Security Basics mailing list archives

Re: Router Packet Filtering and Firewalls


From: Sean Smith <shmelty () yahoo com>
Date: Thu, 30 Jan 2003 12:44:12 -0800 (PST)

As far as the ISP being lazy... Even though they say
the service offered you is a managed router, in reality
all it is is setting up the routing and making sure
that it functions. As far as security, they like to
charge extra for the security management. What you had
before was a screened host setup and that is a nice
security scheme. You could go one further and put
another screening router behind your firewall and
create a screened subnet. You're lucky you got them to
configure any filters for you. I asked AT&T to do that
for me, but they wanted another $400/month for each
router.

sean

--- Geoff Shatz <geoff.shatz () pchelps com> wrote:


I am trying to confirm my thoughts regarding the use of router packet
filtering in addition to having a firewall behind the router but first
a little background...

Years ago when we first connected our firm to the Internet we did not
have a firewall but used packet filtering on the router to protect our
perimeter.

As time progressed and security became a much greater issue for
everyone in IT we moved forward and installed a firewall between our
router and the LAN. I was managing our router at that time and kept the
initial packet filters in place as I figured two layers of security
were better than one.

A few years ago we were forced to switch ISPs and our new ISP managed
the router they supplied to us. They supplied the router with no ACLs
applied to either interface which as I understand it with Cisco IOS
creates an implicit permit for both inbound and outbound.

After contacting technical support I was told none of their customers
use packet filtering at the router level and that's what a firewall was
for. I had a small battle with them but they finally relented and
configured the router the way I asked them to.

We just had a second circuit installed and I had to go through the same
routine with them and the end result was the same.

Am I missing something here? Is it not better to have both packet
filtering applied on the router and a firewall behind it? Is there
something inherently wrong with this or is this just a case of our ISP
not really giving a damn about security and on top of it being lazy?
Any comments would be appreciated.

-Geoff
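
An added illustration, not part of either poster's message: a small Python model of the two layers discussed in this thread, an inbound router ACL in front of a firewall. The addresses (documentation ranges), rule sets and function names are constructed for the example; `None` models an interface with no ACL applied, which passes everything, while a non-empty applied list ends in an implicit deny.

```python
from ipaddress import ip_address, ip_network

# Rule format: (action, source network, destination network, dest port or None = any).
# All addresses are constructed samples; 203.0.113.0/24 stands in for the site's LAN block.
ROUTER_INBOUND_ACL = [
    ("deny",   "10.0.0.0/8",     "0.0.0.0/0",      None),  # private source arriving from outside
    ("deny",   "172.16.0.0/12",  "0.0.0.0/0",      None),
    ("deny",   "192.168.0.0/16", "0.0.0.0/0",      None),
    ("deny",   "203.0.113.0/24", "0.0.0.0/0",      None),  # our own block as source = spoofed
    ("permit", "0.0.0.0/0",      "203.0.113.0/24", None),  # everything else goes on to the firewall
]

FIREWALL_RULES = [
    ("permit", "0.0.0.0/0", "203.0.113.25/32", 25),  # mail host (constructed)
    ("permit", "0.0.0.0/0", "203.0.113.80/32", 80),  # web host (constructed)
]


def evaluate(rules, src, dst, dport):
    """First matching rule wins. rules=None means no filter is applied
    (all traffic passes); a non-empty list falls through to an implicit deny."""
    if rules is None:
        return "permit"
    for action, src_net, dst_net, port in rules:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and port in (None, dport)):
            return action
    return "deny"


def path(router_acl, firewall, src, dst, dport):
    """Report which layer drops an inbound packet, or 'delivered'."""
    if evaluate(router_acl, src, dst, dport) == "deny":
        return "dropped at router"
    if evaluate(firewall, src, dst, dport) == "deny":
        return "dropped at firewall"
    return "delivered"


if __name__ == "__main__":
    spoofed = ("203.0.113.7", "203.0.113.25", 25)  # inside address seen on the outside link
    print("router ACL applied:", path(ROUTER_INBOUND_ACL, FIREWALL_RULES, *spoofed))
    print("no router ACL     :", path(None, FIREWALL_RULES, *spoofed))
```

In this model the firewall's "any source to the mail host" rule lets the spoofed packet through when the router has no ACL, and the router filter is the layer that stops it.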




