Firewalls Make DDoS Attacks Worse
jfruhlinger writes "Firewalls are an important part of any network setup — but if you put them in front of your Web servers, they become a single point of failure in the event of a DDoS attack. "Folks do it because they have been programmed to do it," says one security expert, but he urges you to avoid this setup at all costs."
Long on Rhetoric (Score:5, Insightful)
Short on specifics.
Arbor Networks (Score:5, Insightful)
Arbor Networks, the people who did this "study", sell DDoS solutions. Of course they're going to say that anything you do other than pay them to provide your solution is a bad idea.
Yeah, poorly configured and managed firewalls can't handle a big DDoS attack. Duh, neither could a poorly configured server of any kind (eg. web server or whatever).
Nothing to see here.
We're not always programmed... (Score:4, Insightful)
We're forced to deploy "legacy" network firewalls by standards (such as the PCI DSS) or regulations (such as MA 201CMR1700). If you are confronted with an auditor without imagination your compensating controls are misunderstood and findings ensue.
Would you rather (Score:5, Insightful)
Flawed logic (Score:5, Insightful)
Also don't build taller walls, because it just encourages attackers to bring taller ladders.
Re:Long on Rhetoric (Score:5, Insightful)
Looks like it. Single point of failure in a DDoS? If they choke your inbound pipe (the very definition of a DDoS...) having it on a DMZ or unprotected will not help prevent things from crushing your connectivity. In many cases, the Firewall can actually handle higher transaction traffic than the webserver can. If you're doing a load-balanced setup, he might be right, but that's not the premise he apparently led with.
Re:Bad headline, too vague (Score:5, Insightful)
The article says that poorly deployed firewalls and IPS systems create a single point of failure.
So do poorly deployed network cables, or poorly deployed almost anything that hosts rely on to handle all their traffic (power solutions, switches, etc). By the definition of what a firewall is supposed to accomplish, a poorly deployed one obviously creates a lot of problems or provides little protection.
Also, water is wet.
Re:Long on Rhetoric (Score:0, Insightful)
So basically what you're saying is that you have not the slightest clue how the internet, firewalls or networks in general work. And you seem to think that a port is somehow a physical thing.
Re:Long on Rhetoric (Score:4, Insightful)