Pantek Library

RE: Router Packet Filtering and Firewalls

From: Paul Stewart <pauls(at)nexicom.net>
Date: Thu Jan 30 2003 - 12:17:01 EST


In my opinion.. This is a great question..:)

The more the better is always the thought, however when I configure such scenarios I prefer to have their firewall do the blocking and leave the router to do just routing (which it's best at anyways IMHO)....

This way you have one place to gather logging from and analysis. Of course I'm presuming that you are logging the denies and possibly permits against syslog or something similar...

I realize in this setup you only have one box protecting you versus potentially two.... But I like routers to do routing and firewalls to do firewalling.... Just my two cents worth.... This also keeps loading down on the router if you have a busy link...

Opinions on this would be really good.. I'd love to hear what others are doing...:)

---

Paul Stewart
Network Solutions Specialist
Nexicom Inc.

-----Original Message-----

From: Geoff Shatz [mailto:geoff.shatz@pchelps.com]
Sent: Wednesday, January 29, 2003 5:55 PM
To: security-basics@securityfocus.com
Subject: Router Packet Filtering and Firewalls

I am trying to confirm my thoughts regarding the use of router packet filtering in addition to having a firewall behind the router but first a little background...

Years ago when we first connected our firm to the Internet we did not have
a firewall but used packet filtering on the router to protect our perimeter.

As time progressed and security became a much greater issue for everyone in IT we moved forward and installed a firewall between our router and the LAN. I was managing our router at that time and kept the initial packet filters in place as I figured two layers of security were better than one.

A few years ago we were forced to switch ISPs and our new ISP managed the router they supplied to us. They supplied the router with no ACLs applied to either interface which as I understand it with Cisco IOS creates an implicit permit for both inbound and outbound.

After contacting technical support I was told none of their customers use
packet filtering at the router level and that's what a firewall was for. I had a small battle with them but they finally relented and configured the router the way I asked them to.

We just had a second circuit installed and I had to go through the same routine with them and the end result was the same.

Am I missing something here? Is it not better to have both packet filtering applied on the router and a firewall behind it? Is there something inherently wrong with this or is this just a case of our ISP not
really giving a damn about security and on top of it being lazy? Any comments would be appreciated.

-Geoff
Received on Fri Jan 31 12:49:11 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:40 EDT

