. Special task
force back in 2000. Sigh, and still
people don't know that you can use
a simple firewall to defeat most
DOS attacks... as long as you are
protecting the world from YOUR
network.

Yes, that sigh of mine was ironic
and facetious ;-) Here's a
hankie to wipe that egg off
your face....

http://www.sans.org/dosstep/index.php?portal=fa88d69a3aede10976f8f2dc977d796e


--p


Darren Reed said:

> Marcus J. Ranum wrote:
>
>> Let's take MITM and DOS off the table. No firewall will
>> protect you against either of those.
>
> Understanding what DOS is appears to be a problem for a
> *lot* of people. Lots of people seem to fail to understand
> what the real problem is - the saturation of your network
> (connection) with packets that you don't want anything to
> do with at a point at which you've got no control over.
>
> What's more, people seem to think that you can just filter
> out DOS attacks. Will someone please give me a cricket
> bat (or baseball bat) so I can apply some proper instruction?
> *sigh*
>
> As Marcus said, no firewall, be it stateless, stateful, proxy,
> or otherwise can help you against DOS.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


