Home page logo

nanog logo nanog mailing list archives

Re: Firewalls in service provider environments
From: William Herrin <bill () herrin us>
Date: Tue, 7 Feb 2012 17:22:38 -0500

On Tue, Feb 7, 2012 at 4:31 PM, Matthew Reath <matt () mattreath com> wrote:
Looking for some recommendations on firewall placement in service provider
environments.  I'm of the school of thought that in my SP network I do as
little firewalling/packet filtering as possible. As in none, leave that to
my end users or offer a "managed" firewall solution where if a customer
signs up for the extra service I put him in a VRF or VLAN that is "behind"
a firewall and manage that solution for them. Otherwise I don't prefer to
have a firewall inline in my service provider network for all customer
traffic to go through. I can accomplish filtering of known bad ports on my
edge routers either facing my customers or upstream providers.

What is the group's thought on this?

Hi Matthew,

It Depends.

High end business customers (of the BGP speaking variety) generally
appreciate having a remote triggered black hole facility. That's a
kind of firewall. http://tools.ietf.org/html/rfc5635

Business customers in general shouldn't be filtered unless they buy a
managed firewall service from you. Don't tamper with their DNS either!

When you get down to the residential and Internet Cafe type users,
there is some common filtering you should consider:

TCP SYN to port 25 outbound from your dynamic IP customers should
generally be disallowed except to your local mail servers. 99 times
out of 100, connections originating to this port from dynamic IP
customers will be Email Spam from an infected PC. This will hurt you.
It will hurt you with spam complaints. It will hurt you with adverse
action by RBL providers. It will hurt you with damage to your
reputation and brand.


Blocking TCP and UDP 137, 138, 139 and 445 is not terribly unusual.
These are associated with Microsoft file sharing protocols. Off the
LAN and outside the enterprise anybody actually open to this traffic
is generally asking to be hacked. Then a spam bot is installed and you
have another problem customer who isn't paying you enough to deal with
that crap.

Bill Herrin

William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]