
Re: Firewalling



At 08:31 PM 3/29/2000 -0700, Kevin wrote:
I'm not really sure if I should post this to the ISP list or this one, but
anyway.  I work for a fairly small ISP and the management told me they want
me to put some sort of firewall in front of the router.  Actually their
first idea was a firewall in front of the router, then one behind the
router, then to the servers.  I'm curious what kind of effect having a
firewalled router will have on the dialup customers as well as certain
servers like a shell provider.  Also, what would I firewall from the router?
I don't want to really restrict any ports for end dialup users as I've had
personal experience with this, and it can be a pain.  Any ideas, comments,
or short poems about how great I am would be greatly appreciated.

First, a little full disclosure to point out the source of my Cisco bias: I spent six months working on Cisco's Partner/Reseller presales line, and I now work in the SMB TAC, supporting the smaller IOS routers. In addition to this, I keep a small ISP going, running Debian exclusively.

Note that the statements below only represent my opinion. They are stated in a manner that suggests that they are cold hard facts, so I wanted to add this disclaimer. :) They are also pretty much restatements of the last two replies to this message.

A Cisco router, even with a basic IP only feature set, can be locked down with access lists to a point of absurdity. A single access list with a handful of lines can make it impossible to contact anything on the network except a few TCP servers, yet allow almost anything on the inside to get to the internet.

In general, firewalling in an ISP environment is a bad idea. The whole idea of an ISP is open, unrestricted access to the Internet. Aside from creating access lists to minimize IP spoofing, there are certain things an ISP may consider blocking on a near-global basis. These include outbound SMTP, NetBIOS ports, and the like. Even for these, it is usually best done directly on the access servers, not at the core. It's the dialup users that you want to protect, and shield the 'net from. :)

The only exception to the general rule of no firewalling would be personal and administrative workstations - computers that need to access the servers and the internet, but have no reason to be accessed from the outside. These ideally should use PAT/masquerading to a private network so that there is absolutely no possibility of direct outside contact -- but this doesn't require a firewall. It can be done with a router, or with Linux.

If the administrators are doing their jobs, there's no need for a firewall. Every server will have open ports for only those services that they actually need, and no others. The daemons that serve those requests will be the most stable and secure versions that can be found, reasonably safe from attack. Interaction between servers will be limited to only necessary connections from authorized addresses - NFS, DNS zone transfers, ssh, etc. Shell access to each machine will be granted to only those administrators and/or users that actually require it, or have paid for it. In other words, a security policy will be created and strictly enforced.

The summary: You'd be better off spending the money on overtime for the administrator(s) than firewall software and/or hardware. :) In a service provider setting, all a firewall really amounts to is either a band-aid for bad administration, or peace of mind for the suits. And for that peace of mind, you can't beat a PIX. :)

--- gratuitous (and very bad) attempt at flattering poetry ---
Kevin is but a cog in the machine.
It's an important piece, though.
Please do not feed the fishes.
---

Thanks,
Shawn


--
It was only after their numbers had been reduced from 50 to 8 that the other 7 dwarves began to suspect Hungry of cannibalism.
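Concretely, the access-list approach Shawn describes above (a short extended ACL on the border router that lets inside hosts out but admits only a few TCP servers, anti-spoofing filters, and the per-access-server blocks on outbound SMTP and NetBIOS, plus PAT for the admin workstations) looks like the following IOS configuration. This is an added example, not part of the original message or of anything Shawn posted; the addressing (192.0.2.0/24 as the ISP's public block, 192.0.2.128/25 as the dialup pool, 192.168.1.0/24 as the admin LAN), the host roles and the interface names are assumptions chosen for illustration.

```cisco
! Added example (not from the original message). Addresses and interface names
! are assumptions: 192.0.2.0/24 is the ISP's public block, .10 is the mail/DNS
! host, .11 the web server, .12 the shell server, .128/25 the dialup pool, and
! 192.168.1.0/24 the administrators' private LAN. Serial0 faces the upstream.
!
! --- 1. Border router, inbound from the Internet ---------------------------
! Numbered extended ACL: first match wins, and every IOS ACL ends with an
! implicit "deny ip any any". Wildcard masks are inverted subnet masks
! (0.0.0.255 = /24, 0.0.0.127 = /25).
!
! Anti-spoofing: nothing arriving from outside may claim one of our own
! addresses, private (RFC 1918) space or loopback as its source.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
! Replies to TCP sessions opened from inside ("established" = ACK or RST set).
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
! DNS answers to inside resolvers: a stateless ACL needs an explicit UDP hole.
access-list 101 permit udp any eq 53 192.0.2.0 0.0.0.255 gt 1023
! The handful of public services.
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.10 eq 53
access-list 101 permit udp any host 192.0.2.10 eq 53
access-list 101 permit tcp any host 192.0.2.11 eq 80
access-list 101 permit tcp any host 192.0.2.12 eq 22
! Keep path-MTU discovery and ping working.
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 unreachable
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 echo
access-list 101 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
! Everything else is dropped by the implicit deny; this line only makes it visible.
access-list 101 deny   ip any any log
!
interface Serial0
 ip access-group 101 in
 ip nat outside
!
! --- 2. Access server, inbound from the dialup pool ------------------------
! Applied to the async interfaces, so it sees packets as they arrive from the
! customer. Outbound SMTP is allowed only to the ISP's own relay, NetBIOS never
! leaves the pool, and any other traffic passes untouched.
access-list 110 permit tcp 192.0.2.128 0.0.0.127 host 192.0.2.10 eq 25
access-list 110 deny   tcp 192.0.2.128 0.0.0.127 any eq 25
access-list 110 deny   tcp 192.0.2.128 0.0.0.127 any range 137 139
access-list 110 deny   udp 192.0.2.128 0.0.0.127 any range 137 139
access-list 110 permit ip 192.0.2.128 0.0.0.127 any
! A dialup source outside the pool is spoofed: drop and log it.
access-list 110 deny   ip any any log
!
interface Group-Async1
 ip access-group 110 in
!
! --- 3. Admin workstations behind PAT ("overload") -------------------------
! Requires a feature set that includes NAT. Inside hosts share Serial0's
! address; with no static mappings, nothing outside can open a connection to
! them, which is the "no possibility of direct outside contact" property.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0 overload
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Two caveats a practitioner should keep in mind. `established` only tests the ACK/RST flag bits; it is not connection state, so anyone can send ACK-flagged packets at inside hosts, and the servers still have to be hardened exactly as the message says (the list is a hedge, not a firewall). Every UDP service used from inside other than DNS needs its own hole like the port-53 line, or real state from reflexive ACLs or CBAC in the IOS Firewall feature set. Check the per-line match counters with `show access-lists 101` after applying it, and keep `log` off high-rate lines on a small router, since logged matches are process-switched.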

