Firewalls in service provider environments

Justin M. Streiner streiner at
Tue Feb 7 21:46:04 UTC 2012

On Tue, 7 Feb 2012, Matthew Reath wrote:

> Looking for some recommendations on firewall placement in service provider
> environments.  I'm of the school of thought that in my SP network I do as
> little firewalling/packet filtering as possible. As in none, leave that to
> my end users or offer a "managed" firewall solution where if a customer
> signs up for the extra service I put him in a VRF or VLAN that is "behind"
> a firewall and manage that solution for them. Otherwise I don't prefer to
> have a firewall inline in my service provider network for all customer
> traffic to go through. I can accomplish filtering of known bad ports on my
> edge routers either facing my customers or upstream providers.

I tend to agree with this, and I think you'll find that most providers 
agree with that as well.

There are several reasons for this:
1. Firewalls present another point of failure, and SPs are generally loath 
to force customer traffic* through another choke point.
2. Many firewall appliances are stateful.  Multihomed customers and 
stateful firewalls can be a major headache.  Asymmetric routing through 
stateful firewalls is pretty much a non-starter.
3. You (the customer) know your applications and internal network better 
than the SP does.  It makes sense for you to manage your firewalls/NAT/
internal LAN.  If you can't or don't want to do this, hire a consultant to 
do the work for you.
4. Most SPs would not want the liability of managing firewall service.
5. Dropping packets at the SP edge could be done, but I think most SPs 
would only want to do so in extraordinary circumstances.

* - As you mentioned, unless the SP offers, and those customers 
specifically pay for a firewalled service.


More information about the NANOG mailing list