On Wed, Feb 8, 2012 at 3:52 AM, William Herrin <bill@herrin.us> wrote:
> High end business customers (of the BGP speaking variety) generally appreciate having a remote triggered black hole facility. That's a kind of firewall. http://tools.ietf.org/html/rfc5635
While I 100% agree that sticking a stateful firewall into an SP environment is several kinds of dumb, I wouldn't run it wide open and unfiltered either. There are several things that an SP should definitely be looking at, that I'd still describe as a firewall, and are not the "stateful firewall / IDS / IPS magic black box" half the posters in this thread are instinctively reacting to. For the record, yes, I agree those are a bad idea.

But how about these? All of these are going to be implemented to a greater or a lesser degree, and in different places, depending on how you define SP (selling only transit OC-48s? T1..T3 to end user corporations? Datacenter hosting?)

1. S/RTBH

2. Netflow based devices (Arbor, Tivoli TNPFA flow analyzers, etc)

3. DDoS mitigation - possibly resold as an extra service [built inhouse / provided by other vendors or your upstream tier 1]

4. Router ACLs to get rid of common worm traffic

5. Filtering both ways to prevent async routing to bypass your filters (http://irbs.net/internet/nanog/0408/0405.html and in that thread, http://irbs.net/internet/nanog/0408/0465.html for a fun example)

6. Putting different customers into different VLANs rather than packing everybody into a single VLAN - that way they don't spoof unused IPs on the same VLAN (that is, unused IPs anywhere in your IP space .. and this is, like #5, a rather old attack that I haven't seen in a while, it used to be very popular with spammers some years back, and sticking your customers into separate VLANs anyway makes a lot of sense from a management perspective, let alone the security implications)

--srs

--
Suresh Ramasubramanian (ops.lists@gmail.com)
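As an added illustration of two items on that list (not code from the thread or from either poster), the block below is a toy flow analyzer over constructed NetFlow-style records. It applies the per-customer-VLAN source-address check behind items 5 and 6 (a source that does not belong to the prefix assigned to the VLAN it arrived on is flagged as spoofed, including "unused" space in the provider's own block) and the kind of packets-per-second trigger a flow-based device from item 2 would use to inject an RFC 5635 style destination /32 remote-triggered black hole: a host route whose next hop is a discard address that every edge router already sends to Null0, tagged with a community and no-export so it stays inside the SP network. The VLAN numbers, prefixes (RFC 5737 documentation ranges), discard next hop, community value and threshold are all assumptions chosen for the example.

```python
"""Toy SP flow analyzer: per-VLAN source validation plus an RFC 5635 style
destination RTBH trigger.  Added example; not from the NANOG thread.  All
addresses, VLAN IDs, the community and the threshold are assumed values."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed customer assignments: which prefixes may legitimately source
# traffic on which customer-facing VLAN.  192.0.2.128/25 is allocated to the
# SP but unassigned, so nothing may source from it on any VLAN.
VLAN_PREFIXES = {
    101: [ip_network("192.0.2.0/26")],    # customer A
    102: [ip_network("192.0.2.64/26")],   # customer B
}

# Assumed RTBH plumbing (RFC 5635 sec. 3.2): every edge router carries a
# static route for DISCARD_NEXT_HOP to Null0, so any BGP route whose next
# hop resolves to it is dropped in hardware at the edge.
DISCARD_NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "64496:666"   # assumed private community (AS 64496 is documentation space)
PPS_THRESHOLD = 100_000             # assumed trigger level


@dataclass(frozen=True)
class Flow:
    vlan: int        # ingress customer VLAN
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    packets: int     # packets in the flow record
    seconds: int     # flow duration


def source_allowed(vlan: int, src: str) -> bool:
    """True when src lies inside a prefix assigned to the ingress VLAN."""
    addr = ip_address(src)
    return any(addr in net for net in VLAN_PREFIXES.get(vlan, []))


def spoofed_flows(flows):
    """Flows whose source is not assigned to the VLAN they arrived on
    (covers both 'another customer's address' and 'unused SP space')."""
    return [f for f in flows if not source_allowed(f.vlan, f.src)]


def pps_by_destination(flows):
    """Aggregate integer packets-per-second per destination address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.packets // max(f.seconds, 1)
    return dict(totals)


def rtbh_routes(flows, threshold: int = PPS_THRESHOLD):
    """One destination /32 RTBH route per victim over the threshold.
    The route carries the discard next hop, the blackhole community and
    no-export so it is dropped at every edge but never leaves the AS."""
    routes = []
    for dst, pps in sorted(pps_by_destination(flows).items()):
        if pps >= threshold:
            routes.append({
                "prefix": f"{dst}/32",
                "next_hop": DISCARD_NEXT_HOP,
                "communities": [BLACKHOLE_COMMUNITY, "no-export"],
                "observed_pps": pps,
            })
    return routes


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    Flow(101, "192.0.2.5",   "198.51.100.10", packets=500,       seconds=10),  # A, legitimate
    Flow(102, "192.0.2.70",  "198.51.100.10", packets=800,       seconds=10),  # B, legitimate
    Flow(102, "192.0.2.200", "198.51.100.10", packets=1_000,     seconds=10),  # B spoofing unused SP space
    Flow(101, "192.0.2.66",  "198.51.100.99", packets=2_000_000, seconds=10),  # A spoofing B's address
    Flow(101, "192.0.2.9",   "198.51.100.99", packets=3_000_000, seconds=10),  # A flooding the same victim
]

if __name__ == "__main__":
    for f in spoofed_flows(SAMPLE_FLOWS):
        print(f"spoofed: vlan {f.vlan} src {f.src} -> {f.dst}")
    for r in rtbh_routes(SAMPLE_FLOWS):
        print(f"RTBH: {r['prefix']} next-hop {r['next_hop']} "
              f"community {' '.join(r['communities'])} ({r['observed_pps']} pps)")
```

Run as a script it reports the two spoofed flows and a single /32 for 198.51.100.99. Two caveats a practitioner would apply before using anything like this: the VLAN check only works if the access layer actually enforces the VLAN boundary (which is the point of item 6), and a destination RTBH completes the attacker's job for the victim host, so it is a last resort for protecting the rest of the network; a source-based RTBH (the S/RTBH of item 1, relying on loose-mode uRPF at the edge) is the choice when the attack sources are few and stable.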