RE: Router Packet Filtering and Firewalls

From: Gene LeDuc (Gene.LeDuc@mktdev.tnsofres.com)
Date: 01/30/03

    From: Gene LeDuc <Gene.LeDuc@mktdev.tnsofres.com>
    To: security-basics@securityfocus.com
    Date: Thu, 30 Jan 2003 12:52:26 -0500
    
    

    Hi Geoff,

    It's your ISP not wanting the extra pain of a non-standard installation.
    Having the router block incoming packets from your address block and those
    addressed to your broadcast address means your firewall can spend its CPU
    time dealing with trickier rules. If your company doesn't do business with
    China, Korea, Taiwan, Russia, etc., then there are also some good-sized
    blocks of IP addresses that you can block that will definitely lighten the
    load on your firewall. Think Defense In Depth.

    Regards,
    Gene

    -----Original Message-----
    From: Geoff Shatz [mailto:geoff.shatz@pchelps.com]
    Sent: Wednesday, January 29, 2003 2:55 PM
    To: security-basics@securityfocus.com
    Subject: Router Packet Filtering and Firewalls

    I am trying to confirm my thoughts regarding the use of router packet
    filtering in addition to having a firewall behind the router, but first a
    little background...

    Years ago when we first connected our firm to the Internet we did not have
    a firewall but used packet filtering on the router to protect our
    perimeter.

    As time progressed and security became a much greater issue for everyone
    in IT we moved forward and installed a firewall between our router and the
    LAN. I was managing our router at that time and kept the initial packet
    filters in place as I figured two layers of security were better than one.

    A few years ago we were forced to switch ISPs and our new ISP managed the
    router they supplied to us. They supplied the router with no ACLs applied
    to either interface which, as I understand it, with Cisco IOS creates an
    implicit permit for both inbound and outbound.

    After contacting technical support I was told none of their customers use
    packet filtering at the router level and that's what a firewall was for.
    I had a small battle with them but they finally relented and configured
    the router the way I asked them to.

    We just had a second circuit installed and I had to go through the same
    routine with them and the end result was the same.

    Am I missing something here? Is it not better to have both packet
    filtering applied on the router and a firewall behind it? Is there
    something inherently wrong with this or is this just a case of our ISP not
    really giving a damn about security and on top of it being lazy? Any
    comments would be appreciated.

    -Geoff
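    The router-side filtering Gene describes, written out as an added Cisco IOS
    example for this thread (it is not configuration from either poster or their
    ISP). The customer block 203.0.113.0/24, the ISP-facing interface Serial0/0
    and the LAN-facing interface FastEthernet0/0 are assumptions; substitute your
    own. The inbound list drops packets that claim to come from your own block
    (source spoofing), packets aimed at your network and broadcast addresses
    (directed-broadcast amplification), and packets from private or otherwise
    unroutable source ranges, then hands everything else to the firewall. The
    outbound list only lets your own addresses leave, so a compromised host
    cannot spoof others.

```cisco
! Assumed: customer block 203.0.113.0/24, Serial0/0 faces the ISP,
! FastEthernet0/0 faces the LAN and the firewall's outside interface.
!
ip access-list extended FROM-ISP
 remark Anti-spoofing: our own block can never legitimately arrive from the ISP
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Network and broadcast address of our block (directed-broadcast / smurf)
 deny   ip any host 203.0.113.0
 deny   ip any host 203.0.113.255
 remark Unroutable sources that should never cross a public link
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark Add further deny lines here for address ranges you never exchange traffic with
 remark Everything else is the firewall's job
 permit ip any 203.0.113.0 0.0.0.255
 remark Anything not matched above hits the implicit deny at the end of the list
!
ip access-list extended TO-ISP
 remark Egress filtering: only packets sourced from our block may leave
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip access-group FROM-ISP in
 ip access-group TO-ISP out
!
interface FastEthernet0/0
 description LAN side, towards the firewall
 no ip directed-broadcast
```

    Two caveats a practitioner should keep in mind. First, Geoff's observation
    cuts both ways: with no access-group applied an interface passes everything,
    but as soon as one is applied the list ends with an implicit deny, so the
    final permit line must describe all traffic you actually want to reach the
    firewall or the circuit goes dark. Second, the RFC 1918 deny lines assume the
    ISP link itself is not numbered from private space; if it is, or if the ISP
    sends you traffic sourced from such addresses (some management and monitoring
    setups do), those lines will block it. The log keyword costs router CPU, so
    keep it on the few lines where a hit is worth an alert rather than on every
    entry. The ordering matters too: IOS evaluates an ACL top down and stops at
    the first match, so the spoofing check belongs above the broad permit.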


