RE: Cisco 2611 as a firewall?

[Scott Stone <SStone@example.com>]

you still don't have to let all traffic in.  you have to let in pretty much
all UDP, and ICMP, but you don't have to let in all TCP SYN traffic, just
TCP traffic with the RST/ACK bits set.  SYN packets are used to initiate
connections, and you don't often need to do that on an inbound basis.  Even
so, if the ISP's servers are on Ethernet0/0 and the dialup pool is connected
to, say, a Cisco AS5300 on the same ethernet network as Ethernet0/1...
assume your dialup pool is 171.60.48.1 through 171.60.50.254.. and then you
have, say, 198.60.59.0/24 for your servers, you can say "permit all to
171.60.0.0/16" and still lock down traffic destined for 198.60.59.0/24.
Cisco ACLs are pretty good about filtering, you can filter based on source
ip/protocol/port and/or destination ip/protocol/port.

One thing that concerns me about using a router as a firewall like this,
though, is the issue of port address translation (this is IP masquerading,
but cisco calls it PAT).  Cisco routers doing this dont seem to understand
how to masquerade certain services, such as FTP.  The PIX firewalls do...
and I'm not sure if the IOS-FW feature set does or not.  It may.  I haven't
used it.

-----------------------------------------------------
Scott M. Stone <sstone@example.com>
Senior Technical Consultant - UNIX and Networking
Taos, the Sysadmin Company - Santa Clara, CA


-----Original Message-----
From: Jonathan Q [mailto:jq@example.com]
Sent: Wednesday, May 16, 2001 6:29 PM
To: tlug@example.com
Subject: Re: Cisco 2611 as a firewall?


Scott Stone (SStone@example.com) wrote:

> well Jonathan, yes and no.... a border router would theoretically be
paired
> with a firewall and/or a core router, at an ISP, but this seems like a
very
> small-scale ISP on a limited budget.  You don't *necessarily* want to
allow
> all traffic in.

I also suspect that this 2611 will be the only router, but then you
essentially *must* let all traffic in, because your dial pools 
need that.  Unless they tell their customers up-front that they
won't be able to play their favorite online game or do pretty 
much anything else, there'll be a lot of unhappiness.  If they
do tell them that, the unhappiness will be at the ISP, 'cuz there
won't be any customers.

About the only thing they can do there is - if they have a 
no servers TOS for dial-up - is to filter ports < 1024 to the
dial pools.  

So while they could do some basic firewalling on the 2611, as
we've both pointed out, it's not a great idea.  And we haven't
asked yet if they plan to take a partial BGP view (stuff that
2611 with memory and sleep near the phone!) or if they're just
going to run a static route to their bandwidth provider.  I'd also
favor two 768K links to two different upstreams over two different
carriers.

> Especially considering that a C2611 has *two* ethernets plus the
capability

It does, but routers should route, and run some access lists, especially on
a capable but not super powerful router.  Yeah, this solution may be better
than nothing if this ISP has no money whatsoever (possible), but a
real, stative firewall in front of the boxes that need protection would
stand them in better stead. 


> oh and you could block the AOL IM ports there too, if you wanted to be
> evil[1]
> 
> [1] who doesn't?

:-)  Really, though, any ISP that wants customers can't go around
filtering instant messenging.  Besides, it would be lots more fun
to filter MS stuff :-)

Jonathan

-----------------------------------------------------------------------
Next Technical Meeting:  Sat, May 12 13:30- 
Next Nomikai Meeting:    Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp           Sponsor: Global Online Japan