[c-nsp] firewall w/ >1Gbps interfaces

Saku Ytti saku+cisco-nsp at ytti.fi
Wed Oct 19 11:10:00 EDT 2005


On (2005-10-19 11:02 -0400), Adam Greene wrote:

 
> The thought of activating a firewall feature set on a 3750 / 4948 or 2800 /
> 3800 and doing etherchannel also crossed my mind ...

 Firewall or ACL? My personal opinion is that a wide-open internet server
should not be placed behind a firewall, only behind a packet filter.
 A firewall implies state, and state implies quite easy DoS-ability.

 Of course you're the best judge of your situation, but please consider
2x3750 and the image server connected to both switches via as many 1GEs
as needed (up to 4 to both, totalling 8Gbps, and 4Gbps if a single box
fails). To have an egress ACL, which is what you need, you need to be routing on
the 3750. Then just deny all source addresses other than the
web servers'; this adds up to line sessionless/stateless packet filtering.
 Please filter the web servers' source addresses at AS borders and apply
strict RPF on customer interfaces to avoid unidirectional spoofed
attacks (which will pass the firewall just as well).

-- 
  ++ytti
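A sketch of the stateless setup described above in IOS syntax, added here as an example and not taken from the thread. The interface names, VLAN numbers and address ranges are constructed placeholders (the web servers are assumed to sit in the documentation prefix 192.0.2.0/28), and uRPF support in hardware varies by platform, so the customer-edge part is shown on a separate border router rather than on the 3750.

```cisco
! --- 3750 doing the server distribution (added example, assumptions as in the lead-in) ---
ip routing
!
! Egress filter toward the upstream: only packets sourced from the web
! server prefix may leave. Anything else (spoofed, misdirected, a
! compromised host using a foreign source) is dropped without any
! connection table that an attacker could fill up.
ip access-list extended WEB-EGRESS
 permit ip 192.0.2.0 0.0.0.15 any
 deny   ip any any
!
! "log" is deliberately left off the deny: on this class of switch
! logged ACL hits are punted to the CPU, which is exactly the resource
! a flood would then exhaust.
!
interface Vlan200
 description Web / image server segment
 ip address 192.0.2.1 255.255.255.240
!
interface Vlan100
 description Uplink toward AS border
 ip address 198.51.100.2 255.255.255.252
 ip access-group WEB-EGRESS out
!
interface range GigabitEthernet1/0/1 - 4
 description Image server, 4 x 1GE (second 3750 mirrors this)
 switchport mode access
 switchport access vlan 200
!
! --- customer-edge / border router (separate device) ---
! Strict uRPF: a packet is accepted on this interface only if the best
! route back to its source address points out the same interface, so
! unidirectional spoofed floods from customers are dropped at the edge.
interface GigabitEthernet0/1
 description Customer
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Border side: the web server prefix must never arrive from outside.
ip access-list extended BORDER-IN
 deny   ip 192.0.2.0 0.0.0.15 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Transit / peering
 ip access-group BORDER-IN in
```

Strict uRPF only works where routing is symmetric toward the customer; on multihomed customer links the loose mode (reachable-via any) is the usual fallback.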

