nanog mailing list archives
Re: Firewalls in service provider environments
From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Tue, 7 Feb 2012 16:46:04 -0500 (EST)
On Tue, 7 Feb 2012, Matthew Reath wrote:
Looking for some recommendations on firewall placement in service provider environments. I'm of the school of thought that in my SP network I do as little firewalling/packet filtering as possible. As in none, leave that to my end users or offer a "managed" firewall solution where if a customer signs up for the extra service I put him in a VRF or VLAN that is "behind" a firewall and manage that solution for them. Otherwise I don't prefer to have a firewall inline in my service provider network for all customer traffic to go through. I can accomplish filtering of known bad ports on my edge routers either facing my customers or upstream providers.
I tend to agree with this, and I think you'll find that most providers agree with that as well.
There are several reasons for this:

1. Firewalls present another point of failure, and SPs are generally loath to force customer traffic* through another choke point.

2. Many firewall appliances are stateful. Multihomed customers and stateful firewalls can be a major headache. Asymmetric routing through stateful firewalls is pretty much a non-starter.

3. You (the customer) know your applications and internal network better than the SP does. It makes sense for you to manage your firewalls/NAT/internal LAN. If you can't or don't want to do this, hire a consultant to do the work for you.

4. Most SPs would not want the liability of managing firewall service.

5. Dropping packets at the SP edge could be done, but I think most SPs would only want to do so in extraordinary circumstances.
* - As you mentioned, unless the SP offers, and those customers specifically pay for a firewalled service.
jms
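A worked illustration of point 2 above (asymmetric routing through stateful firewalls) and of the stateless edge-router filtering the original poster describes. This is an added example written for this archive page, not code from either poster. It is a toy model: the "firewalls" are Python objects, the addresses come from the RFC 5737 documentation prefixes (constructed, not from the thread), and the choice of TCP 445 as a "known bad port" is an assumption standing in for whatever a given SP would actually block. A multihomed customer sends a SYN out through the firewall in front of upstream A; the SYN-ACK comes back through upstream B, whose firewall holds no state for the flow and drops it, so the handshake never completes. The same reply passes a stateless port ACL regardless of path.

```python
"""Toy model: stateful firewalls vs. asymmetric return paths (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # toy subset of TCP flags: "SYN", "SYN-ACK", "ACK"


def flow_key(pkt):
    """Direction-independent key so a reply matches the entry its request created."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


@dataclass
class StatefulFirewall:
    """Permits new flows only when a SYN originates inside; replies must cross the same box."""
    name: str
    inside: ipaddress.IPv4Network
    table: set = field(default_factory=set)

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.table:
            return "pass"  # part of a flow this box already saw
        if pkt.flags == "SYN" and ipaddress.ip_address(pkt.src) in self.inside:
            self.table.add(key)  # inside-initiated: create state
            return "pass"
        return "drop"  # unsolicited inbound, or a reply whose state lives on another box


def stateless_acl(pkt, blocked_dports):
    """Edge-router style ACL: no state, so which path the packet takes does not matter."""
    return "drop" if pkt.dport in blocked_dports else "pass"


# Constructed addresses (RFC 5737 documentation ranges), not from the original thread.
CUSTOMER = ipaddress.ip_network("192.0.2.0/24")
CLIENT = "192.0.2.10"
SERVER = "198.51.100.80"
SCANNER = "203.0.113.7"


def handshake(out_fw, back_fw):
    """Run a three-way handshake with the outbound and return legs on the given firewalls."""
    syn = Packet(CLIENT, 40000, SERVER, 443, "SYN")
    synack = Packet(SERVER, 443, CLIENT, 40000, "SYN-ACK")
    ack = Packet(CLIENT, 40000, SERVER, 443, "ACK")
    verdicts = []
    for fw, pkt in ((out_fw, syn), (back_fw, synack), (out_fw, ack)):
        verdict = fw.process(pkt)
        verdicts.append(verdict)
        if verdict == "drop":
            break  # the endpoint never sees this segment, so the handshake stalls here
    return verdicts


def symmetric_path():
    """Single-homed customer: both directions cross the same stateful firewall."""
    fw = StatefulFirewall("fw-upstreamA", CUSTOMER)
    return handshake(fw, fw)


def asymmetric_path():
    """Multihomed customer: SYN leaves via upstream A, SYN-ACK returns via upstream B."""
    fw_a = StatefulFirewall("fw-upstreamA", CUSTOMER)
    fw_b = StatefulFirewall("fw-upstreamB", CUSTOMER)
    return handshake(fw_a, fw_b)


def stateless_edge(blocked=frozenset({445})):
    """Same asymmetric SYN-ACK, plus an inbound SYN to an assumed 'known bad' port, through a stateless ACL."""
    synack = Packet(SERVER, 443, CLIENT, 40000, "SYN-ACK")
    smb_probe = Packet(SCANNER, 50000, CLIENT, 445, "SYN")
    return [stateless_acl(synack, blocked), stateless_acl(smb_probe, blocked)]


if __name__ == "__main__":
    print("symmetric :", symmetric_path())
    print("asymmetric:", asymmetric_path())
    print("stateless :", stateless_edge())
```

The stateful box in front of upstream B drops the SYN-ACK because state for that flow was created on the box in front of upstream A; nothing about the packet itself is wrong. The stateless ACL reaches its verdict from the packet alone, which is why per-port filtering at the edge survives asymmetry while an inline stateful firewall does not.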