RE: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
Verizon filters unsolicited inbound traffic for their EVDO customers in my experience. - S -----Original Message----- From: Roland Dobbins <rdobbins@cisco.com> Sent: Thursday, April 09, 2009 09:32 To: NANOG list <nanog@nanog.org> Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ? On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
Please share your thought and thanks in advance :)
No, IMHO. Most broadband operators don't insert firewalls inline in front of their subscribers, and wireless broadband is no different. The infrastructure itself must be protected via iACLs, the various vendor-specific control-plane protection mechanisms, and so forth, but inserting additional state in the middle of everything doesn't buy anything, and introduces additional constraints and concerns. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile Our dreams are still big; it's just the future that got small. -- Jason Scott
Yep verizon does indeed filter all unsolicated inbound traffic to the EVDO network. It can be a blessing or a curse. :) Skywing wrote:
Verizon filters unsolicited inbound traffic for their EVDO customers in my experience.
- S
-----Original Message----- From: Roland Dobbins <rdobbins@cisco.com> Sent: Thursday, April 09, 2009 09:32 To: NANOG list <nanog@nanog.org> Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
Please share your thought and thanks in advance :)
No, IMHO. Most broadband operators don't insert firewalls inline in front of their subscribers, and wireless broadband is no different.
The infrastructure itself must be protected via iACLs, the various vendor-specific control-plane protection mechanisms, and so forth, but inserting additional state in the middle of everything doesn't buy anything, and introduces additional constraints and concerns.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
Our dreams are still big; it's just the future that got small.
-- Jason Scott
Hi Charles/Skywing, is Verizon filter the unsolicated inbound traffic on the firewall or on the border router? Regards, Steven Lee -----Original Message----- From: Charles Wyble [mailto:charles@thewybles.com] Sent: Friday, April 10, 2009 6:09 AM To: Skywing Cc: NANOG list Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ? Yep verizon does indeed filter all unsolicated inbound traffic to the EVDO network. It can be a blessing or a curse. :) Skywing wrote:
Verizon filters unsolicited inbound traffic for their EVDO customers in my experience.
- S
-----Original Message----- From: Roland Dobbins <rdobbins@cisco.com> Sent: Thursday, April 09, 2009 09:32 To: NANOG list <nanog@nanog.org> Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
Please share your thought and thanks in advance :)
No, IMHO. Most broadband operators don't insert firewalls inline in front of their subscribers, and wireless broadband is no different.
The infrastructure itself must be protected via iACLs, the various vendor-specific control-plane protection mechanisms, and so forth, but inserting additional state in the middle of everything doesn't buy anything, and introduces additional constraints and concerns.
----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
Our dreams are still big; it's just the future that got small.
-- Jason Scott
That's why you use Teredo - it defeats that sort of simple statefulness, and works. ((SSH'ed from one laptop (WinXP, using MS's Teredo over double-NATed v4 connection) to another laptop (Ubuntu, EVDO, + Miredo) ... although it was pretty slow, it fit my needs at the time.)) For a time, maybe still today?, 6to4 would work as well. That is, the carrier may have been filtering unsolicited TCP/UDP ... but not Protocol41. (Off the top of my head, I forget which providers fell into which side of the ItWorked | ItStillWorks camp) /TJ
-----Original Message----- From: Charles Wyble [mailto:charles@thewybles.com] Sent: Thursday, April 09, 2009 6:09 PM To: Skywing Cc: NANOG list Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
Yep verizon does indeed filter all unsolicated inbound traffic to the EVDO network. It can be a blessing or a curse. :)
Skywing wrote:
Verizon filters unsolicited inbound traffic for their EVDO customers in my experience.
- S
-----Original Message----- From: Roland Dobbins <rdobbins@cisco.com> Sent: Thursday, April 09, 2009 09:32 To: NANOG list <nanog@nanog.org> Subject: Re: Do we still need Gi Firewall for 3G/UMTS/HSPA network ?
On Apr 9, 2009, at 11:48 PM, Lee, Steven (NSG Malaysia) wrote:
Please share your thought and thanks in advance :)
No, IMHO. Most broadband operators don't insert firewalls inline in front of their subscribers, and wireless broadband is no different.
The infrastructure itself must be protected via iACLs, the various vendor-specific control-plane protection mechanisms, and so forth, but inserting additional state in the middle of everything doesn't buy anything, and introduces additional constraints and concerns.
---------------------------------------------------------------------- - Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
Our dreams are still big; it's just the future that got small.
-- Jason Scott
participants (4)
-
Charles Wyble -
Lee, Steven (NSG Malaysia) -
Skywing -
TJ