Firewalls in service provider environments

Matthew Reath matt at mattreath.com
Tue Feb 7 21:52:04 UTC 2012


>
>
>> -----Original Message-----
>> From: Matthew Reath [mailto:matt at mattreath.com]
>> Sent: 07 February 2012 21:34
>> To: nanog at nanog.org
>> Subject: Firewalls in service provider environments
>>
>> All,
>>
>> Looking for some recommendations on firewall placement in service
>> provider
>> environments.  I'm of the school of thought that in my SP network I do
>> as
>> little firewalling/packet filtering as possible. As in none,
>
> I had a vendor actually suggest that that ALL my customer traffic should
> traverse a firewall. I asked why and they said "Ahhh it the internet, must
> have firewall". I suppose this must have been a great firewall.
>
> So yes I would agree with you, firewall nothing for your customers unless
> they are paying you for a specific service. Filtering known bad ports,
> well, what's a known bad port? Bad for one person may be quite important
> for another. Whilst filtering port 25 outbound may help prevent some bots
> from emanating spam, it certainly does a lot to annoy other people.
>
> --
> Leigh Porter
>
>

From a filtering perspective, there are some known worm ports and such that
we usually have a template created for.

Here is the template we typically use (or a variant of it):

<-- snippet -->
access-list 102 remark Drop packets that claim a private, reserved, loopback,
access-list 102 remark multicast or broadcast source (bogons)
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 remark Windows RPC / NetBIOS / SMB and other ports used by worms
access-list 102 deny   tcp any any eq 135
access-list 102 deny   udp any any eq 135
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ss
access-list 102 deny   tcp any any eq 445
access-list 102 deny   tcp any any eq 593
access-list 102 deny   tcp any any eq 4444
access-list 102 deny   tcp any any eq 9996
access-list 102 deny   tcp any any eq 5554
access-list 102 deny   tcp any any eq 8888
access-list 102 deny   tcp any any eq 7778
access-list 102 deny   tcp any any eq 8594
access-list 102 deny   tcp any any eq 8563
access-list 102 deny   tcp any any eq 1434
access-list 102 remark Everything else passes. Without this line the implicit
access-list 102 remark deny at the end of every IOS ACL would drop all traffic.
access-list 102 permit ip any any
<-- end snippet -->

This blocks some common worm ports as well as traffic sourced outside of
our network from reserved address space.

-Matt
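An added example, not from the post above or from any vendor tooling: a small Python model of how IOS walks a numbered extended ACL (first match wins, implicit deny at the end), used to check the template against constructed sample packets before it goes on a router. It embeds a verbatim copy of the template's deny lines; the trailing `permit ip any any` is the example's own addition, and the hosts 203.0.113.7 (Internet side) and 198.51.100.5 (customer side) are constructed documentation addresses. Two things become visible when it runs: with no final permit, ordinary web traffic falls through to the implicit deny, and because the copy lists 1434 for TCP only, a UDP/1434 datagram (the port SQL Slammer spread on) is not matched by any deny line.

```python
import ipaddress

# Service names IOS accepts in place of numbers (subset; constructed for this example).
IOS_PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# The deny lines of the template posted above, copied verbatim.
TEMPLATE = """\
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 0.0.0.0 0.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 224.0.0.0 15.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   tcp any any eq 135
access-list 102 deny   udp any any eq 135
access-list 102 deny   udp any any eq netbios-ns
access-list 102 deny   tcp any any eq 139
access-list 102 deny   udp any any eq netbios-ss
access-list 102 deny   tcp any any eq 445
access-list 102 deny   tcp any any eq 593
access-list 102 deny   tcp any any eq 4444
access-list 102 deny   tcp any any eq 9996
access-list 102 deny   tcp any any eq 5554
access-list 102 deny   tcp any any eq 8888
access-list 102 deny   tcp any any eq 7778
access-list 102 deny   tcp any any eq 8594
access-list 102 deny   tcp any any eq 8563
access-list 102 deny   tcp any any eq 1434
"""

# Added by this example, not part of the post: the final permit a deployable ACL
# needs, because IOS ends every ACL with an implicit "deny ip any any".
FINAL_PERMIT = "access-list 102 permit ip any any\n"


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is an inverted netmask: 0.255.255.255 means /8.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[i], str(netmask)), strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <number|name>' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else IOS_PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Parse numbered extended ACL lines, in order, into
    (action, proto, src_net, src_port, dst_net, dst_port, normalized_text) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport, " ".join(tokens)))
    return entries


def evaluate(entries, src_ip, dst_ip, proto, dport=None, sport=None):
    """First-match walk as IOS does it. Returns (action, matching line);
    a packet that matches nothing hits the implicit deny: ("deny", None)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, eproto, esrc, esport, edst, edport, text in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if src not in esrc or dst not in edst:
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, text
    return "deny", None


# Constructed sample traffic: 203.0.113.7 is an Internet host, 198.51.100.5 a customer.
SAMPLE_PACKETS = [
    ("spoofed RFC1918 source", "10.1.2.3", "198.51.100.5", "tcp", 80),
    ("NetBIOS name service", "203.0.113.7", "198.51.100.5", "udp", 137),
    ("plain web traffic", "203.0.113.7", "198.51.100.5", "tcp", 80),
    ("MS-SQL over TCP", "203.0.113.7", "198.51.100.5", "tcp", 1434),
    ("MS-SQL resolution over UDP (Slammer)", "203.0.113.7", "198.51.100.5", "udp", 1434),
]


def audit(acl_text):
    """Return {description: action} for the sample packets run against acl_text."""
    entries = parse_acl(acl_text)
    return {desc: evaluate(entries, s, d, p, port)[0] for desc, s, d, p, port in SAMPLE_PACKETS}


if __name__ == "__main__":
    print("template only      :", audit(TEMPLATE))
    print("template + permit  :", audit(TEMPLATE + FINAL_PERMIT))
```

Running it prints the verdict per sample packet for the bare template (everything denied, because nothing reaches a permit) and for the template with the final permit (bogon source, NetBIOS and TCP/1434 denied; web traffic and UDP/1434 permitted). The same `audit` call is the place to add a line per port or protocol you actually care about before an ACL like this is applied to a customer-facing interface.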

More information about the NANOG mailing list