Mornin'!
Marcus J. Ranum wrote:
> >I mean, I'm running an ISP here, so I don't read the log
> >entries for every blocked packet, but we _do_ monitor
> >all customers' lines with MRTG and _of_course_ all the
> >routers are configured to do unicast reverse path verification.
> >Hasn't brought the backbone to a crawl yet ;-)
>
> Whoah - a Networking Guy who Gets It! Hey, cool!
But ... I'm doing it at the other side of the political
border!
For small businesses I'm still guilty of implementing NAT
gateways that allow "everything out" since these customers
aren't able to state what they want to allow. "Everything
should work" - "OK".
Then I put down my "consultant" hat and put on my
"ISP technical director" hat and implement
egress filters on _my_ routers.
For anything bigger and more security aware than the mentioned small
businesses we strongly recommend ALG based firewalls anyway - Ooops!
Egress filtering for free! Magic! ;-)
Regards,
Patrick M. Hausen
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 05 2004
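The source-address check the post describes (unicast reverse path verification on customer-facing routers, i.e. egress filtering done by the ISP rather than the customer), as an added illustration that is not code from the list or from punkt.de. The interface-to-prefix table and the sample packets are constructed for the example; it shows both strict mode, which the post refers to, and loose mode, to make clear why strict is the one that stops a customer spoofing another customer's addresses.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed, hypothetical mapping of customer prefixes to the router
# interface they are routed through (not any real ISP's data).
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "eth1": ["192.0.2.0/24"],
    "eth2": ["198.51.100.0/25", "2001:db8:1::/48"],
}

def build_tables(assignments: Dict[str, List[str]]):
    """Parse the prefix strings once into network objects per interface."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assignments.items()}

def source_is_routed_via(src: str, ifname: str, tables) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in tables.get(ifname, []))

def source_is_routed_anywhere(src: str, tables) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for nets in tables.values() for net in nets)

def urpf_verdict(ifname: str, src: str, tables, mode: str = "strict") -> str:
    """'pass' or 'drop' for a packet with source src arriving on ifname.
    strict: the source must belong to a prefix routed back out the SAME
            interface (what the post's routers do).
    loose:  the source only has to be routed somewhere; catches bogus
            sources but not one customer spoofing another customer's space."""
    if mode == "strict":
        ok = source_is_routed_via(src, ifname, tables)
    elif mode == "loose":
        ok = source_is_routed_anywhere(src, tables)
    else:
        raise ValueError("mode must be 'strict' or 'loose'")
    return "pass" if ok else "drop"

def filter_packets(packets: List[Tuple[str, str]], tables, mode: str = "strict"):
    return [(ifname, src, urpf_verdict(ifname, src, tables, mode))
            for ifname, src in packets]

# Constructed sample packets: (ingress interface, source address)
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10"),      # legitimate customer traffic
    ("eth1", "198.51.100.7"),    # customer on eth1 spoofing eth2's space
    ("eth2", "203.0.113.5"),     # source not assigned to anyone
    ("eth2", "2001:db8:1::42"),  # legitimate IPv6 traffic
]

if __name__ == "__main__":
    tables = build_tables(CUSTOMER_PREFIXES)
    for mode in ("strict", "loose"):
        for ifname, src, verdict in filter_packets(SAMPLE_PACKETS, tables, mode):
            print(f"{mode:6} {ifname} {src:>16} -> {verdict}")
```

In strict mode the spoofed packet on eth1 is dropped; in loose mode it passes, which is the gap the post's "everything out" NAT gateways leave and the ISP-side filter closes.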