[j-nsp] Juniper firewall filters/stateful firewalls bestpractice
Shawn Hargan
shawnh at frii.com
Mon Jun 25 16:17:33 EDT 2007
Thanks!
-SH
Doug Marschke wrote:
> Specs on the ASP:
>
> http://www.juniper.net/products/modules/100087.pdf
>
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Shawn Hargan
> Sent: Monday, June 25, 2007 8:48 AM
> To: Jonathan Looney
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Juniper firewall filters/stateful firewalls
> bestpractice
>
> Security-wise, I certainly understand the benefit of layering the
> stateless filters and the stateful firewall. My concern probably comes
> from working with underpowered, archaic Cisco routers where too many
> ACLs or concurrent processes brings the router to its knees during a
> traffic spike. I know this isn't much of a worry with the firewall
> filters, but I've not found any data on the throughput of the AS2 PIC or
> ASP.
>
> Now that I actually write that, I feel like an ass. The answer's rather
> obvious, isn't it? I'll be configuring my firewalls if anybody needs
> me...
> -SH
>
>
> Jonathan Looney wrote:
>
>> On 6/25/07, *Shawn Hargan* <shawnh at frii.com <mailto:shawnh at frii.com>>
>> wrote:
>>
>> Thanks for the reply. I have gone through that whitepaper, though I've
>> not made it entirely through the Security section of the site just
>> yet.
>> It did not explain whether it's best to combine firewall filters with
>> the stateful firewall (or if it doesn't really matter), though.
>> -SH
>>
>>
>> Technically, the router doesn't care if you combine regular firewall
>> filters with stateful firewall filters on the AS PIC. You just need
>> to know that regular firewall filters are still stateless and you need
>> to be aware of the state of the packet at the point where you're doing
>> the filtering (i.e. is the packet pre-NAT or post-NAT, etc.) so you
>> can write your filter match conditions correctly.
>>
>> As far as which approach is better, I don't think anyone can make a
>> firm recommendation for you. There are trade-offs in either
>> approach. The AS PIC has a finite processing power and there is a
>> finite amount of bandwidth available between the FPC and the AS PIC.
>> (The numbers are large and these limits likely aren't even a
>> consideration with a small chassis, but there are nonetheless finite
>> limits.) So, filtering obviously bad unwanted traffic before it
>> reaches the AS PIC will preserve some of these finite resources.
>> However, doing two-level filtering presents another set of management
>> problems (two filters need to be considered when making changes, two
>> filters need to be considered during troubleshooting, potentially two
>> sets of traffic logs need to be examined, etc.).
>>
>> So, you can choose to filter before traffic reaches the AS PIC or you
>> can choose to do all the filtering on the AS PIC; however, only you
>> can make the choice about which is the correct approach in your network.
>>
>> -Jon
>>
>
>
>
--
Shawn Hargan--Network Operations Center
FRII
866-FRII-NOC noc at frii.com
Monitoring FRII's network 24/7/365.
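An added illustration of the two-level layout Jon describes, not configuration posted by anyone in this thread: a stateless interface filter discards obviously unwanted sources before packets reach the service set on the AS PIC, and the stateful firewall rule on the sp- interface handles everything else. The interface, sp- slot, prefixes and all names are assumed placeholders.

```junos
firewall {
    family inet {
        filter pre-sfw-cleanup {
            /* Stateless: each packet judged alone, seen pre-NAT on input. */
            term drop-spoofed-sources {
                from {
                    source-address {
                        10.0.0.0/8;          /* RFC 1918, never valid from outside */
                        203.0.113.0/24;      /* our own space, assumed */
                    }
                }
                then { count pre-sfw-drops; discard; }   /* count makes drops visible */
            }
            term pass-to-aspic {
                then accept;   /* everything else goes on to the AS PIC */
            }
        }
    }
}
interfaces {
    ge-0/0/0 {   /* assumed Internet-facing interface */
        unit 0 {
            family inet {
                filter {
                    input pre-sfw-cleanup;   /* evaluated before the service set */
                }
                service {
                    input { service-set internet-sfw; }
                    output { service-set internet-sfw; }
                }
            }
        }
    }
}
services {
    stateful-firewall {
        rule outbound-only {
            match-direction output;   /* only sessions opened from inside */
            term allow-out {
                then accept;   /* return packets are matched by session state */
            }
        }
    }
    service-set internet-sfw {
        stateful-firewall-rules outbound-only;
        interface-service {
            service-interface sp-1/0/0;   /* the AS PIC, assumed slot */
        }
    }
}
```

The `count` action lets `show firewall filter pre-sfw-cleanup` report how much traffic the stateless stage sheds before it would consume AS PIC capacity, which is the resource trade-off Jon raises.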