RE: Cisco 2611 as a firewall?
- To: "'tlug@example.com'" <tlug@example.com>
- Subject: RE: Cisco 2611 as a firewall?
- From: Scott Stone <SStone@example.com>
- Date: Wed, 16 May 2001 10:18:17 -0700
- Content-Type: text/plain;charset="iso-8859-1"
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <_S9Qd.A.PP.LarA7@example.com>
- Resent-Sender: tlug-request@example.com
Well Jonathan, yes and no.... A border router would theoretically be paired with a firewall and/or a core router at an ISP, but this seems like a very small-scale ISP on a limited budget. You don't *necessarily* want to allow all traffic in. Especially considering that a C2611 has *two* Ethernets plus the capability to connect up to two T1 CSU/DSU modules or four T1s via external CSU/DSU (actually you could do more via the large expansion bay, but I wouldn't trust a C2611's MPC860 CPU to handle more than two T1s anyway). So you could have Ethernet0/1 be a "DMZ" of sorts for the ISP's servers, and limit traffic into that.

Oh, and you could block the AOL IM ports there too, if you wanted to be evil[1].

[1] who doesn't?

-----------------------------------------------------
Scott M. Stone <sstone@example.com>
Senior Technical Consultant - UNIX and Networking
Taos, the Sysadmin Company - Santa Clara, CA

-----Original Message-----
From: Jonathan Q [mailto:jq@example.com]
Sent: Wednesday, May 16, 2001 9:07 AM
To: tlug@example.com
Subject: Re: Cisco 2611 as a firewall?

sven@example.com (sven@example.com) wrote:

> For security I'm going to block basically all incoming ports besides the
> ones he needs for the services he is running locally. These are DNS, POP3,
> SMTP (not sure he wants to allow it), Web, and SSH. Outgoing ports wouldn't
> have to be blocked, I believe.

Not much time to write now (I'll go into more detail tomorrow), but for now, NO. An ISP cannot do this. Your border router has to let in everything.

Exception: you want to rate-limit ICMP (ping and traceroute). Rate-limiting it to 64 kbps would be reasonable. Of course, on a pipe that small, the good place to do this is at the upstream's end. Ask the upstream if they will rate-limit ICMP to 64 kbps on their end of the link.

Another quick thought: blocking outgoing port 25 is very highly recommended. If all ISPs did this, spam would be less than 1/10 of what it is today. It's a growing trend, but not growing fast enough.

> I have little to no experience with Cisco routers, so where do I start,
> how can I accomplish all this and what do I have to be careful about?

This would be a good time to get someone who is experienced and give that person money. There are a ton of things to consider that you may or may not be aware of. Also, routers make lousy firewalls, anyway. That's why Cisco sells firewalls, too.

More tomorrow,

Jonathan

-----------------------------------------------------------------------
Next Technical Meeting: Sat, May 12 13:30-
Next Nomikai Meeting: Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp
Sponsor: Global Online Japan
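The three measures the thread converges on (rate-limit ICMP on the T1, block customer-originated SMTP, and restrict what may reach the ISP's own DMZ on Ethernet0/1 while leaving customer transit traffic untouched) as an added Cisco IOS configuration sketch; it is not from any poster in this thread. The interface roles, the 192.0.2.0/24 DMZ and the 192.0.2.10 mail host are constructed assumptions.

```cisco
! Added example, not from the thread. Constructed topology: Serial0/0 is the
! upstream T1, Ethernet0/0 faces customers, Ethernet0/1 is the DMZ
! (192.0.2.0/24, documentation range) and 192.0.2.10 is the ISP mail host.
!
! ACL 100 selects ICMP; CAR on the T1 limits it to 64 kbps in each direction
! (rate in bps, normal/excess burst in bytes; 8000 is the smallest burst).
access-list 100 permit icmp any any
!
! ACL 101: customers may only speak SMTP to the ISP's own mail host, not
! directly to the world (the anti-spam measure); everything else passes.
access-list 101 permit tcp any host 192.0.2.10 eq smtp
access-list 101 deny   tcp any any eq smtp
access-list 101 permit ip any any
!
! ACL 102: what the Internet may open toward the DMZ servers only: replies to
! established TCP sessions, DNS, POP3, SMTP to the mail host, HTTP, SSH and
! ICMP (already rate-limited on the T1). Customer subnets get no such ACL.
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 102 permit udp any 192.0.2.0 0.0.0.255 eq domain
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 eq domain
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 eq pop3
access-list 102 permit tcp any host 192.0.2.10 eq smtp
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 eq www
access-list 102 permit tcp any 192.0.2.0 0.0.0.255 eq 22
access-list 102 permit icmp any 192.0.2.0 0.0.0.255
!
interface Serial0/0
 description upstream T1
 rate-limit input access-group 100 64000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 100 64000 8000 8000 conform-action transmit exceed-action drop
!
interface Ethernet0/0
 description customer LAN
 ip access-group 101 in
!
interface Ethernet0/1
 description DMZ for the ISP's own servers
 ip access-group 102 out
```

ACL 102 is applied outbound on the DMZ interface so only traffic entering the DMZ is filtered; check with `show access-lists` that the expected lines are accumulating matches before trusting the policy.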