Home page logo
/

nanog logo nanog mailing list archives

Re: Firewalls in service provider environments
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 7 Feb 2012 17:59:47 -0500

On Tue, Feb 7, 2012 at 4:42 PM, Leigh Porter
<leigh.porter () ukbroadband com> wrote:


-----Original Message-----
From: Matthew Reath [mailto:matt () mattreath com]
Sent: 07 February 2012 21:34
To: nanog () nanog org
Subject: Firewalls in service provider environments

All,

Looking for some recommendations on firewall placement in service
provider
environments.  I'm of the school of thought that in my SP network I do
as
little firewalling/packet filtering as possible. As in none,

I had a vendor actually suggest that that ALL my customer traffic should traverse a firewall. I asked why and they 
said "Ahhh it the internet, must have firewall". I suppose this must have been a great firewall.

'of china'! ha! hahaha.... anyway.

So yes I would agree with you, firewall nothing for your customers unless they are paying you for a specific service. 
Filtering known bad ports, well, what's a known bad port? Bad for one person may be quite important for another. 
Whilst filtering port 25 outbound may help prevent some bots from emanating spam, it certainly does a lot to annoy 
other people.


I think for a purely SP network, transit-provider core links sort of
thing, why filter anything at all? why filter anything that's not
destined to your own equipment? You can't possibly know what some
customer (or set of customers) are going to do with their traffic, so
you can't possibly filter it sanely/safely.

for a consumer ISP, provided your TOS says it's ok, why not filter
some common problems:
  tcp/25
  ... not much else really... and REALLY you just want to send tcp/25
-> 587 on your mail-relays (or redirect to internal use addresses on
the relays).

If customers (in either case) want to pay you for 'security services'
then rock some filters on their CPE, with the option to move that
upstream to your PE if you have to (too much crap on customer link).

-chris


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]