Re: Router Packet Filtering and Firewalls

From: Mark Reardon <riscorp(at)mindspring.com>
Date: Thu Jan 30 2003 - 16:32:15 EST

-------Original Message-------
From: Geoff Shatz <geoff.shatz@pchelps.com> Sent: 01/29/03 05:54 PM
To: security-basics@securityfocus.com
Subject: Router Packet Filtering and Firewalls

>
>

I am trying to confirm my thoughts regarding the use of router packet filtering in addition to having a firewall behind the router but first a little background...

Years ago when we first connected our firm to the Internet we did not have

a firewall but used packet filtering on the router to protect our perimeter.

As time progressed and security became a much greater issue for everyone in IT we moved forward an installed a firewall between our router and the LAN. I was managing our router at that time and kept the initial packet filters in place as I figured two layers of security were better than one.

A few years ago we were forced to switch ISP's and our new ISP managed the

router they supplied to us. They supplied the router with no ACL's applied

to either interface which as I understand it with Cisco IOS creates an implicit permit for both inbound and outbound.

After contacting technical support I was told none of their customers use packet filtering at the router level and that's what a firewall was for. I had a small battle with them but they finally relented and configured the router the way I asked them to.

We just had a second circuit installed and I had to go through the same routine with them and the end result was the same.

Am I missing something here? Is it not better to have both packet filtering applied on the router and a firewall behind it? Is there something inherently wrong with this or is this just a case of our ISP not

really giving a damn about security and on top of it being lazy? Any comments would be appreciated.

-Geoff

> End of Original Message

Geoff,

The protection is better with redundant rules. If the router fails (usually an operator's error) the Firewalls rules should both protect you and alert you to the router's failure to act properly. This allows you to contact the router's support team and get the filter corrected.

Your ISP's position is one of economics, not being lazy. Each company has different rules requirements, especially to keep things host specific. You are putting the ISP in the position of supporting your specific security policy and procedures. They have probably priced the service without this overhead. Also, if your company wants a change, they have to log in and make it and they are responsible if the rule change causes an outage.

As usual there are two sides to the issue, and in this case the trade-off is the ISP's profits vs. your security. Since you got the ISP to give in let me just point out one final issue.

You now have an external company managing part of your security and they don't want to do it. If the router filters fail the ISP will probably deny any responsibility. I would suggest to your management that you purchase a filtering router to sit between the ISP and your installation so you control the filters and can better manage your security.

Mark

---

Mark Reardon
Reardon Information Security Corporation 156 Blue Sky Drive
Marietta, GA 30068
(770) 565-0544
(404) 444-0041 cell Received on Fri Jan 31 13:11:15 2003