RE: Router Packet Filtering and Firewalls
From: Garbrecht, Frederick (FGarbrecht@ecogchair.org)
Date: 01/30/03
From: "Garbrecht, Frederick" <FGarbrecht@ecogchair.org>
To: 'Geoff Shatz' <geoff.shatz@pchelps.com>, security-basics@securityfocus.com
Date: Thu, 30 Jan 2003 12:19:47 -0500
Your ISP is being dorkish in its approach. There is no question
whatsoever that packet filtering at the level of the border router
should be an adjunct to stateful inspection at the firewall level. At
the very least, router ACLs take some of the burden off of the firewall,
and will complement and enforce the security policy you are enforcing on
your firewall. This is part of the immutable second law of IT security,
i.e. 'multiple levels of security are better than one', unless of course
this conflicts with business need (money) and then all bets are off.
Frederick Garbrecht, M.D., GSEC
Coalition of National Cancer Cooperative Groups
-----Original Message-----
From: Geoff Shatz [mailto:geoff.shatz@pchelps.com]
Sent: Wednesday, January 29, 2003 5:55 PM
To: security-basics@securityfocus.com
Subject: Router Packet Filtering and Firewalls
I am trying to confirm my thoughts regarding the use of router packet
filtering in addition to having a firewall behind the router but first a
little background...

Years ago when we first connected our firm to the Internet we did not
have a firewall but used packet filtering on the router to protect our
perimeter.

As time progressed and security became a much greater issue for everyone
in IT we moved forward and installed a firewall between our router and
the LAN. I was managing our router at that time and kept the initial
packet filters in place as I figured two layers of security were better
than one.

A few years ago we were forced to switch ISPs and our new ISP managed
the router they supplied to us. They supplied the router with no ACLs
applied to either interface which as I understand it with Cisco IOS
creates an implicit permit for both inbound and outbound.

After contacting technical support I was told none of their customers
use packet filtering at the router level and that's what a firewall was
for. I had a small battle with them but they finally relented and
configured the router the way I asked them to.

We just had a second circuit installed and I had to go through the same
routine with them and the end result was the same.

Am I missing something here? Is it not better to have both packet
filtering applied on the router and a firewall behind it? Is there
something inherently wrong with this or is this just a case of our ISP
not really giving a damn about security and on top of it being lazy? Any
comments would be appreciated.
-Geoff
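
Added example, not part of the original messages: a simplified Python model of the router behaviour discussed in this thread, showing that an interface with no ACL applied forwards everything while an applied ACL is matched top-down with an implicit deny at the end. The rule set, the sample packets and all names (`Rule`, `Packet`, `evaluate`, `reaches_firewall`, `BORDER_ACL`, `SAMPLE`) are constructed assumptions, and real IOS entries also match on protocol and destination address.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    src: str                         # source network, CIDR; "0.0.0.0/0" = any
    dst_port: Optional[int] = None   # None matches any destination port

class Packet(NamedTuple):
    src: str
    dst_port: int

def evaluate(acl, pkt):
    """Decision for one inbound packet on a router interface (simplified).

    acl is None -> no ACL applied to the interface, so everything passes.
    acl is a list -> entries are read top-down, the first match wins, and
    a packet matching no entry is dropped by the implicit deny at the end.
    """
    if acl is None:
        return "permit"
    for rule in acl:
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        if in_net and rule.dst_port in (None, pkt.dst_port):
            return rule.action
    return "deny"

def reaches_firewall(acl, packets):
    """Packets the router forwards, i.e. the load the firewall still sees."""
    return [p for p in packets if evaluate(acl, p) == "permit"]

# Constructed border policy (assumption, not from the thread): drop sources
# that should never arrive from the Internet, then allow only mail and web.
BORDER_ACL = [
    Rule("deny", "10.0.0.0/8"), Rule("deny", "172.16.0.0/12"),
    Rule("deny", "192.168.0.0/16"), Rule("deny", "127.0.0.0/8"),
    Rule("permit", "0.0.0.0/0", 25), Rule("permit", "0.0.0.0/0", 80),
]

# Constructed sample traffic; 203.0.113.0/24 is a documentation range.
SAMPLE = [
    Packet("10.1.2.3", 80),       # private source arriving from outside
    Packet("203.0.113.5", 80),    # ordinary web request
    Packet("203.0.113.5", 445),   # service not offered to the Internet
    Packet("192.168.1.9", 25),    # private source aimed at the mail port
]

if __name__ == "__main__":
    print("no ACL applied:", len(reaches_firewall(None, SAMPLE)), "forwarded")
    print("border ACL    :", reaches_firewall(BORDER_ACL, SAMPLE))
```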