[fw-wiz] Filter routers? (was Re:logs)
From: Kevin (KKadow_at_gmail.com)
To: email@example.com
Date: Thu, 30 Sep 2004 23:01:41 -0500
> How common is it to deploy filter routers to pre-process traffic
> before it gets to the firewalls? How elaborate do you get with these
Simple "ingress" filtering at the DMZ is a best practice, and it's not
uncommon to additionally do "egress" filtering, usually in the same DMZ
router. Over the past few years I've become more of a fan of
additionally deploying "Intranet" filter routers on the private
network, to deal with default route traffic towards the Internet
firewalls from inside.
At the DMZ, I find little value in logging denied traffic. It makes
sense to me to simply deny the "noise": traffic which would otherwise
increase the load on firewalls (generating and writing deny log
events) to no real end.
Primarily this "noise" consists of packets with spoofed source
addresses -- any packet claiming to come from an internal address,
from RFC1918 address space, or from certain IANA-reserved blocks.
Anything matching these sources must be spoofed and cannot readily be
traced back to the source. Other than some interesting statistics,
logging spoofed sources doesn't do much for me, for security.
Additionally, I prefer to drop inbound traffic destined for subnets
and protocols which I know we do not use (We need to advertise IP
space that is not actively used due to limitations on BGP
advertisements). For example, permit IPSEC protocols towards the
subnet where VPN devices are known to live, permit TCP/UDP/ICMP
towards currently active subnets which are supposed to be visible to
the Internet, then just drop everything else.
Normally I wouldn't include TCP ports in the filter router ACL (that's
the firewall's job), but very recently I've caved on this stance and
added entries to specifically drop TCP 135-139 and 445. IMHO, nobody
in their right mind would expose these ports to the Internet, and the
deny logs on the firewalls were becoming a real hassle (as I mentioned
in my message Re:logs, 75% of the inbound firewall events were denied
TCP SYN packets from Microsoft worms on these ports).
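The ingress policy described above, written out as a Cisco IOS extended ACL. This is an added illustration, not configuration from Kevin's post or his network: 203.0.113.0/24 (the RFC 5737 documentation range) stands in for the advertised address space, the VPN and "active" subnets and the Serial0/0 interface are constructed placeholders, and the reserved-block entries are a small sample, not a complete bogon list.

```cisco
! Constructed example: DMZ filter-router ingress ACL, evaluated first match wins.
ip access-list extended DMZ-INGRESS
 remark --- Spoofed sources: our own space arriving from the Internet side ---
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- Spoofed sources: RFC1918 private address space ---
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- Spoofed sources: sample of IANA-reserved blocks (not exhaustive) ---
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark --- Worm noise that would otherwise fill the firewall deny logs ---
 deny   tcp any any range 135 139
 deny   tcp any any eq 445
 remark --- IPsec only towards the subnet where the VPN devices live (placeholder /28) ---
 permit esp any 203.0.113.16 0.0.0.15
 permit ahp any 203.0.113.16 0.0.0.15
 permit udp any 203.0.113.16 0.0.0.15 eq isakmp
 remark --- TCP/UDP/ICMP only towards currently active Internet-visible subnets (placeholder /27) ---
 permit tcp  any 203.0.113.32 0.0.0.31
 permit udp  any 203.0.113.32 0.0.0.31
 permit icmp any 203.0.113.32 0.0.0.31
 remark --- Everything else, including the advertised-but-unused space, is dropped without logging ---
 deny   ip any any
!
interface Serial0/0
 description Upstream ISP link (placeholder)
 ip access-group DMZ-INGRESS in
```

Because IOS ACLs stop at the first match, the spoofed-source and worm-port denies must stay above the permits; the final `deny ip any any` is explicit rather than relying on the implicit deny so that `show ip access-lists` counts the noise being discarded.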
In a perfect world, I could request upstream ISPs apply these filters
on their end of the pipe, conserving our valuable WAN bandwidth for
more desirable traffic.
(P.S. Outbound filter routers on the internal network are a whole
other animal, one I'm hoping to parlay into a speaking position at
some future 'con.)
firewall-wizards mailing list