Security Basics mailing list archives

RE: Router Packet Filtering and Firewalls


From: "Paul Stewart" <pauls () nexicom net>
Date: Fri, 31 Jan 2003 14:19:05 -0500

Hey Trevor...

I believe you have summarized it perfectly and I highly agree.  After
writing that email I realized that I left a few things out which you
have covered.  In our setups all of our routers are protected from IP
spoofing, smurfing and the typical stuff, including blocking private IPs
from traversing the router.  A totally unprotected router is very
dangerous indeed.  Last night we saw a user on the Internet trying
everything possible to use one of our Ciscos to launch an attack on
another site.  If there wasn't any filtering that person could have
created serious trouble for us and the receiving site.

Anyway, to further elaborate, we do use basic filtering on the router to
protect from broadcasts and common attacks.  Then we let the firewall do
its job. ;)

Take care.

---
Paul Stewart
Network Solutions Specialist
Nexicom Inc.


-----Original Message-----
From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie] 
Sent: Friday, January 31, 2003 1:49 PM
To: Paul Stewart
Cc: security-basics () securityfocus com
Subject: RE: Router Packet Filtering and Firewalls


I partially agree with you Paul in that a router is there to do
routing, but the overhead of routing is low and the router is well able
to withstand a bit of filtering too.  Certainly large, complicated filter
rule sets will put an overhead on the router, but that does not mean you
shouldn't use any filtering on your router.  Your router should block
broadcasts going all over the place for one, and certainly remote telnet
to your router should be disabled.  These are both filtering rules and I
don't see why you shouldn't add a few more rules to route more
specifically, get the value out of your router and get extra security
to boot.  The logging situation is quickly solved with a central logging
system for your DMZ setup.

In very many setups the router is the first line of defence and also the
first piece of equipment in need of defending.  Just look at the
potential of GRE tunnels to realise the damage that could be done by a
breached router.  NetBIOS broadcasts leaving a router will reveal far
more information than would be desired by any network admin.  On this
list just recently one member asked about heartbeat traffic
showing up on his IDS.  Router filter rules, in my very humble opinion, are
needed and I certainly advise anyone who cares to listen (they are few
and far between) that the router should be very secure and well
hardened.

I would never consider a router a firewall alternative however.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499
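An added example, not from any of the posters, of the basic router filtering Paul and Trevor describe (anti-spoofing, dropping private sources, no directed broadcasts, no remote telnet, logs to a central syslog host) written as a Cisco IOS configuration. The interface names, the 203.0.113.0/24 public block, the 192.168.1.0/24 management LAN and the syslog host address are all assumptions.

```cisco
! Constructed example: WAN interface Serial0/0, inside interface
! FastEthernet0/0 towards the firewall, public block 203.0.113.0/24
! (router address 203.0.113.1), management LAN 192.168.1.0/24 and a
! central syslog host at 192.168.1.10. Adjust all of these to taste.
!
! Ingress filter on the Internet-facing interface
ip access-list extended INTERNET-IN
 remark Anti-spoofing: nobody outside may claim our own addresses
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Drop RFC 1918, loopback, link-local and "this network" sources
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark Nothing from outside may talk to the router's management services
 deny   tcp any host 203.0.113.1 eq telnet log
 deny   tcp any host 203.0.113.1 eq 22 log
 deny   udp any host 203.0.113.1 eq snmp log
 remark Everything else is passed on to the firewall for stateful inspection
 permit ip any any
!
! Egress filter: only our own block may leave, so a compromised inside
! host cannot use this router to spoof traffic at another site
ip access-list extended INTERNET-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
!
! Smurf protection: never turn a directed broadcast into a LAN broadcast
! (explicit here even on IOS versions where it is already the default)
interface FastEthernet0/0
 no ip directed-broadcast
!
! Management plane: telnet off, SSH only from the management LAN
ip access-list standard MGMT-ONLY
 permit 192.168.1.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
!
! Ship the ACL deny logs to the same syslog box the firewall reports to
logging host 192.168.1.10
logging trap informational
```

The `log` keyword on the deny entries is what gives the single central logging view Trevor mentions; without it the router drops silently and only the firewall's view remains.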



-----Original Message-----
From: Paul Stewart [mailto:pauls () nexicom net] 
Sent: 30 January 2003 17:17
To: 'Geoff Shatz'; security-basics () securityfocus com
Subject: RE: Router Packet Filtering and Firewalls


In my opinion.. This is a great question..:)  

The more the better is always the thought, however when I configure such
scenarios I prefer to have the firewall do the blocking and leave the
router to do just routing (which it's best at anyway, IMHO)....

This way you have one place to gather logging from and analyse.  Of
course I'm presuming that you are logging the denies and possibly
permits against syslog or something similar...

I realize in this setup you only have one box protecting you versus
potentially two.... But I like routers to do routing and firewalls to
do firewalling.... Just my two cents worth.... This also keeps loading
down on the router if you have a busy link...

Opinions on this would be really good.. I'd love to hear what others are
doing...:)

---
Paul Stewart
Network Solutions Specialist
Nexicom Inc.


-----Original Message-----
From: Geoff Shatz [mailto:geoff.shatz () pchelps com] 
Sent: Wednesday, January 29, 2003 5:55 PM
To: security-basics () securityfocus com
Subject: Router Packet Filtering and Firewalls




I am trying to confirm my thoughts regarding the use of router packet
filtering in addition to having a firewall behind the router, but first a
little background...

Years ago when we first connected our firm to the Internet we did not
have a firewall but used packet filtering on the router to protect our
perimeter.

As time progressed and security became a much greater issue for everyone
in IT we moved forward and installed a firewall between our router and
the LAN. I was managing our router at that time and kept the initial packet
filters in place as I figured two layers of security were better than
one.

A few years ago we were forced to switch ISPs and our new ISP managed
the router they supplied to us. They supplied the router with no ACLs
applied to either interface, which as I understand it with Cisco IOS creates an
implicit permit for both inbound and outbound.

After contacting technical support I was told none of their customers
use packet filtering at the router level and that's what a firewall was for.
I had a small battle with them but they finally relented and configured
the router the way I asked them to.

We just had a second circuit installed and I had to go through the same
routine with them and the end result was the same.

Am I missing something here? Is it not better to have both packet
filtering applied on the router and a firewall behind it? Is there
something inherently wrong with this or is this just a case of our ISP
not really giving a damn about security and on top of it being lazy? Any
comments would be appreciated.

-Geoff

