nanog mailing list archives
Re: Firewalls in service provider environments
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 7 Feb 2012 17:59:47 -0500
On Tue, Feb 7, 2012 at 4:42 PM, Leigh Porter <leigh.porter () ukbroadband com> wrote:
-----Original Message-----
From: Matthew Reath [mailto:matt () mattreath com]
Sent: 07 February 2012 21:34
To: nanog () nanog org
Subject: Firewalls in service provider environments

All,

Looking for some recommendations on firewall placement in service provider environments. I'm of the school of thought that in my SP network I do as little firewalling/packet filtering as possible. As in none. I had a vendor actually suggest that ALL my customer traffic should traverse a firewall. I asked why and they said "Ahhh it the internet, must have firewall".

I suppose this must have been a great firewall.
'of china'! ha! hahaha.... anyway.
So yes I would agree with you, firewall nothing for your customers unless they are paying you for a specific service. Filtering known bad ports, well, what's a known bad port? Bad for one person may be quite important for another. Whilst filtering port 25 outbound may help prevent some bots from emanating spam, it certainly does a lot to annoy other people.
I think for a purely SP network, transit-provider core links sort of thing, why filter anything at all? Why filter anything that's not destined to your own equipment? You can't possibly know what some customer (or set of customers) are going to do with their traffic, so you can't possibly filter it sanely/safely.

For a consumer ISP, provided your TOS says it's ok, why not filter some common problems: tcp/25 ... not much else really... and REALLY you just want to send tcp/25 -> 587 on your mail-relays (or redirect to internal use addresses on the relays).

If customers (in either case) want to pay you for 'security services' then rock some filters on their CPE, with the option to move that upstream to your PE if you have to (too much crap on customer link).

-chris
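The policy Chris sketches above (an infrastructure ACL that only protects the router's own addresses, transit left alone, and outbound tcp/25 from consumers steered to the provider's relay) as an added nftables ruleset. This is an illustration written for this page, not anything from the thread or from any provider's production config. It assumes a Linux box (nftables 0.9.3 or later, kernel 5.2 or later for NAT in the inet family) sitting at the customer edge; the interface name, the BGP neighbours, the management range, the exempt customer prefix and the relay address 192.0.2.25 are all placeholders drawn from documentation address space.

```nft
#!/usr/sbin/nft -f
# Added example, not from the NANOG thread. Assumed platform: Linux edge box
# with nftables. Every address and interface name below is a placeholder.

flush ruleset

define CUST_IF  = "eth1"             # assumed customer-facing interface
define MGMT_NET = 198.51.100.0/24    # assumed NOC/management source range

table inet sp_edge {

    set bgp_peers {
        type ipv4_addr
        elements = { 192.0.2.1, 192.0.2.2 }   # assumed BGP neighbours
    }

    set smtp_exempt {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/28 }         # assumed: customers who pay to run their own MTA
    }

    # Infrastructure ACL: the only thing that gets filtered is traffic
    # addressed to this box itself.
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Keep PMTUD, traceroute and IPv6 neighbour discovery working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept

        ip saddr @bgp_peers tcp dport 179 accept   # BGP only from known neighbours
        ip saddr $MGMT_NET tcp dport 22 accept     # SSH only from the NOC

        counter drop                               # anything else aimed at the router
    }

    # Transit is not inspected: the operator cannot know what customers
    # legitimately do with their traffic.
    chain forward {
        type filter hook forward priority filter; policy accept;
    }

    # Consumer side only (and only where the TOS allows it): outbound tcp/25
    # goes to the provider relay's submission port, unless the customer is
    # exempt or is already talking to the relay directly.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        iifname $CUST_IF ip saddr @smtp_exempt tcp dport 25 accept
        iifname $CUST_IF ip daddr 192.0.2.25 tcp dport 25 accept
        iifname $CUST_IF tcp dport 25 counter dnat ip to 192.0.2.25:587
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`; the `counter` statements let you watch how much tcp/25 is actually being steered before the rule annoys anyone. The `smtp_exempt` set is the per-customer toggle Chris mentions: adding a prefix to it is how a paying customer's filtering gets "moved upstream" or removed without touching the rest of the policy. Two caveats: the relay's 587 listener has to be willing to accept what customers send on port 25 (submission listeners often require authentication, so a port-25 listener on an internal relay address may be the better target), and this only handles IPv4; an IPv6 equivalent needs a separate `dnat ip6 to` rule and an `ipv6_addr` exempt set.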