On Tue, Feb 7, 2012 at 4:31 PM, Matthew Reath <matt@mattreath.com> wrote:
Looking for some recommendations on firewall placement in service provider environments. I'm of the school of thought that in my SP network I do as little firewalling/packet filtering as possible. As in none, leave that to my end users or offer a "managed" firewall solution where if a customer signs up for the extra service I put him in a VRF or VLAN that is "behind" a firewall and manage that solution for them. Otherwise I don't prefer to have a firewall inline in my service provider network for all customer traffic to go through. I can accomplish filtering of known bad ports on my edge routers either facing my customers or upstream providers.
What is the group's thought on this?
Hi Matthew,

It Depends.

High end business customers (of the BGP speaking variety) generally appreciate having a remote triggered black hole facility. That's a kind of firewall. http://tools.ietf.org/html/rfc5635

Business customers in general shouldn't be filtered unless they buy a managed firewall service from you. Don't tamper with their DNS either!

When you get down to the residential and Internet Cafe type users, there is some common filtering you should consider:

TCP SYN to port 25 outbound from your dynamic IP customers should generally be disallowed except to your local mail servers. 99 times out of 100, connections originating to this port from dynamic IP customers will be Email Spam from an infected PC. This will hurt you. It will hurt you with spam complaints. It will hurt you with adverse action by RBL providers. It will hurt you with damage to your reputation and brand. http://www.spamhaus.org/faq/answers.lasso?section=isp%20spam%20issues#133

Blocking TCP and UDP 137, 138, 139 and 445 is not terribly unusual. These are associated with Microsoft file sharing protocols. Off the LAN and outside the enterprise anybody actually open to this traffic is generally asking to be hacked. Then a spam bot is installed and you have another problem customer who isn't paying you enough to deal with that crap.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
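The two residential-customer filters Bill describes (new outbound SMTP only to the provider's own mail servers, and no Microsoft file-sharing ports at all), modelled as first-match edge ACL logic over constructed packets. This is an added example, not code from the thread; the dynamic pool and mail-server addresses are assumed placeholders, and business/static customers deliberately fall through to the implicit permit.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address ranges (assumptions, not taken from the thread).
DYNAMIC_POOLS = [ipaddress.ip_network("100.64.0.0/16")]       # residential / cafe DHCP pool
LOCAL_MAIL_SERVERS = [ipaddress.ip_network("192.0.2.25/32")]  # the provider's own SMTP relay
MS_FILESHARE_PORTS = {137, 138, 139, 445}                     # NetBIOS / SMB

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set

def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def customer_edge_filter(pkt: Packet) -> str:
    """Decide 'permit' or 'deny' for a packet entering on the customer-facing edge.

    Evaluation mirrors a router ACL: first match wins, and the final action is
    permit because the thread's stance is to filter as little as possible."""
    # Rule 1: Microsoft file-sharing ports never leave the access network, TCP or UDP,
    # for any customer. Nothing legitimate crosses the provider network on these.
    if pkt.proto in ("tcp", "udp") and pkt.dport in MS_FILESHARE_PORTS:
        return "deny"
    # Rule 2: a *new* SMTP connection (SYN without ACK) from a dynamic-IP customer is
    # allowed only towards the provider's own mail servers. Established traffic
    # (ACK set) is left alone, as a router "established" rule would do.
    if (pkt.proto == "tcp" and pkt.dport == 25 and pkt.syn and not pkt.ack
            and _in_any(pkt.src, DYNAMIC_POOLS)):
        return "permit" if _in_any(pkt.dst, LOCAL_MAIL_SERVERS) else "deny"
    # Implicit permit: business customers, other ports, and mid-connection packets.
    return "permit"

if __name__ == "__main__":
    samples = [  # constructed flows for illustration
        Packet("tcp", "100.64.3.7", "203.0.113.9", 25, syn=True),   # bot -> remote MX
        Packet("tcp", "100.64.3.7", "192.0.2.25", 25, syn=True),    # customer -> ISP relay
        Packet("udp", "100.64.3.7", "198.51.100.4", 137),           # NetBIOS name service
        Packet("tcp", "10.9.0.2", "203.0.113.9", 25, syn=True),     # static business customer
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}  {customer_edge_filter(p)}")
```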