Firewall Wizards mailing list archives

Re: Filter routers? (was Re:logs)


From: stephane nasdrovisky <stephane.nasdrovisky () paradigmo com>
Date: Fri, 01 Oct 2004 14:39:40 +0200

Kevin wrote:

> How common is it to deploy filter routers to pre-process traffic before it gets to the firewalls? How elaborate do you get with these ACLs?
I try to have ACLs +/- matching the firewall rules; this way, the firewall only logs very suspicious traffic (and accepted traffic).

> Simple "ingress" filtering at the DMZ is a best practice, and it's not uncommon to additionally do "egress" filtering, usually in the same DMZ router.

What do you mean by DMZ? If you're talking about the network between the fw and the Internet:
- There are only Internet access routers on this network.
- Wherever possible, the routers filter private addresses (both ingress and egress); this is the first layer of anti-spoofing and an address-translation debugging tool.

> At the DMZ, I find little value in logging denied traffic.

I personally like to log everything, mainly for troubleshooting reasons. I reduce the firewall log noise by filtering at the router side. The routers log to syslog, keeping the noise out of my firewall(s) log.

> It makes sense to me to simply deny the "noise", traffic which would otherwise increase the load on firewalls (generating and writing deny log events) to no real end.
I log everything because I want to be almost sure 'it will work' even during an attack involving many logged events. (I've seen some Nokia 440 firewalls rebooting during a SYN flood, due to logging and SYNDefender.)

> Anything matching these sources must be spoofed, cannot readily be traced back to the source.

Note that there is a trackback/traceback RFC defining a way to know where the spoofed packets really come from... Unfortunately:
- It needs many spoofed packets coming from the same real source.
- This is not implemented in most (or even any) routers!
- Last time I looked at it, it was still under development.
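The layered design described in this reply (router ACLs that roughly mirror the firewall policy, private-address sources dropped in both directions, and the router's own deny logs sent to syslog so the firewall only logs what is left) can be illustrated with the following added example. It is not code from the original post or from any vendor: it generates Cisco IOS-style extended ACL text from a constructed firewall policy that uses documentation address ranges (203.0.113.0/24 as "our" public prefix, 198.51.100.0/24 as Internet clients) and assumed hosts, ports and ACL names, then walks constructed inbound packets through the ingress ACL to show which ones still reach the firewall and which are dropped and logged at the router. The syslog line format is an approximation of what IOS emits, not a captured message.

```python
"""Router ACLs mirroring a firewall policy, plus anti-spoofing entries (illustrative, constructed)."""
import ipaddress

# Constructed policy: assumed names, ports and documentation address ranges.
PUBLIC_PREFIXES = ["203.0.113.0/24"]           # our own routed public space (assumed)
FIREWALL_RULES = [                              # (proto, dst host, dst port) the firewall permits inbound
    ("tcp", "203.0.113.10", 80),
    ("tcp", "203.0.113.10", 443),
    ("udp", "203.0.113.53", 53),
]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
BOGONS = RFC1918 + ["127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]


def wildcard(net):
    """Render a prefix as 'network wildcard-mask' (the Cisco wildcard is the inverted netmask)."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.hostmask}"


def ingress_acl(name="INET-IN"):
    """ACL applied inbound on the Internet-facing interface."""
    lines = [f"ip access-list extended {name}"]
    for net in BOGONS:                    # first anti-spoofing layer: no private/bogon sources from outside
        lines.append(f" deny ip {wildcard(net)} any log")
    for net in PUBLIC_PREFIXES:           # nobody outside may claim to be us
        lines.append(f" deny ip {wildcard(net)} any log")
    for proto, dst, port in FIREWALL_RULES:   # mirror the firewall policy so only plausible flows reach it
        lines.append(f" permit {proto} any host {dst} eq {port}")
    lines.append(" permit tcp any any established")   # return traffic of outbound TCP sessions (simplified)
    lines.append(" deny ip any any log")              # the "noise" is dropped and logged here, not at the firewall
    return lines


def egress_acl(name="INET-OUT"):
    """ACL applied outbound: a leaked private source usually means a NAT mistake, hence the log."""
    lines = [f"ip access-list extended {name}"]
    for net in RFC1918:
        lines.append(f" deny ip {wildcard(net)} any log")
    for net in RFC1918:
        lines.append(f" deny ip any {wildcard(net)} log")
    for net in PUBLIC_PREFIXES:
        lines.append(f" permit ip {wildcard(net)} any")
    lines.append(" deny ip any any log")
    return lines


def _spec(tokens):
    """Consume one address spec ('any', 'host X', or 'A WILDCARD') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wc = tokens[0], tokens[1]
    prefix = 32 - bin(int(ipaddress.ip_address(wc))).count("1")   # contiguous wildcard -> prefix length
    return ipaddress.ip_network(f"{addr}/{prefix}"), tokens[2:]


def acl_verdict(acl, proto, src, dst, dport=None, established=False):
    """Walk the generated ACL top-down like a router does; return (action, logged, matching entry)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl[1:]:
        tok = entry.split()
        action, eproto, rest = tok[0], tok[1], tok[2:]
        src_net, rest = _spec(rest)
        dst_net, rest = _spec(rest)
        port = None
        if rest[:1] == ["eq"]:
            port, rest = int(rest[1]), rest[2:]
        if eproto not in ("ip", proto) or s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        if "established" in rest and not established:
            continue
        return action, "log" in rest, entry.strip()
    return "deny", True, "implicit deny"


# Constructed inbound packets: (proto, src, dst, dst port)
SAMPLE_INBOUND = [
    ("tcp", "198.51.100.7", "203.0.113.10", 443),   # legitimate web client
    ("tcp", "10.1.2.3", "203.0.113.10", 80),         # private source from the Internet: spoofed
    ("tcp", "203.0.113.99", "203.0.113.10", 80),     # claims our own prefix: spoofed
    ("udp", "198.51.100.7", "203.0.113.53", 53),     # legitimate DNS query
    ("tcp", "198.51.100.9", "203.0.113.10", 22),     # service not in policy: noise
    ("tcp", "198.51.100.9", "203.0.113.53", 80),     # wrong host/port combination: noise
]


def filter_at_router(packets):
    """Return (packets passed on to the firewall, router syslog lines) for the ingress ACL."""
    acl, to_fw, syslog = ingress_acl(), [], []
    for proto, src, dst, dport in packets:
        action, logged, entry = acl_verdict(acl, proto, src, dst, dport)
        if action == "permit":
            to_fw.append((proto, src, dst, dport))
        elif logged:   # approximation of an IOS %SEC-6-IPACCESSLOGP message, not a captured one
            syslog.append(f"%SEC-6-IPACCESSLOGP: list INET-IN denied {proto} {src} -> {dst}({dport}) [{entry}]")
    return to_fw, syslog


if __name__ == "__main__":
    print("\n".join(ingress_acl() + [""] + egress_acl()))
    passed, logged = filter_at_router(SAMPLE_INBOUND)
    print(f"\n{len(passed)} packets reach the firewall; {len(logged)} dropped and logged at the router:")
    print("\n".join(logged))
```

Only the two packets that match the mirrored policy are handed to the firewall; the four others are dropped and logged on the router, which is exactly the split the reply describes. The `established` entry is a deliberate simplification of stateful return-traffic handling, and the egress ACL logs leaked private sources because, as the reply notes, they are as useful for catching translation mistakes as for anti-spoofing.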

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
