nanog mailing list archives

Re: Telco's write best practices for packet switching networks


From: "Christopher L. Morrow" <chris () UU NET>
Date: Fri, 8 Mar 2002 04:42:40 +0000 (GMT)
On Thu, 7 Mar 2002, Sean Donelan wrote:
My comment was originally prompted by the meeting minutes which
reported on the survey data showing that 100% of carriers are implementing
firewalls in their gateways.  The 100% is what caught my eye.  As the
topic comes up in various places, large ISPs repeatedly say they are
unable to implement filters or packet screening on their high-speed
links such as at peering points.  So the self-reported 100% implementation
of screening and filtering firewalls at gateways didn't seem to jibe
with my understanding of the limitations faced by large ISPs.

Yes... hmm, I didn't read the report/minutes BUT I'd think this might mean
2 things:
1) the filtering is on the gateways (routers) 'for the router' (vty acls,
loopback filters, snmp filters, ntp filters...)
2) the filtering is on the ISP's corporate connection to the 'internet'

I'd think 1 more likely the correct interpretation than 2. I'd doubt this
was meant to be applied to 'all interfaces on the gateways' in the sense
that all interfaces have a traffic filter on them.  That really isn't a
scalable/manageable/workable (without melting a router) solution. (yes, I
know a juniper can probably filter on all interfaces at 'line rate' but
not everyone has junipers at their edge so the 100% would not apply here)


Firewalls can be a useful tool in the security engineer's toolbox.  But
they get misused a lot.  I don't believe security engineers are better
programmers.  If there was a class of programmers in the world that didn't
make mistakes, I would hire them to write the applications. When the
firewall is more complex than the application server it is "protecting"
which is likely to have more mistakes?
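What interpretation (1) looks like in practice, as an added example that is not part of the original message or of the report it discusses: a Cisco IOS fragment that filters traffic addressed to the router itself (vty, SNMP, NTP, and the loopback address) while leaving transit traffic on the high-speed interfaces unfiltered. All addresses are assumed RFC 5737 documentation values (192.0.2.0/24 as the NOC network, 198.51.100.1 as the router loopback, 203.0.113.1 as a BGP peer). The `access-class`, `snmp-server community ... RO <acl>` and `ntp access-group` knobs are generic IOS; the receive ACL (`ip receive access-list`) is platform-specific (Cisco 12000 series, 12.0S-era IOS) and is the piece that covers packets destined to the loopback without touching transit packets.

```cisco
! Added example, not from the original message. Addresses are assumed
! RFC 5737 documentation ranges; replace with your own.
!
! --- who may talk to the router's own services ---
access-list 10 remark assumed NOC / management network
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
access-list 11 remark assumed NTP servers this router syncs with
access-list 11 permit 192.0.2.10
access-list 11 permit 192.0.2.11
!
! --- vty: remote login to the router, not a transit filter ---
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! --- SNMP: read-only community bound to the management ACL ---
snmp-server community EXAMPLE-RO RO 10
!
! --- NTP: only the listed servers may act as peers ---
ntp access-group peer 11
!
! --- loopback: the router's own stable address ---
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! --- receive ACL: applied to packets *destined to the router* only ---
! Cisco 12000 series specific. Transit packets never hit this list, so it
! does not cost line-rate forwarding on the peering interfaces.
access-list 120 remark BGP with assumed eBGP peer, both directions
access-list 120 permit tcp host 203.0.113.1 host 198.51.100.1 eq bgp
access-list 120 permit tcp host 203.0.113.1 eq bgp host 198.51.100.1
access-list 120 remark management from the NOC (ssh, snmp)
access-list 120 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
access-list 120 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq snmp
access-list 120 remark NTP replies from the assumed servers
access-list 120 permit udp host 192.0.2.10 eq ntp host 198.51.100.1 eq ntp
access-list 120 permit udp host 192.0.2.11 eq ntp host 198.51.100.1 eq ntp
access-list 120 remark ICMP so the loopback still answers ping/traceroute
access-list 120 permit icmp any host 198.51.100.1 echo
access-list 120 permit icmp any host 198.51.100.1 ttl-exceeded
access-list 120 permit icmp any host 198.51.100.1 unreachable
access-list 120 remark everything else addressed to the router is dropped
access-list 120 deny   ip any any log
!
ip receive access-list 120
```

Two caveats a practitioner would check before deploying this. First, the receive ACL ends in `deny ip any any`, so every routing-protocol neighbour and every interface address the router answers on must be enumerated in it, or those sessions drop; stage it with `permit ... log` entries first and read the hit counters. Second, this is exactly the class of filter Chris describes: it scales because it only sees packets whose destination is the router, which is a tiny fraction of what crosses a peering link, and it is the plausible reading of "100% of carriers implement firewalls in their gateways" rather than per-interface transit filtering.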