On Tue, Feb 7, 2012 at 4:42 PM, Leigh Porter <leigh.porter@ukbroadband.com> wrote:
-----Original Message----- From: Matthew Reath [mailto:matt@mattreath.com] Sent: 07 February 2012 21:34 To: nanog@nanog.org Subject: Firewalls in service provider environments
All,
Looking for some recommendations on firewall placement in service provider environments. I'm of the school of thought that in my SP network I do as little firewalling/packet filtering as possible. As in none,
I had a vendor actually suggest that that ALL my customer traffic should traverse a firewall. I asked why and they said "Ahhh it the internet, must have firewall". I suppose this must have been a great firewall.
'of china'! ha! hahaha.... anyway.
So yes I would agree with you, firewall nothing for your customers unless they are paying you for a specific service. Filtering known bad ports, well, what's a known bad port? Bad for one person may be quite important for another. Whilst filtering port 25 outbound may help prevent some bots from emanating spam, it certainly does a lot to annoy other people.
I think for a purely SP network, transit-provider core links sort of thing, why filter anything at all? why filter anything that's not destined to your own equipment? You can't possibly know what some customer (or set of customers) are going to do with their traffic, so you can't possibly filter it sanely/safely. for a consumer ISP, provided your TOS says it's ok, why not filter some common problems: tcp/25 ... not much else really... and REALLY you just want to send tcp/25 -> 587 on your mail-relays (or redirect to internal use addresses on the relays). If customers (in either case) want to pay you for 'security services' then rock some filters on their CPE, with the option to move that upstream to your PE if you have to (too much crap on customer link). -chris