Roland Dobbins' presentation at the recent Australian Network Operators Group 03 (AusNOG-03) summit was about the ineffectiveness of firewalls in the cloud computing environment. Unfortunately I was not there to hear it, nor at the follow-up where he re-presented it to my colleagues at the office. Fortunately I've had an opportunity to hear, at least second hand, what he had to say, as well as obtain a copy of his slide deck.
His talk was on the RoK/USA DDoS attacks; however, the main point of the talk was not to use firewalls in front of internet-facing applications. Apparently this was received with many a *gasp*, and for a couple of days it was a hot topic of conversation in the office.
The argument goes something like this:
Firewalls, above and beyond listing what is and is not permitted, maintain state in order to ensure that the return packet is valid. This is well and good when you have a user trying to get access to a server on the other side of the firewall, say in a corporate environment:
- User sends the request out,
- the firewall checks that the session is permitted,
- adds it to the state table and forwards the packet on.
When the return packet from the server comes back:
- The firewall sees that there is an entry for it in the state table and
- allows the return packet back to the client.
No sessions are allowed in to the client that are unsolicited. That is to say, only return traffic is allowed where the client was the one to initiate the connection.
So in a web server environment, where by definition all connections are unsolicited, does a firewall really have a place? Roland's argument was that it does not: firewalls cause bottlenecks and crumble under a DDoS much faster than the web servers behind them. Statistics were provided backing up his claim, and from personal experience it is very true. His solution: do stateless filtering at the edge, on your router, through the use of Access Control Lists (ACLs).
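The difference between the two approaches comes down to memory: a stateful firewall has to record every permitted flow in a finite table, so a flood of new connection attempts fills that table and locks out legitimate clients, while a router ACL judges each packet on its header alone and has nothing to exhaust. The toy model below is an added example, not code from the post or from Roland's slides; the device classes, packet layout, table size and the flood traffic are all constructed here for illustration.

```python
"""Toy model of a stateful firewall versus a stateless router ACL in front
of a web server. Added illustration; all addresses and traffic are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Permits inbound traffic to `allowed_ports` and records each new flow
    in a state table of fixed size, so that return traffic can be matched
    against it. Once the table is full, new flows are dropped regardless of
    who sent them (the failure mode the post describes)."""

    def __init__(self, allowed_ports, table_size):
        self.allowed = set(allowed_ports)
        self.table_size = table_size
        self.table = set()
        self.table_full_drops = 0

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return True  # known flow: pass without re-evaluating the policy
        if pkt.dport not in self.allowed:
            return False
        if len(self.table) >= self.table_size:
            self.table_full_drops += 1
            return False  # table exhausted: a legitimate client is refused too
        self.table.add(key)
        return True


class StatelessAcl:
    """A router ACL: every packet is judged on its own header, nothing is
    remembered between packets, so there is no table to fill."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def inbound(self, pkt):
        return pkt.dport in self.allowed


def flood(n):
    """Constructed sample traffic: n connection attempts to the web server,
    each from a distinct source port so every one looks like a new flow."""
    return [Packet(f"198.51.100.{i % 250 + 1}", 1024 + i, "203.0.113.10", 80)
            for i in range(n)]


def legit_client_gets_through(device, flood_size):
    """Run the flood through `device`, then ask whether one ordinary client
    making a fresh request afterwards is admitted."""
    for pkt in flood(flood_size):
        device.inbound(pkt)
    legit = Packet("192.0.2.7", 40000, "203.0.113.10", 80)
    return device.inbound(legit)


if __name__ == "__main__":
    fw = StatefulFirewall([80, 443], table_size=1000)
    acl = StatelessAcl([80, 443])
    print("stateful firewall admits client:", legit_client_gets_through(fw, 5000))
    print("dropped for full table:", fw.table_full_drops)
    print("stateless ACL admits client:", legit_client_gets_through(acl, 5000))
```

With a 1000-entry table and a 5000-packet flood the firewall refuses the legitimate client, and every packet past the first thousand is a table-full drop, while the ACL admits the client and blocks only ports the policy never allowed. The model deliberately ignores table ageing and timeouts; a real firewall expires idle entries, which pushes the tipping point out but does not remove it.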
For those of you who have to pick yourselves up off the floor, do so and take a minute to think about it. Now ask yourself: is it valid, and if so, why? Is it valid in all instances? My own personal take is that it is definitely a valid stance, but not in all situations. I've seen first hand how the session limit of a firewall, even a big one, can cause it to fall over under normal load if the servers behind it are getting hit a lot, let alone when they are the target of a DDoS.
The security mantra of defense in depth is something that Roland Dobbins subscribes to, and "no firewalls" (for front-end web servers) is only one aspect of the overall picture he is trying to paint here. I believe that the big take-home message is to ask yourself "why are you doing what you are doing when implementing a security measure?" and "what do you hope to achieve by it?", but most importantly to understand its limitations. Too often we fall into the habit of doing something because that is just the way it's always been done.
So when looking at your internet facing services, remember to take a holistic approach to your security measures.