At 12:09 AM 2/21/00 -0500, Chris Brenton wrote:
>Dave Harris wrote:
>>
>> I take your point about defense in depth, however, I'm of the opinion
>> that routers should route and firewalls should firewall. If your
>> firewall can't stop evil packets getting into your network then get
>> one that does. Isn't that the point?
>
>I still cringe every time I see this in print. ;)
same reaction here. & routers can do an awful lot more than route
these days.
>> Could you tell me your arguments for and against re router filtering or
>> direct me to some literature on the subject?
>
>By deploying two or more layers of perimeter protection, you hedge your
>bets. If one layer has a tiny hole, chances are you can plug it with the
>second layer. Also, some security measures (like broadcast mapping and
>source routing) are actually easier to deal with on a router.
& some measures can only be employed on the border router.
e.g. most internet links will have an interface serial/ISDN etc which is
configured as a point-to-point link, usually with an IP address assigned
by the ISP. the only place you can perform anti-IP spoofing or
other filtering for this IP address is on that interface on the router.
i see continuous hits on filters for these access-lists on links
i have configured. typically attempts to access port 23 tcp or 161 udp
(telnet & snmp).
& if you duplicate packet filters on both router & firewall a hit on the
duplicate firewall filters means the router has failed in some way & this
should raise alarm bells.
my level of paranoia is - if a device is capable of performing packet
filtering - implement packet filtering; whether it be a router,
firewall, webserver, ftp server, dmz host etc. there are no excuses
when there's great stuff like ip-filter out there -
http://coombs.anu.edu.au/~avalon
hope this helps,
pauline
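The two points in the message above (an anti-spoofing filter on the router's external interface, and treating any hit on the duplicated firewall rules as a sign the router layer failed) as an added example; this is not code from the thread, and the addresses, rule names and log format are constructed for illustration.

```python
"""Added example (not the original poster's code): an inbound anti-spoofing
check for the border router's point-to-point interface, plus the 'duplicate
filter' alarm: the firewall behind the router carries the same rules, so a
hit on them at the firewall means the router's filter failed or was bypassed.
All addresses, rule names and log lines are constructed for illustration."""
import ipaddress
import re

# Constructed addressing: our end of the ISP-assigned serial link, and the
# prefixes that must never be the *source* of a packet arriving from outside.
LINK_ADDR = ipaddress.ip_address("192.0.2.1")
INSIDE_NETS = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("10.0.0.0/8")]
MGMT_PORTS = {("tcp", 23), ("udp", 161)}   # telnet and snmp, as in the post

def inbound_rule(src, proto, dport):
    """Return the name of the rule that drops an inbound packet, or None.
    Applied on the router's external interface and duplicated on the firewall."""
    src = ipaddress.ip_address(src)
    if src == LINK_ADDR or any(src in net for net in INSIDE_NETS):
        return "anti-spoof"     # outside packet claiming an inside or link address
    if (proto, dport) in MGMT_PORTS:
        return "deny-mgmt"      # telnet/snmp aimed at our gear from outside
    return None

# Constructed log format (one hit per line): device rule proto src dst dport
LOG_RE = re.compile(r"^(?P<dev>\S+) (?P<rule>\S+) (?P<proto>tcp|udp) "
                    r"(?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$")

def router_failure_alarms(log_lines):
    """Return (src, rule) for every firewall hit on a duplicated rule: such a
    packet should already have been dropped at the router."""
    alarms = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["dev"] != "firewall":
            continue
        expected = inbound_rule(m["src"], m["proto"], int(m["dport"]))
        if expected is not None:        # the router carries this same rule
            alarms.append((m["src"], expected))
    return alarms

SAMPLE_LOG = [  # constructed
    "router anti-spoof tcp 10.1.2.3 203.0.113.5 80",        # caught at the edge: normal
    "router deny-mgmt tcp 198.51.100.7 203.0.113.1 23",     # telnet probe stopped: normal
    "firewall deny-mgmt udp 198.51.100.9 203.0.113.2 161",  # snmp probe got past the router
    "firewall allow tcp 198.51.100.9 203.0.113.2 80",       # ordinary web traffic: fine
]

if __name__ == "__main__":
    for src, rule in router_failure_alarms(SAMPLE_LOG):
        print(f"ALARM: {src} hit '{rule}' at the firewall; router filter failed")
```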