[j-nsp] Juniper firewall filters/stateful firewalls best practice

Jonathan Looney jonlooney at gmail.com
Mon Jun 25 10:54:36 EDT 2007


On 6/25/07, Shawn Hargan <shawnh at frii.com> wrote:
>
> Thanks for the reply. I have gone through that whitepaper, though I've
> not made it entirely through the Security section of the site just yet.
> It did not explain whether it's best to combine firewall filters with
> the stateful firewall (or if it doesn't really matter), though.
> -SH


Technically, the router doesn't care if you combine regular firewall filters
with stateful firewall filters on the AS PIC.  You just need to know that
regular firewall filters are still stateless and you need to be aware of the
state of the packet at the point where you're doing the filtering (i.e. is
the packet pre-NAT or post-NAT, etc.) so you can write your filter match
conditions correctly.

As far as which approach is better, I don't think anyone can make a firm
recommendation for you.  There are trade-offs in either approach.  The AS
PIC has finite processing power and there is a finite amount of bandwidth
available between the FPC and the AS PIC.  (The numbers are large and these
limits likely aren't even a consideration with a small chassis, but there
are nonetheless finite limits.)  So, filtering obviously bad unwanted
traffic before it reaches the AS PIC will preserve some of these finite
resources.  However, doing two-level filtering presents another set of
management problems (two filters need to be considered when making changes,
two filters need to be considered during troubleshooting, potentially two
sets of traffic logs need to be examined, etc.).

So, you can choose to filter before traffic reaches the AS PIC or you can
choose to do all the filtering on the AS PIC; however, only you can make the
choice about which is the correct approach in your network.

-Jon
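As an added illustration of the combined approach Jon describes (this is not from the thread and not Juniper's own documentation), a Junos configuration fragment where a stateless input filter discards obviously unwanted traffic before it reaches the AS PIC, and the stateful firewall on the AS PIC handles everything else. The interface, service-interface, prefixes and all names are assumptions, and it also assumes that on ingress the input filter is evaluated before the input service set, so its match conditions see the pre-NAT packet.

```junos
firewall {
    family inet {
        filter PRE-ASPIC {
            term drop-private-sources {
                /* constructed sample: RFC 1918 sources arriving from the outside */
                from {
                    source-address { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }
                }
                then {
                    count pre-aspic-drops;   /* one counter to check when troubleshooting */
                    discard;
                }
            }
            term to-stateful-firewall {
                then accept;                 /* everything else continues to the AS PIC */
            }
        }
    }
}
services {
    stateful-firewall {
        rule EDGE-FW {
            match-direction output;          /* sessions started from inside create flow state */
            term allow-outbound {
                from { source-address { 192.0.2.0/24; } }   /* internal prefix (assumed) */
                then accept;                 /* return traffic is admitted by the flow state */
            }
        }
    }
    service-set SS-EDGE {
        stateful-firewall-rules EDGE-FW;
        interface-service { service-interface sp-1/0/0; }   /* AS PIC, slot assumed */
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter { input PRE-ASPIC; }  /* on ingress this runs before the service set,
                                                so its match sees the pre-NAT packet (assumption) */
                service {
                    input { service-set SS-EDGE; }
                    output { service-set SS-EDGE; }
                }
            }
        }
    }
}
```

The two-level cost Jon mentions shows up here as two places to look during a change or an outage: the `pre-aspic-drops` counter on the stateless filter and the flow table of service set SS-EDGE.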
