RE: Router Packet Filtering and Firewalls

From: David Gillett (gillettdavid@fhda.edu)
Date: 01/30/03

    From: "David Gillett" <gillettdavid@fhda.edu>
    To: <security-basics@securityfocus.com>
    Date: Thu, 30 Jan 2003 11:31:45 -0800
    
    

      Certainly a firewall can check for things that a router probably
    doesn't have the memory and/or spare horsepower for. But there is
    some traffic that is just simply obviously wrong, and the further
    out from your core you can discard it, the less impact it can have
    on your network and systems.
      The IOS "firewall feature", for instance, can filter on a bunch
    of low-level "malformed packet" issues that I'm not certain many
    common firewalls even look for. On the other hand, stateful
    inspection is a Very Good Thing, but takes more memory than most
    routers have -- the router "established" check may simply trust
    that the SYN bit is correct.

      So I agree that packet filter + firewall is the way to go.

    David Gillett

    > -----Original Message-----
    > From: Geoff Shatz [mailto:geoff.shatz@pchelps.com]
    > Sent: January 29, 2003 14:55
    > To: security-basics@securityfocus.com
    > Subject: Router Packet Filtering and Firewalls
    >
    > I am trying to confirm my thoughts regarding the use of router packet
    > filtering in addition to having a firewall behind the router, but first a
    > little background...
    >
    > Years ago when we first connected our firm to the Internet we did not have
    > a firewall but used packet filtering on the router to protect our
    > perimeter.
    >
    > As time progressed and security became a much greater issue for everyone
    > in IT, we moved forward and installed a firewall between our router and
    > the LAN. I was managing our router at that time and kept the initial
    > packet filters in place as I figured two layers of security were better
    > than one.
    >
    > A few years ago we were forced to switch ISPs and our new ISP managed the
    > router they supplied to us. They supplied the router with no ACLs applied
    > to either interface, which as I understand it with Cisco IOS creates an
    > implicit permit for both inbound and outbound.
    >
    > After contacting technical support I was told none of their customers use
    > packet filtering at the router level and that's what a firewall was for.
    > I had a small battle with them but they finally relented and configured
    > the router the way I asked them to.
    >
    > We just had a second circuit installed and I had to go through the same
    > routine with them and the end result was the same.
    >
    > Am I missing something here? Is it not better to have both packet
    > filtering applied on the router and a firewall behind it? Is there
    > something inherently wrong with this, or is this just a case of our ISP
    > not really giving a damn about security and on top of it being lazy? Any
    > comments would be appreciated.
    >
    > -Geoff
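Added example (editorial, not from either message in the thread): a Cisco IOS ingress ACL of the kind Geoff is asking his ISP to apply on the Internet-facing interface in front of the firewall, followed by the IOS firewall feature (CBAC inspection) David refers to. The interface names, the 203.0.113.0/24 public block and the mail-host address 203.0.113.10 are assumptions chosen for illustration.

```cisco
! Assumed topology: Serial0/0 faces the ISP; the firewall sits behind the
! router on the LAN side. 203.0.113.0/24 is our (assumed) public block.
!
! With no access-group on an interface, IOS forwards everything (the implicit
! permit Geoff describes). Once an ACL is applied, anything it does not match
! is dropped by the implicit "deny ip any any" at the end of the list.

ip access-list extended OUTSIDE-IN
 remark --- traffic that is obviously wrong on an Internet-facing link ---
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 remark our own block can never legitimately arrive from the ISP side
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- services we actually expose (assumed mail host) ---
 permit tcp any host 203.0.113.10 eq 25
 remark "established" only tests for the ACK or RST flag; the router keeps
 remark no session table, so a crafted ACK-only probe still reaches the
 remark inside host. The stateful firewall behind the router catches that.
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 remark log what falls through rather than relying on the silent implicit deny
 deny   ip any any log

! IOS firewall feature set (CBAC): track outbound TCP/UDP sessions and open
! only the matching return traffic through OUTSIDE-IN, instead of trusting a
! flag bit. Needs the firewall feature image and more memory than a plain ACL.
ip inspect name CBAC tcp
ip inspect name CBAC udp

interface Serial0/0
 description ISP circuit (assumed interface name)
 ip access-group OUTSIDE-IN in
 ip inspect CBAC out
```

If the router lacks the firewall feature set, drop the two `ip inspect` lines and the `ip inspect CBAC out` command; the ACL still discards spoofed and bogus sources at the edge, which is the layer the thread is arguing for. If CBAC is available, the `established` permit becomes redundant, since inspection opens return traffic per session, and it can be removed to close the ACK-probe gap at the router as well.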