Mailing List Archive


Re: Cisco 2611 as a firewall?



sven@example.com (sven@example.com) wrote:

> A friend of mine who's running an ISP wants me to come over
> and configure his Cisco 2611 router he just got as the primary
> link to his backbone.

He may be already committed contractually, but a better and
more reliable setup would be to get some portable IP space
and multi-home with two providers, and get the fiber from
two different carriers, so he has a network uplink that
looks like this:


**********				**********
Provider A				Provider B
**********				**********
    |					    |
    | Carrier A				    | Carrier B
    |					    |
    -----------------2611--------------------

The links could be 768K and equally balanced, or one
could be smaller and used as a backup, with traffic primarily
going through the bigger pipe.  The benefits of this are:

1) If Provider A has an outage, you have a backup router through
   Provider B;

2) If Carrier A has a fiber cut or other outage, you hope
   that Carrier B's fiber takes a physically different path
   and didn't get cut by the same backhoe that took out Carrier A.
   Ditto for outages from things like upgrades of network switches:
   Carrier B probably doesn't upgrade its firmware at the same time
   Carrier A does.  If A has an upgrade gone bad, you still have a route
   via B.

More expensive?  Yeah.  But cheaper than downtime, especially if you're
an ISP.

On the inside of the network, you could - as Scott suggested - hang
the mail servers, DNS, etc. off of one Ethernet interface on the
2611 and protect them with access lists, then hang things like
dial-up access servers, that need to be right on the Internet,
on the other Ethernet interface.  Here, access lists would be
minimal, just filter outgoing port 25 and anything your AUP
prohibits (filtering all NetBIOS ports might be useful for
protecting customers; just state somewhere that you're doing
it).   This will make the 2611 work harder, so if the business
does well, it will run out of steam faster or you'll soon need
to move to a real firewall and take that work off of the router.
However, if you really want to have firewalling there, you're better
off setting up a firewall in the first place.

Note: do use a setup where:

1)  Each machine behind the firewall is locked down, and even
    running ipchains or iptables firewalling itself;

2) All you have to do if the firewall fails in service is unplug the
   ethernet leading to the servers and connect it directly to the
   2611 to restore connectivity.   

For 2, connect all the machines behind the firewall into a switch
(not a hub; if anyone should somehow manage to own one of them, a
hub will allow them to sniff; a switch will defeat this.  Put
security wherever you can.  Switches also perform better than
hubs).

This way, even if the firewall box dies, you can get your connectivity
back in a few seconds and the machines will still be fairly secure
even without the firewall.


Next issue, routing protocols.  If you plan to take a partial BGP
view (a full view is probably out of the question on a 2611), 
stuff that router with as much memory as it will hold.  However,
if you're not multi-homing, there's no real reason why you need
to do anything but run a static route to the upstream.

Jonathan
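As an added illustration (not part of Jonathan's post), this IOS access-list sketch shows the split he describes: strict filtering toward the server Ethernet, minimal AUP filtering on the dial-up Ethernet. The addresses (198.51.100.25 mail, 198.51.100.53 DNS, 192.0.2.0/24 dial-up pool) and interface numbers are assumed placeholders.

```cisco
! Server segment: only the services we actually offer may reach the hosts.
! Applied "out" on the server-facing interface, i.e. to traffic the router
! delivers toward the servers from either uplink.
ip access-list extended TO-SERVERS
 remark Inbound mail to the mail server only
 permit tcp any host 198.51.100.25 eq 25
 remark DNS queries (UDP and TCP for large answers / zone transfers) to the DNS host
 permit udp any host 198.51.100.53 eq 53
 permit tcp any host 198.51.100.53 eq 53
 remark Return traffic for connections the servers themselves opened
 permit tcp any 198.51.100.0 0.0.0.255 established
 remark Enough ICMP for path MTU discovery and diagnostics
 permit icmp any 198.51.100.0 0.0.0.255 unreachable
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 remark Everything else is dropped and logged for the ops console
 deny   ip any any log
!
! Dial-up segment: customers sit directly on the Internet, so only
! the AUP items are filtered.  Applied "in" where their traffic enters.
ip access-list extended FROM-DIALUP
 remark Customers may relay mail through our own server ...
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.25 eq 25
 remark ... but not send SMTP directly elsewhere (spam / open-relay abuse)
 deny   tcp 192.0.2.0 0.0.0.255 any eq 25 log
 remark NetBIOS (137-139) in both directions protects customers' file shares
 deny   udp any any range 137 139
 deny   tcp any any range 137 139
 permit ip any any
!
interface Ethernet0/0
 description Server segment (mail, DNS)
 ip access-group TO-SERVERS out
!
interface Ethernet0/1
 description Dial-up access servers
 ip access-group FROM-DIALUP in
```

Every entry with `log` costs router CPU on a 2611, so keep logging to the two deny lines that matter and watch `show access-lists` hit counters to see whether the rules are actually earning their keep.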

