nanog mailing list archives
Re: Firewalls in service provider environments
From: Suresh Ramasubramanian <ops.lists () gmail com>
Date: Wed, 8 Feb 2012 07:15:34 +0530
On Wed, Feb 8, 2012 at 3:52 AM, William Herrin <bill () herrin us> wrote:
> High end business customers (of the BGP speaking variety) generally appreciate having a remote triggered black hole facility. That's a kind of firewall. http://tools.ietf.org/html/rfc5635
While I 100% agree that sticking a stateful firewall into a SP environment is several kinds of dumb, I wouldn't run it wide open and unfiltered either. There are several things that a SP should definitely be looking at, that I'd still describe as a firewall, and are not the "stateful firewall / IDS / IPS magic black box" half the posters in this thread are instinctively reacting to. For the record, yes, I agree those are a bad idea. But how about these - all of these are going to be implemented to a greater or a lesser degree, and in different places, depending on how you define SP (selling only transit OC-48s? T1..T3 to end user corporations? Datacenter hosting?)

1. S/RTBH

2. Netflow based devices (Arbor, Tivoli TNPFA flow analyzers, etc)

3. DDoS mitigation - possibly resold as an extra service [built in-house / provided by other vendors or your upstream tier 1]

4. Router ACLs to get rid of common worm traffic

5. Filtering both ways to prevent async routing to bypass your filters (http://irbs.net/internet/nanog/0408/0405.html and in that thread, http://irbs.net/internet/nanog/0408/0465.html for a fun example)

6. Putting different customers into different VLANs rather than packing everybody into a single VLAN - that way they don't spoof unused IPs on the same VLAN (that is, unused IPs anywhere in your IP space .. and this is, like #5, a rather old attack that I haven't seen in a while, it used to be very popular with spammers some years back, and sticking your customers into separate VLANs anyway makes a lot of sense from a management perspective, leave alone the security implications)

--srs

-- 
Suresh Ramasubramanian (ops.lists () gmail com)
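Added example (not from the original post or anyone in the thread): item 1, S/RTBH as described in RFC 5635, written out as Cisco IOS-style configuration for a trigger router and one edge router. Everything here is assumed for illustration: AS 64496, the community 64496:666, the route tag 666, the iBGP peer loopbacks 10.0.0.1/10.0.0.2, the discard next-hop 192.0.2.1, the victim 203.0.113.10 and the attacking source 198.51.100.200 are all documentation or private ranges, not real addresses.

```cisco
! ===== Trigger router: originates the blackhole routes over iBGP =====
! Discard next-hop. Any prefix whose BGP next-hop is 192.0.2.1 resolves
! to Null0 on every router that carries this static.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64496
 neighbor 10.0.0.2 remote-as 64496
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 send-community
 redistribute static route-map RTBH-TRIGGER
!
! Only statics tagged 666 are redistributed. They get the discard next-hop,
! a community the edges can match on, and no-export so the /32 never
! leaks to eBGP peers or transit.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set community 64496:666 no-export
 set origin igp
!
! Destination-based RTBH: drop everything *to* the victim (assumed address).
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
! Source-based RTBH: drop everything *from* the attacking source (assumed).
! Same announcement; the difference is made by uRPF on the edge (below).
ip route 198.51.100.200 255.255.255.255 Null0 tag 666
!
! ===== Edge router: where the packets are actually dropped =====
ip route 192.0.2.1 255.255.255.255 Null0
!
ip community-list standard RTBH permit 64496:666
!
router bgp 64496
 neighbor 10.0.0.1 remote-as 64496
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 route-map RTBH-IN in
!
! Accept the tagged /32s and pin their next-hop to the discard address, so
! the FIB entry for 203.0.113.10/32 points at Null0: destination RTBH.
! Untagged iBGP routes pass through clause 20 unchanged.
route-map RTBH-IN permit 10
 match community RTBH
 set ip next-hop 192.0.2.1
 set local-preference 200
route-map RTBH-IN permit 20
!
! Loose-mode uRPF on the ingress (peer/customer-facing) interface. A packet
! whose *source* matches a route pointing at Null0 fails the check and is
! dropped, which is what turns the 198.51.100.200/32 entry into source RTBH.
! If this router carries a default route, add "allow-default" to the verify
! statement or sources that only match the default will be dropped too.
interface GigabitEthernet0/0
 description peer-facing
 ip verify unicast source reachable-via any
```

Operationally the trigger router is the only box anyone touches during an attack: adding or removing a tagged static is the whole workflow, and the edges converge on the change via iBGP. The community match on the edge is what keeps an accidental untagged static from being turned into a blackhole, and no-export is what keeps a customer /32 from being withdrawn from the rest of the Internet by your own upstream.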