[fw-wiz] Filter routers? (was Re:logs)

From: Kevin (KKadow_at_gmail.com)
Date: 10/01/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] SMTP forwarding question"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 30 Sep 2004 23:01:41 -0500

    How common is it to deploy filter routers to pre-process traffic
    before it gets to the firewalls? How elaborate do you get with these?

    Simple "ingress" filtering at the DMZ is a best practice, and it's not
    uncommon to additionally do "egress" filtering, usually in the same DMZ
    router. Over the past few years I've become more of a fan of
    additionally deploying "Intranet" filter routers on the private
    network, to deal with default route traffic towards the Internet
    firewalls from inside.

    At the DMZ, I find little value in logging denied traffic. It makes
    sense to me to simply deny the "noise": traffic which would otherwise
    increase the load on firewalls (generating and writing deny log
    events) to no real end.

    Primarily this "noise" consists of packets with spoofed source
    addresses -- any packet claiming to come from an internal address,
    from RFC1918 address space, or from certain IANA-Reserved blocks.
    Anything matching these sources must be spoofed and cannot readily be
    traced back to the source. Other than some interesting statistics,
    logging spoofed sources doesn't do much for me, for security.

    Additionally, I prefer to drop inbound traffic destined for subnets
    and protocols which I know we do not use (We need to advertise IP
    space that is not actively used due to limitations on BGP
    advertisements). For example, permit IPSEC protocols towards the
    subnet where VPN devices are known to live, permit TCP/UDP/ICMP
    towards currently active subnets which are supposed to be visible to
    the Internet, then just drop everything else.

    Normally I wouldn't include TCP ports in the filter router ACL (that's
    the firewall's job), but very recently I've caved on this stance and
    added entries to specifically drop TCP 135-139 and 445. IMHO, nobody
    in their right mind would expose these ports to the Internet, and the
    deny logs on the firewalls were becoming a real hassle (as I mentioned
    in my message Re:logs, 75% of the inbound firewall events were denied
    TCP SYN packets from Microsoft worms on these ports).

    In a perfect world, I could request upstream ISPs apply these filters
    on their end of the pipe, conserving our valuable WAN bandwidth for
    more desirable traffic.


    (P.S. Outbound filter routers on the internal network are a whole
    other animal, one I'm hoping to parlay into a speaking position at
    some future 'con.)

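The ordered filter-router policy Kevin describes (silent spoof denies, the TCP 135-139/445 drop, IPsec permitted only to the VPN subnet, TCP/UDP/ICMP only to active subnets, default drop), as an added example that is not part of the original post. The address blocks are RFC 5737 documentation ranges standing in for a real allocation; the sample traffic is constructed, and the point is to show how much of the noise never reaches the firewall's deny log.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Constructed policy (assumption): 203.0.113.0/24 is "our" advertised space,
# the VPN devices live in the first /28, and only the first /26 is in active use.
INTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
VPN_SUBNET = ipaddress.ip_network("203.0.113.0/28")
ACTIVE_SUBNETS = [ipaddress.ip_network("203.0.113.0/26")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/4")]
WORM_PORTS = set(range(135, 140)) | {445}   # TCP 135-139 and 445, as in the post

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp", "esp", "ah", "gre", ...
    dport: int = 0    # only meaningful for tcp/udp

def _in(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def ingress_filter(pkt: Packet) -> tuple:
    """Ordered ACL evaluation; returns (action, reason). Order matters:
    the spoof and worm-port denies sit before the permits so that a SYN to
    TCP 445 on an active subnet is still dropped silently at the router."""
    if _in(pkt.src, INTERNAL + RFC1918 + RESERVED):
        return ("deny", "spoofed source")          # never legitimate, not worth logging
    if pkt.proto == "tcp" and pkt.dport in WORM_PORTS:
        return ("deny", "worm port")               # keeps these SYNs out of firewall logs
    if pkt.proto in ("esp", "ah") and ipaddress.ip_address(pkt.dst) in VPN_SUBNET:
        return ("permit", "ipsec to vpn subnet")
    if pkt.proto in ("tcp", "udp", "icmp") and _in(pkt.dst, ACTIVE_SUBNETS):
        return ("permit", "active subnet")         # the firewall decides ports from here
    return ("deny", "unused subnet or protocol")   # advertised but not in use

def tally(packets) -> Counter:
    """Count verdicts; only 'permit' traffic ever reaches the firewall."""
    return Counter(ingress_filter(p) for p in packets)

# Constructed sample traffic, all from the Internet side of the DMZ router.
SAMPLE_TRAFFIC = [
    Packet("10.1.2.3", "203.0.113.10", "tcp", 80),        # RFC1918 source: spoofed
    Packet("203.0.113.50", "203.0.113.10", "tcp", 80),    # claims our own space: spoofed
    Packet("198.51.100.7", "203.0.113.10", "tcp", 445),   # worm SYN
    Packet("198.51.100.7", "203.0.113.5", "esp"),         # IPsec to VPN subnet
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),    # web to active subnet
    Packet("198.51.100.7", "203.0.113.10", "udp", 53),    # dns to active subnet
    Packet("198.51.100.7", "203.0.113.200", "tcp", 80),   # advertised but unused subnet
    Packet("198.51.100.7", "203.0.113.10", "gre"),        # protocol we don't use
    Packet("198.51.100.7", "203.0.113.100", "esp"),       # IPsec outside VPN subnet
]
```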