Security Basics mailing list archives

RE: Router Packet Filtering and Firewalls

From: Gene LeDuc <Gene.LeDuc () mktdev tnsofres com>
Date: Thu, 30 Jan 2003 12:52:26 -0500

Hi Geoff,

It's your ISP not wanting the extra pain of a non-standard installation.
Having the router block incoming packets from your address block and those
addressed to your broadcast address means your firewall can spend its CPU
time dealing with trickier rules.  If your company doesn't do business with
China, Korea, Taiwan, Russia, etc., then there are also some good-sized
blocks of IP addresses that you can block that will definitely lighten the
load on your firewall.  Think Defense In Depth.

Regards,
Gene

-----Original Message-----
From: Geoff Shatz [mailto:geoff.shatz () pchelps com]
Sent: Wednesday, January 29, 2003 2:55 PM
To: security-basics () securityfocus com
Subject: Router Packet Filtering and Firewalls




I am trying to confirm my thoughts regarding the use of router packet 

filtering in addition to having a firewall behind the router but first a 

little background...



Years ago when we first connected our firm to the Internet we did not have 

a firewall but used packet filtering on the router to protect our 

perimeter.



As time progressed and security became a much greater issue for everyone 

in IT we moved forward an installed a firewall between our router and the 

LAN. I was managing our router at that time and kept the initial packet 

filters in place as I figured two layers of security were better than one.



A few years ago we were forced to switch ISP's and our new ISP managed the 

router they supplied to us. They supplied the router with no ACL's applied 

to either interface which as I understand it with Cisco IOS creates an 

implicit permit for both inbound and outbound.



After contacting technical support I was told none of their customers use 

packet filtering at the router level and that's what a firewall was for.

I had a small battle with them but they finally relented and configured 

the router the way I asked them to.



We just had a second circuit installed and I had to go through the same 

routine with them and the end result was the same.



Am I missing something here? Is it not better to have both packet 

filtering applied on the router and a firewall behind it? Is there 

something inherently wrong with this or is this just a case of our ISP not 

really giving a damn about security and on top of it being lazy? Any 

comments would be appreciated.



-Geoff

Current thread:

Router Packet Filtering and Firewalls Geoff Shatz (Jan 30)
- RE: Router Packet Filtering and Firewalls David Gillett (Jan 31)
- RE: Router Packet Filtering and Firewalls Paul Stewart (Jan 31)
- <Possible follow-ups>
- RE: Router Packet Filtering and Firewalls Garbrecht, Frederick (Jan 31)
- RE: Router Packet Filtering and Firewalls Gene LeDuc (Jan 31)
- RE: Router Packet Filtering and Firewalls Trevor Cushen (Jan 31)