I wouldn't expect the ISP to provide this service for nothing... it's a considerable administrative burden, however, some ISPs may provide a firewalled service. You can combine this firewalled service with your own firewall to provide the layered security without having to purchase and manage an additional filtering router.
Hopefully what you achieve (most suitable for a small shop) is the two-brain rule (where at least two people are involved in a firewall change ... one to make the change on the in-house firewall and a different person to make the change at the ISP), also, proper change control will be required by the ISP (so there's an audit of any changes made). Even in some larger organisations you can often find that the perimeter security is purely in the hands of one person - they can mistakenly or maliciously open holes in the security. The benefit of having an additional in-house packet filter in a smaller organisation is tempered by the fact that this is likely to be managed by the same person (who may not be particularly expert in this area.) Even better if the ISP installs the firewall at their end of the link (although I've never heard of this being done) as the unwanted traffic would never get to use up precious customer bandwidth. Obviously there will be concerns at placing trust in a third party (although the customer does maintain their own firewall and, hopefully, some form of IDS ... or at least they monitor the firewall logs.) But it's not uncommon (particularly in larger organisations) for the whole infrastructure to be outsourced. As I mention above, there may be benefits in using an ISP if they have significant firewall expertise (this depends on their size and the number of customers using the firewall service)... and if the service can stop errant traffic using your bandwidth even better! (as I mention above, the norm is for the firewall/filter to be placed at the customer site so there's no saving in bandwidth) The downside is that the IDS (and/or firewall logs) at the customer site never gets to see the full picture because the majority of (or maybe all) malicious traffic is blocked at the ISP filter ... this could disguise attack signatures (e.g. if you see a concerted attack from a particular IP address from a specific source address then you would possibly block all traffic from that address before they find a real hole or at least query the ISP that owns that address)... I would hope that the ISP would be providing this as a service. The ISP should have some expertise in spotting attack signatures and have good communications channels to other ISPs to trace back attacks ... again, for a small shop where there is no resource to properly manage the perimeter security this may be the ideal service. Going back to the ISP supplied/managed router at the customer site ... although I wouldn't expect the ISP to provide customer supplied ACL (at no extra cost) I think it's reasonable to expect the ISP to install ACL to prevent the router itself being attacked. John -----Original Message----- From: Rich MacVarish [mailto:[EMAIL PROTECTED]] Sent: 31 January 2003 13:08 To: [EMAIL PROTECTED] Subject: RE: Router Packet Filtering and Firewalls Greetings, RFC 1918 specifies the reserved "private use" networks which should never be seen across the public Internet. RFC 2827 filtering specifies preventin a network's users from spoofing other networks by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range. When RFC 2827 filtering is implemented at the ISP, this filtering can help prevent DDoS attack packets that use these addresses as sources from traversing the WAN link, potentially saving bandwidth during the attack. At the very least is your ISP filtering the RFC 1918 addresses and RFC 2827 filtering guidlines upon installation?. If they aren't I would say that qualifies as negligence (maybe even stupidity). That said, you are right, they are just being lazy. Unfortunaely, having worked with many, many carriers I can say that this is more the rule than the exception. Rich Macvarish Unemployed Network Security Administrator "Insert whimsical signature file here" *********************** This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications.