On Thu, 9 Apr 2009, Lee, Steven (NSG Malaysia) wrote:
Hi all, in most of the existing 2G/2.5G mobile PS-core (Packet Switch) networks have Gi segment (interface between GGSN & IP Router/firewall). Due to the IP address constraint, operator usually do NAT on the Gi firewall to NAT the private IP to public IP in the past. Looking at the traffic pattern and user access behaviour, does it make sense to have firewall between the GGSN & Public Internet if the public IP addresses are sufficient to cater for mobile subscribers? Especially with 3G/UMTS/HSPA or even LTE in the future.
The only reason I see to have a FW on Gi would be to have a stateful device to stop scanning from the Internet towards the mobile devices (I don't know how much SYNs you see on a /16 nowadays, it used to be quite a lot). I know mobile operators who have been operating with public IPs to all customers without FW for a lot of years. Todays GGSN and other devices should handle it, even though they didn't do it well 5+ years back. -- Mikael Abrahamsson email: swmike@swm.pp.se