Security Basics mailing list archives

RE: Router Packet Filtering and Firewalls


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Fri, 31 Jan 2003 17:34:55 -0000

You are right on all accounts and fair play to you for battling with
them.  

Yes they are more lazy than anything else and a preset configuration
naturally makes their life easier but that is not what you are paying
them for.  Might I also suggest that you get a copy of the flash memory
with the configuration from them on disk rather than leaving recovery to
them solely.  I would also make sure you get the password and keep an
eye on the router yourself too. (MRTG is great for this)

It is your organisation and your network.  If there is an incident it
will be your head too.  You decide what level of security you want and
they must provide it to their customer (i.e. you).  The customer is always
right after all and yes two layers of security is always better than
one.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Geoff Shatz [mailto:geoff.shatz () pchelps com] 
Sent: 29 January 2003 22:55
To: security-basics () securityfocus com
Subject: Router Packet Filtering and Firewalls




I am trying to confirm my thoughts regarding the use of router packet
filtering in addition to having a firewall behind the router but first a
little background...

Years ago when we first connected our firm to the Internet we did not
have a firewall but used packet filtering on the router to protect our
perimeter.

As time progressed and security became a much greater issue for everyone
in IT we moved forward and installed a firewall between our router and
the LAN. I was managing our router at that time and kept the initial packet
filters in place as I figured two layers of security were better than
one.

A few years ago we were forced to switch ISPs and our new ISP managed
the router they supplied to us. They supplied the router with no ACLs
applied to either interface which as I understand it with Cisco IOS creates an
implicit permit for both inbound and outbound.

After contacting technical support I was told none of their customers
use packet filtering at the router level and that's what a firewall was for.
I had a small battle with them but they finally relented and configured
the router the way I asked them to.

We just had a second circuit installed and I had to go through the same
routine with them and the end result was the same.

Am I missing something here? Is it not better to have both packet
filtering applied on the router and a firewall behind it? Is there
something inherently wrong with this or is this just a case of our ISP
not really giving a damn about security and on top of it being lazy? Any
comments would be appreciated.



-Geoff
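
Added example, not part of the original thread: one way to act on the advice to keep your own copy of the configuration and watch the router yourself is to audit that saved copy for active interfaces with nothing filtered in a direction, which is the state the ISP delivered. The sample configuration and the `audit_acls` helper are constructed for illustration; the check for an applied but undefined ACL assumes classic IOS behaviour, where such a list permits all traffic.

```python
import re
from itertools import takewhile

# Constructed sample of a saved IOS configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
 ip access-group 111 out
!
interface Serial1
 ip address 192.0.2.5 255.255.255.252
!
interface Ethernet0
 ip address 198.51.100.1 255.255.255.0
 ip access-group 120 in
!
interface Ethernet1
 shutdown
!
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
access-list 111 permit ip any any
"""


def audit_acls(config):
    """Map each active interface to the directions where nothing is filtered."""
    defined = set(re.findall(
        r"^(?:ip access-list (?:standard|extended)|access-list) (\S+)", config, re.M))
    findings = {}
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        lines = block.splitlines()
        # Interface sub-commands are indented; the first unindented line ends the block.
        body = [l.strip() for l in takewhile(lambda l: l.startswith(" "), lines[1:])]
        if "shutdown" in body:
            continue  # administratively down, carries no traffic
        matches = (re.fullmatch(r"ip access-group (\S+) (in|out)", l) for l in body)
        applied = {m.group(2): m.group(1) for m in matches if m}
        issues = []
        for direction in ("in", "out"):
            acl = applied.get(direction)
            if acl is None:
                issues.append(f"no access-group {direction}: nothing is filtered")
            elif acl not in defined:  # assumption: classic IOS permits all here
                issues.append(f"ACL {acl} {direction} is undefined: nothing is filtered")
        if issues:
            findings[lines[0].strip()] = issues
    return findings
```

Run it against each configuration copy the ISP hands over, and again after any change they make, so a circuit delivered without filters shows up before it carries traffic.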