[j-nsp] Juniper firewall filters/stateful firewalls best practice

Shawn Hargan shawnh at frii.com
Mon Jun 25 11:48:00 EDT 2007


Security-wise, I certainly understand the benefit of layering the 
stateless filters and the stateful firewall. My concern probably comes 
from working with underpowered, archaic Cisco routers where too many 
ACLs or concurrent processes brings the router to its knees during a 
traffic spike. I know this isn't much of a worry with the firewall 
filters, but I've not found any data on the throughput of the AS2 PIC or 
ASP.

Now that I actually write that, I feel like an ass. The answer's rather 
obvious, isn't it? I'll be configuring my firewalls if anybody needs me...
-SH


Jonathan Looney wrote:
> On 6/25/07, Shawn Hargan <shawnh at frii.com> wrote:
>
>     Thanks for the reply. I have gone through that whitepaper, though I've
>     not made it entirely through the Security section of the site just
>     yet.
>     It did not explain whether it's best to combine firewall filters with
>     the stateful firewall (or if it doesn't really matter), though.
>     -SH
>
>
> Technically, the router doesn't care if you combine regular firewall 
> filters with stateful firewall filters on the AS PIC.  You just need 
> to know that regular firewall filters are still stateless and you need 
> to be aware of the state of the packet at the point where you're doing 
> the filtering ( i.e. is the packet pre-NAT or post-NAT, etc.) so you 
> can write your filter match conditions correctly.
>
> As far as which approach is better, I don't think anyone can make a 
> firm recommendation for you.  There are trade-offs in either 
> approach.  The AS PIC has a finite processing power and there is a 
> finite amount of bandwidth available between the FPC and the AS PIC.  
> (The numbers are large and these limits likely aren't even a 
> consideration with a small chassis, but there are nonetheless finite 
> limits.)  So, filtering obviously bad unwanted traffic before it 
> reaches the AS PIC will preserve some of these finite resources.  
> However, doing two-level filtering presents another set of management 
> problems (two filters need to be considered when making changes, two 
> filters need to be considered during troubleshooting, potentially two 
> sets of traffic logs need to be examined, etc.).
>
> So, you can choose to filter before traffic reaches the AS PIC or you 
> can choose to do all the filtering on the AS PIC; however, only you 
> can make the choice about which is the correct approach in your network.
>
> -Jon


-- 
Shawn Hargan--Network Operations Center
FRII
866-FRII-NOC	noc at frii.com
Monitoring FRII's network 24/7/365.
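Added example (not posted by either Shawn or Jon): a Junos configuration fragment showing the two-level approach Jon describes, a stateless firewall filter on the ingress interface that discards obviously unwanted traffic before it reaches the AS PIC, and a stateful-firewall rule in a service set that handles everything the filter lets through. The interface names (ge-0/0/0, sp-1/0/0), the filter, rule and service-set names, and all addresses are assumptions chosen for illustration, not anything from the thread.

```junos
/* Stage 1: stateless filter, evaluated on the physical interface before the
   service set. Drops packets that should never arrive from upstream so the
   AS PIC never spends cycles or FPC-to-PIC bandwidth on them.
   The filter sees the packet pre-NAT, so match conditions use the addresses
   as they appear on the wire from the upstream side. */
firewall {
    family inet {
        filter pre-aspic-drop {
            term drop-rfc1918-source {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    count rfc1918-source;   /* first of the two log/counter sets */
                    discard;
                }
            }
            term drop-our-own-prefix-as-source {
                from {
                    source-address {
                        203.0.113.0/24;     /* assumed local public prefix */
                    }
                }
                then {
                    count spoofed-local-source;
                    discard;
                }
            }
            term pass-to-aspic {
                then accept;
            }
        }
    }
}

/* Stage 2: stateful firewall on the AS PIC. Only traffic that survived the
   stateless filter is inspected here. */
services {
    stateful-firewall {
        rule inside-initiated-only {
            match-direction input;
            term allow-from-inside {
                from {
                    source-address {
                        192.168.10.0/24;    /* assumed inside LAN */
                    }
                }
                then {
                    accept;             /* creates flow state; return traffic
                                           is matched against that state */
                }
            }
            term deny-rest {
                then {
                    discard;            /* second of the two log/counter sets */
                }
            }
        }
    }
    service-set sfw-set {
        stateful-firewall-rules inside-initiated-only;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}

/* Both stages attached to the upstream-facing interface. On input the
   firewall filter runs first, then the service set. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input pre-aspic-drop;
                }
                service {
                    input {
                        service-set sfw-set;
                    }
                    output {
                        service-set sfw-set;
                    }
                }
                address 203.0.113.1/30;
            }
        }
    }
}
```

The two `count` actions and the stateful `discard` term are the concrete form of the management cost Jon mentions: a dropped packet can now show up in either the filter counters (`show firewall filter pre-aspic-drop`) or the stateful-firewall statistics, and a troubleshooter has to check both places, and also remember that the first stage matched on pre-NAT addresses while the second saw the packet after any NAT the service set applied.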
