Even if one could magically configure a stateful firewall to be invulnerable to state table exhaustion attacks, it still serves no purpose. When you're fronting a server farm, the point is to allow access to the site on the correct ports. Stateless ACLs in hardware do that, and function at millions of packets per second. Stateful firewalls start dying at a fraction of theoretical throughput when faced with an attack that specifically targets the state table. There are no network state attacks against web services that aren't better handled on the servers. The place for stateful firewalls is in front of clients, where you want to disallow packets that aren't part of a conversation started from the inside.
STATEFUL firewalls are the problem. It makes no sense to put stateful firewalls in front of server farms. Any mechanism that tracks state is a DDoS intensifier. If you're running services on ports 80 and 443, put stateless ACLs on the edge routers, running in hardware, that are capable of line rate. That protects you against traffic on inappropriate ports without creating a stateful DDoS vector.
If you need to mitigate application-layer attacks, do it on the servers with something like mod_security. That way you can distribute the attack across the server farm instead of running a stateful choke point that risks bringing your whole site down.
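As an added example that is not part of any of the comments above: a small Python model of the two designs being contrasted, a stateless port ACL and a stateful per-flow filter with a fixed-size state table, replayed against a constructed SYN flood from spoofed sources followed by constructed legitimate handshakes. The server address, table size and all traffic are hypothetical; real firewalls age out half-open entries and may SYN-proxy, which this toy model omits on purpose so the state-exhaustion effect is visible.

```python
"""Stateful firewall vs stateless ACL under a spoofed SYN flood (added example).

Toy model: a stateful filter keeps one entry per flow in a fixed-size table;
a stateless ACL just checks the destination port. A flood of SYNs from spoofed
sources that never complete the handshake fills the table with half-open
entries, after which the stateful filter refuses legitimate new connections.
The stateless ACL forwards the flood to the servers, which must absorb it
themselves (SYN cookies, backlog tuning), but it never refuses a legitimate
client. All addresses and the table size are hypothetical; real firewalls age
out half-open entries and may SYN-proxy, which this model deliberately omits.
"""
from dataclasses import dataclass

SERVER = "203.0.113.10"          # hypothetical web server (TEST-NET-3)
ALLOWED_PORTS = {80, 443}        # the only ports the farm serves


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def stateless_acl(pkt: Packet) -> bool:
    """Line-rate style ACL: permit anything to the web ports, deny the rest.
    It keeps no memory, so nothing an attacker sends can exhaust it."""
    return pkt.dst == SERVER and pkt.dport in ALLOWED_PORTS


class StatefulFirewall:
    """Per-flow state table with a hard capacity (the DDoS intensifier)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table = {}           # (src, sport, dst, dport) -> flow state

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            # Packet belongs to a known flow: let it through, promote state.
            if pkt.ack and not pkt.syn:
                self.table[key] = "ESTABLISHED"
            return True
        if pkt.syn and not pkt.ack and stateless_acl(pkt):
            # New connection attempt to an allowed port needs a table slot.
            if len(self.table) >= self.capacity:
                return False      # table exhausted: a legitimate SYN is refused
            self.table[key] = "SYN_RECV"
            return True
        return False              # no state and not a valid opener: drop


def run_scenario(flood_size: int, table_capacity: int, legit_clients: int) -> dict:
    """Replay a constructed flood, then constructed legitimate handshakes,
    through both filters and count what each forwarded."""
    fw = StatefulFirewall(table_capacity)
    out = {name: {"flood_forwarded": 0, "legit_served": 0}
           for name in ("stateless", "stateful")}

    # Phase 1: spoofed SYNs, one unique (src, sport) per packet, never answered.
    for i in range(flood_size):
        syn = Packet(f"198.51.100.{i % 254 + 1}", 1024 + i, SERVER, 80, True, False)
        out["stateless"]["flood_forwarded"] += int(stateless_acl(syn))
        out["stateful"]["flood_forwarded"] += int(fw.filter(syn))

    # Phase 2: real clients send SYN, then the ACK that completes the handshake.
    for j in range(legit_clients):
        src, sport = f"192.0.2.{j % 254 + 1}", 40000 + j
        syn = Packet(src, sport, SERVER, 443, True, False)
        ack = Packet(src, sport, SERVER, 443, False, True)
        if stateless_acl(syn) and stateless_acl(ack):
            out["stateless"]["legit_served"] += 1
        if fw.filter(syn) and fw.filter(ack):
            out["stateful"]["legit_served"] += 1
    return out


if __name__ == "__main__":
    # 5000 spoofed SYNs against a 1000-entry table, then 100 real clients.
    print(run_scenario(flood_size=5000, table_capacity=1000, legit_clients=100))
```

Run it and the stateless ACL forwards all 5000 flood SYNs (the servers have to deal with them) but serves every one of the 100 real clients, while the stateful filter absorbs the first 1000 flood SYNs into its table and then serves none of the real clients. The same `StatefulFirewall` does drop an unsolicited ACK with no matching state, which is the behaviour you want in front of clients, not in front of a server farm.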
I am a long-time search and rescue technician in Colorado. I got my ham license expressly for SAR work. The short answer is that amateur radio works great in some locations; not at all in others. We use a combination of emergency services radios, amateur radio, and cell phones. We have satellite phones available but I don't recall ever using them.
Personally, I would recommend a SPOT beacon. The newer ones allow you to signal a 911-level emergency, a non-emergent help signal, or an OK signal, along with GPS coordinates. They are lighter than ham HTs and will work in more locations.
If one is hypothesizing about a real Batman, you have to include superior genetics and near-infinite financial resources.
Batman would start training at a young age with top level mixed-martial arts and wrestling coaches, then go through a world-class prep-school education, spending his summers at MMA camps and firearms programs. He'd go through an elite undergraduate education, double majoring in something like engineering physics and economics. Through prep school and college he'd be traveling extensively, picking up languages and training with MMA, kickboxing, judo, and wrestling coaches all over the world.
After college he'd spend 4-6 years in a top-level military special operations unit, gaining real-world experience in violence, emergency medicine, demolitions, covert operations, etc.
By the time he's done with this he'll be approaching 30, and he'll have the connections, wealth, and knowledge to pick up additional skills he might need in the private sector, possibly through private tutoring or formal education programs. He'll still be in top physical condition. After a year or two of fine-tuning, he'll be ready to start wiping out villains anywhere.
This is basically what NAT-PT (RFC 2766 http://www.ietf.org/rfc/rfc2766.txt) does. Unfortunately the IETF deprecated NAT-PT without offering a replacement, although Cisco and other vendors continue to offer the feature in their code.
NAT doesn't add security just because it's NAT. The reason NAT adds security is that it is most often used to create state by multiplexing many sessions onto a single IP address (a process also known as PAT, overloaded NAT, etc.). An IPv6 firewall also creates state, but preserves transparency of addressing. IPv6 firewalls provide essentially the same security services we see in IPv4 firewalls, although the ruleset may need to be slightly different.
The reason people think IPv6 adds security goes back to the now-ancient requirement that IPv6 stacks provide native support for IPSec. It doesn't say that IPv6 sessions have to *use* IPSec, just that they support it. Since IPSec is now well-supported in IPv4, the supposed better security of IPv6 is mostly mythical.
However, none of this changes the fact that the rate of IPv4 address assignment is growing exponentially, and IPv4 resources are in short supply. At some point the price of a new IPv4 address block will surpass the price of IPv6 implementation. Whether that will be accompanied by chaos remains to be seen.
As a CCIE who's been around a LOT of people studying for and getting the CCNA and CCNP certifications, here's my take: if you REALLY study for the CCNA and understand what you're learning before you take the exam, it serves as a superb foundation for the basics of network engineering. The material, particularly in the latest revisions, is really at the core of what you need to know. If you are looking to get a junior-level network engineering or NOC job and you really understand CCNA level material inside and out, it's going to help a lot.
The problem is that it is indeed possible to pass the CCNA and even CCNP level exams without understanding the material. I know one guy who got his CCNP by studying everything backwards and forwards, and he's quite good at intermediate-to-advanced network implementation and troubleshooting--because he understands the material. I know another guy who has a whole boatload of certifications (everything except CCIE, it seems like), but he has trouble configuring (and understanding) static routes or dot1q trunks, because he took the minimal effort, braindump path.
I think the value of networking certifications for honest, curious people is to test your knowledge of stuff you should know anyway, and to gauge your breadth and depth in your areas of expertise.
There is (or at least used to be) an http://ipv6.google.com/
Lots of other modern protocol numbers are in use: OSPF, EIGRP, IGMP, AH, GRE, ESP. All of which are pretty important...