State or No State?
Imagine your network is under attack from a massive volume of spoofed HTTP traffic. This might, for example, be traffic trying to reach your main Internet web server using random source IP addresses, with small packets arriving at a high rate.
Another common attack scenario consists of sending a large number of Internet Control Message Protocol (ICMP) packets. The last thing you want in these attack cases is to fill the connection table of the perimeter firewall.
Both scenarios highlight a characteristic common to virtually all firewalls: They maintain state—state for connections. Maintaining connection state isn’t a desirable feature in these cases, because stateful devices have a limit in terms of the concurrent connections they can handle. Once the connection table is full, genuine, legitimate traffic is denied as collateral damage. This condition is known as denial of service (DoS). This is where firewalls lose a point against stateless devices, such as switches processing ACLs. Therefore, ACLs lend themselves well to prefirewall perimeter filtering or to protecting the infrastructure itself. At the end of the day, choosing between a firewall and an access list isn’t always necessary; they complement each other.
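To make the connection-table argument concrete, here is a small simulation, added here and not part of the original text: a stateful firewall with a fixed-size flow table, with and without a stateless ACL in front of it. The web server address, table size and traffic mix are constructed for the example; the ACL drops ICMP and bogon-sourced packets before they consume firewall state, but it cannot tell a well-formed spoofed HTTP packet from a real one, which is why the two devices complement rather than replace each other.

```python
"""Stateful connection table exhaustion vs. a stateless pre-filter ACL (constructed data)."""
import ipaddress
import random

WEB_SERVER = "203.0.113.10"   # assumed web server address (documentation range)
# Prefixes that are never valid Internet source addresses; a stateless edge ACL can
# drop them unconditionally (private, loopback, multicast and reserved space).
BOGON_SOURCES = [ipaddress.ip_network(p) for p in
                 ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "224.0.0.0/3")]

def stateless_acl(pkt):
    """Per-packet decision with no memory: deny ICMP, deny bogon sources,
    permit only TCP/80 to the web server. Models an inbound ACL on the edge switch."""
    src, dst, proto, dport = pkt
    if proto == "icmp":
        return False
    if any(ipaddress.ip_address(src) in net for net in BOGON_SOURCES):
        return False
    return proto == "tcp" and dst == WEB_SERVER and dport == 80

class StatefulFirewall:
    """Keeps one entry per flow; once the table is full, every new flow is refused."""
    def __init__(self, table_size):
        self.table_size, self.table = table_size, set()

    def forward(self, pkt):
        if pkt in self.table:
            return True
        if len(self.table) >= self.table_size:
            return False          # legitimate or not, a new flow is dropped here
        self.table.add(pkt)
        return True

def random_ip(rng):
    return str(ipaddress.IPv4Address(rng.getrandbits(32)))

def build_traffic(seed=1, icmp_flood=2000, http_flood=300, legit=50):
    """Constructed traffic: an ICMP flood, spoofed-source TCP/80 packets, then real clients."""
    rng = random.Random(seed)
    flood = [(random_ip(rng), WEB_SERVER, "icmp", 0) for _ in range(icmp_flood)]
    flood += [(random_ip(rng), WEB_SERVER, "tcp", 80) for _ in range(http_flood)]
    clients = [(f"198.51.100.{i}", WEB_SERVER, "tcp", 80) for i in range(1, legit + 1)]
    return flood, clients

def legit_passed(table_size=1000, acl=None):
    """Number of legitimate client flows admitted after the flood has filled the table."""
    fw = StatefulFirewall(table_size)
    flood, clients = build_traffic()
    for pkt in flood:
        if acl is None or acl(pkt):
            fw.forward(pkt)       # every flood packet the ACL lets through costs an entry
    return sum(1 for pkt in clients if (acl is None or acl(pkt)) and fw.forward(pkt))
```

With a 1000-entry table the 2300-packet flood alone locks every real client out; with the ACL in front, the ICMP flood and bogon sources never reach the firewall and all 50 clients get through.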