That sounds nice and good, but consider a scenario like this:
CompanyA uses ISP-A and ISP-B as a backup. CompanyA's IP series 'belongs' to
ISPA's 'inside' - right? Now CompanyA's connection to ISPA is down and their
vital connection to say Branch office is routed through ISPB, so it will
come through ISPB's net to ISPA's net. Since Branch office link to ISPA is
up, the route is still advertised from there. The backup link might also be
an ISDN that comes up only when needed.
It is of course nice for the ISP if its customers cannot easily change
provider, but not so nice for the customer, if they cannot have backup
links.
Now I know there are many more problems with this scheme, like the
routing for the return packets. NAT might be an answer, but it brings its own
problems. My point is only that it is not so simple as you make it sound.
Sakari
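
Added example (not part of the original thread, and not either poster's configuration): the two border rules from the quoted message below, applied to the backup-link scenario described above. The prefixes (documentation ranges), the `border_filter` function and the `multihomed` exception list are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 blocks named in the quoted rules
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample addressing (documentation ranges, not from the thread)
ISP_A_INSIDE = [ipaddress.ip_network("198.51.100.0/24")]   # behind ISP-A's border
COMPANY_A = [ipaddress.ip_network("198.51.100.64/26")]     # CompanyA, from ISP-A space
BRANCH_HOST = "198.51.100.130"                             # branch, still on ISP-A


def border_filter(src, dst, direction, inside, multihomed=()):
    """Decide one packet at the border; returns (verdict, reason).

    direction:  "in" = arriving from outside, "out" = leaving.
    inside:     prefixes that are supposed to be inside the firewall.
    multihomed: hypothetical exception list of inside prefixes that may
                legitimately arrive from outside over a backup provider.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1: no RFC 1918 addresses in either direction.
    if any(s in n or d in n for n in RFC1918):
        return ("drop", "rfc1918")
    src_inside = any(s in n for n in inside)
    # Rule 2a: an inside source address must not arrive from outside.
    if direction == "in" and src_inside:
        if any(s in n for n in multihomed):
            # The exception trades away spoofing protection for this prefix.
            return ("accept", "multihomed-exception")
        return ("drop", "inside-source-from-outside")
    # Rule 2b: an outside source address must not leave.
    if direction == "out" and not src_inside:
        return ("drop", "outside-source-leaving")
    return ("accept", "ok")


def backup_link_case(multihomed=()):
    """CompanyA -> branch traffic re-entering ISP-A via ISP-B's network."""
    return border_filter("198.51.100.70", BRANCH_HOST, "in",
                         ISP_A_INSIDE, multihomed)


if __name__ == "__main__":
    print("strict rules:  ", backup_link_case())
    print("with exception:", backup_link_case(COMPANY_A))
```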
> -----Original Message-----
> From: Bennett Todd [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, September 25, 1999 8:41 PM
> To: Tim Kramer
> Cc: Michael Cunningham; [EMAIL PROTECTED]
> Subject: Re: security policy examples
>
> 1999-09-24-16:17:48 Tim Kramer:
> > I can only imagine one case where an ISP would need a firewall: to protect
> > its internal network where the billing records and logs are kept. (I'm
> > probably wrong as I've never worked that side of the house.) (Why have a
> > firewall if the security policy is "no restrictions"?)
>
> There ought to be a firewall any place there's an administrative border. At
> the connection between the internet and an ISP, they should have a box that
> enforces a couple of rules:
>
> - don't allow packets through in either direction to or from the RFC
>   1918 address blocks 192.168/16, 172.16/12, and 10/8.
> - don't allow incoming packets with source addresses that are supposed
>   to be inside the firewall, and don't allow outbound packets with
>   source addresses that aren't inside the firewall.
>
> In addition a border firewall gives you valuable logging, and the ability to
> shut down many denial-of-service attacks once they're detected and
> diagnosed.
>
> > Politics will always conflict with security when use of your network is
> > involved.
>
> I think these conflicts, and how they are resolved, are the test of the
> security policy. A good security policy is strengthened by such challenges,
> since it ends up either educating the user about the organization's needs, or
> else being revised to better meet them.
>
> -Bennett
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]