Firewalls in service provider environments

William Herrin bill at herrin.us
Tue Feb 7 22:22:38 UTC 2012


On Tue, Feb 7, 2012 at 4:31 PM, Matthew Reath <matt at mattreath.com> wrote:
> Looking for some recommendations on firewall placement in service provider
> environments.  I'm of the school of thought that in my SP network I do as
> little firewalling/packet filtering as possible. As in none, leave that to
> my end users or offer a "managed" firewall solution where if a customer
> signs up for the extra service I put him in a VRF or VLAN that is "behind"
> a firewall and manage that solution for them. Otherwise I don't prefer to
> have a firewall inline in my service provider network for all customer
> traffic to go through. I can accomplish filtering of known bad ports on my
> edge routers either facing my customers or upstream providers.
>
> What is the group's thought on this?

Hi Matthew,

It Depends.

High end business customers (of the BGP speaking variety) generally
appreciate having a remote triggered black hole facility. That's a
kind of firewall. http://tools.ietf.org/html/rfc5635

Business customers in general shouldn't be filtered unless they buy a
managed firewall service from you. Don't tamper with their DNS either!

When you get down to the residential and Internet Cafe type users,
there is some common filtering you should consider:

TCP SYN to port 25 outbound from your dynamic IP customers should
generally be disallowed except to your local mail servers. 99 times
out of 100, connections originating to this port from dynamic IP
customers will be Email Spam from an infected PC. This will hurt you.
It will hurt you with spam complaints. It will hurt you with adverse
action by RBL providers. It will hurt you with damage to your
reputation and brand.

http://www.spamhaus.org/faq/answers.lasso?section=isp%20spam%20issues#133


Blocking TCP and UDP 137, 138, 139 and 445 is not terribly unusual.
These are associated with Microsoft file sharing protocols. Off the
LAN and outside the enterprise anybody actually open to this traffic
is generally asking to be hacked. Then a spam bot is installed and you
have another problem customer who isn't paying you enough to deal with
that crap.

Regards,
Bill Herrin





-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004




More information about the NANOG mailing list