Firewalls in service provider environments

Suresh Ramasubramanian ops.lists at
Wed Feb 8 01:45:34 UTC 2012

On Wed, Feb 8, 2012 at 3:52 AM, William Herrin <bill at> wrote:

> High end business customers (of the BGP speaking variety) generally
> appreciate having a remote triggered black hole facility. That's a
> kind of firewall.

While I 100% agree that sticking a stateful firewall into a SP
environment is several kinds of dumb, I wouldn't run it wide open and
unfiltered either.

There are several things that a SP should definitely be looking at,
that I'd still describe as a firewall, and are not the "stateful
firewall / IDS / IPS magic black box" half the posters in this thread
are instinctively reacting to. For the record, yes, I agree those
are a bad idea.

But how about these - all these are going to be implemented to a
greater or a lesser degree, and in different places, depending on how
you define SP (selling only transit OC-48s? T1..T3 to end user
corporations? Datacenter hosting?)


2. Netflow based devices (Arbor, Tivoli TNPFA flow analyzers, etc)

3. DDoS mitigation - possibly resold as an extra service [built
inhouse / provided by other vendors or your upstream tier 1]

4. Router ACLs to get rid of common worm traffic

5. Filtering both ways to prevent async routing to bypass your filters
( and in that thread, for a fun example)

6. Putting different customers into different VLANs rather than
packing everybody into a single VLAN - that way they don't spoof
unused IPs on the same VLAN (that is, unused IPs anywhere in your IP
space .. and this is, like #5, a rather old attack that I haven't seen
in a while, it used to be very popular with spammers some years back,
and sticking your customers into separate VLANs anyway makes a lot of
sense from a management perspective, leave alone the security


Suresh Ramasubramanian (ops.lists at
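An added illustration of points 5 and 6 above, written for this archive page and not code from the post or from any vendor: a small Python model of per-interface anti-spoofing filters applied in both directions at an SP edge, run over a constructed set of packets. The interface names, prefixes and addresses are all invented; the point it makes is that a shared VLAN can only be filtered to its aggregate (so unused addresses inside it still pass), while a separate egress check toward the upstream still catches off-net sources that slipped past a missing or loose ingress list.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (illustration only): per-customer VLANs carry one
# assigned prefix each; a legacy VLAN is shared by several customers and
# has no per-customer source list maintained on it (None = unfiltered).
IFACE_PREFIXES = {
    "vlan101": [ip_network("198.51.100.0/26")],    # customer A
    "vlan102": [ip_network("198.51.100.64/26")],   # customer B
    "vlan199": None,                               # shared legacy VLAN
}
# Everything this SP originates must come from these aggregates.
SP_SPACE = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
UPSTREAM = "ge-0/0/0"                              # transit-facing interface


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def decide(pkt):
    """Return (verdict, reason) for one packet dict with keys in, out, src.

    Filtering is applied in both directions: an ingress check on the
    interface the packet arrives on, and an independent egress check
    when it is about to leave toward the upstream.
    """
    src = ip_address(pkt["src"])

    if pkt["in"] == UPSTREAM:
        # Inbound from transit: our own prefixes must never appear as source.
        if in_any(src, SP_SPACE):
            return ("drop", "own-space-from-upstream")
        return ("permit", "upstream-ingress")

    if pkt["in"] not in IFACE_PREFIXES:
        return ("drop", "unknown-interface")

    allowed = IFACE_PREFIXES[pkt["in"]]
    # Ingress: on a dedicated customer VLAN the source must sit inside the
    # prefix assigned to that VLAN. A shared legacy VLAN has no such list.
    if allowed is not None and not in_any(src, allowed):
        return ("drop", "ingress-source-mismatch")

    # Egress toward upstream: a second, independent check so that a loose
    # or missing ingress list cannot let off-net sources leave the network.
    if pkt["out"] == UPSTREAM and not in_any(src, SP_SPACE):
        return ("drop", "egress-source-not-ours")

    return ("permit", "customer-ingress")


# Constructed sample traffic, one packet per case of interest.
PACKETS = [
    {"in": "vlan101", "out": UPSTREAM, "src": "198.51.100.10"},  # A, own prefix
    {"in": "vlan101", "out": UPSTREAM, "src": "198.51.100.70"},  # A using B's prefix
    {"in": "vlan199", "out": UPSTREAM, "src": "203.0.113.250"},  # shared VLAN, unused SP IP
    {"in": "vlan199", "out": UPSTREAM, "src": "192.0.2.5"},      # shared VLAN, off-net source
    {"in": UPSTREAM,  "out": "vlan102", "src": "198.51.100.66"}, # our space arriving from transit
    {"in": UPSTREAM,  "out": "vlan102", "src": "192.0.2.9"},     # ordinary inbound traffic
]


def run(packets=PACKETS):
    """Evaluate every packet and return the list of (verdict, reason)."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(PACKETS, run()):
        print(f"{pkt['in']:>9} -> {pkt['out']:<9} src={pkt['src']:<15} {verdict:6} {reason}")
```

The third packet is the case the post describes for a shared VLAN: the source is an unused address inside the SP's own aggregate, so neither the ingress nor the egress check can tell it apart from legitimate traffic; only moving that customer onto its own VLAN with its own prefix list would catch it. The fourth packet shows why the egress check is worth having on its own: the shared VLAN had no ingress list at all, yet the off-net source is still dropped before it reaches the upstream.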
