RE: Router Packet Filtering and Firewalls

["Fitzgerald, John" <John.Fitzgerald () petro-canada com>]

I wouldn't expect the ISP to provide this service for nothing... it's a
considerable administrative burden, however, some ISPs may provide a
firewalled service. You can combine this firewalled service with your own
firewall to provide the layered security without having to purchase and
manage an additional filtering router.

Hopefully what you achieve (most suitable for a small shop) is  the
two-brain rule (where at least two people are involved in a firewall change
... one to make the change on the in-house firewall and a different person
to make the change at the ISP), also, proper change control will be required
by the ISP (so there's an audit of any changes made).

Even in some larger organisations you can often find that the perimeter
security is purely in the hands of one person - they can mistakenly or
maliciously open holes in the security. 

The benefit of having an additional in-house packet filter in a smaller
organisation is tempered by the fact that this is likely to be managed by
the same person (who may not be particularly expert in this area.)

Even better if the ISP installs the firewall at their end of the link
(although I've never heard of this being done) as the unwanted traffic would
never get to use up precious customer bandwidth.

Obviously there will be concerns at placing trust in a third party (although
the customer does maintain their own firewall and, hopefully, some form of
IDS ... or at least they monitor the firewall logs.) But it's not uncommon
(particularly in larger organisations) for the whole infrastructure to be
outsourced.

As I mention above, there may be benefits in using an ISP if they have
significant firewall expertise (this depends on their size and the number of
customers using the firewall service)... and if the service can stop errant
traffic using your bandwidth even better! (as I mention above, the norm is
for the firewall/filter to be placed at the customer site so there's no
saving in bandwidth) 

The downside is that the IDS (and/or firewall logs) at the customer site
never gets to see the full picture because the majority of (or maybe all)
malicious traffic is blocked at the ISP filter ... this could disguise
attack signatures (e.g. if you see a concerted attack from a particular IP
address from a specific source address then you would possibly block all
traffic from that address before they find a real hole or at least query the
ISP that owns that address)... I would hope that the ISP would be providing
this as a service. The ISP should have some expertise in spotting attack
signatures and have good communications channels to other ISPs to trace back
attacks ... again, for a small shop where there is no resource to properly
manage the perimeter security this may be the ideal service.

Going back to the ISP supplied/managed router at the customer site ...
although I wouldn't expect the ISP to provide customer supplied ACL (at no
extra cost) I think it's reasonable to expect the ISP to install ACL to
prevent the router itself being attacked.

John
-----Original Message-----
From: Rich MacVarish [mailto:rmacvarish () killergeek com]
Sent: 31 January 2003 13:08
To: security-basics () securityfocus com
Subject: RE: Router Packet Filtering and Firewalls


Greetings,

RFC 1918 specifies the reserved "private use" networks which should never
be seen across the public Internet.

RFC 2827 filtering specifies preventin a network's users from spoofing
other networks by preventing any outbound traffic on your network that
does not have a source address in your organization's own IP range. When
RFC 2827 filtering is implemented at the ISP, this filtering can help
prevent DDoS attack packets that use these addresses as sources from
traversing the WAN link, potentially saving bandwidth during the attack.

At the very least is your ISP filtering the RFC 1918 addresses and RFC
2827 filtering guidlines upon installation?. If they aren't I would say
that qualifies as negligence (maybe even stupidity).

That said, you are right, they are just being lazy.

Unfortunaely, having worked with many, many carriers I can say that this
is more the rule than the exception.

Rich Macvarish
Unemployed Network Security Administrator

"Insert whimsical signature file here"

            ***********************
This email communication is intended as a private communication for the sole use of the primary addressee and those 
individuals listed for copies in the original message. The information contained in this email is private and 
confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other 
dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized 
to receive this email and if you believe that you received it in error please notify the original sender immediately.  
We honour similar requests relating to the privacy of email communications.