Hi Geoff, It's your ISP not wanting the extra pain of a non-standard installation. Having the router block incoming packets from your address block and those addressed to your broadcast address means your firewall can spend its CPU time dealing with trickier rules. If your company doesn't do business with China, Korea, Taiwan, Russia, etc., then there are also some good-sized blocks of IP addresses that you can block that will definitely lighten the load on your firewall. Think Defense In Depth.
Regards, Gene -----Original Message----- From: Geoff Shatz [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 29, 2003 2:55 PM To: [EMAIL PROTECTED] Subject: Router Packet Filtering and Firewalls I am trying to confirm my thoughts regarding the use of router packet filtering in addition to having a firewall behind the router but first a little background... Years ago when we first connected our firm to the Internet we did not have a firewall but used packet filtering on the router to protect our perimeter. As time progressed and security became a much greater issue for everyone in IT we moved forward an installed a firewall between our router and the LAN. I was managing our router at that time and kept the initial packet filters in place as I figured two layers of security were better than one. A few years ago we were forced to switch ISP's and our new ISP managed the router they supplied to us. They supplied the router with no ACL's applied to either interface which as I understand it with Cisco IOS creates an implicit permit for both inbound and outbound. After contacting technical support I was told none of their customers use packet filtering at the router level and that's what a firewall was for. I had a small battle with them but they finally relented and configured the router the way I asked them to. We just had a second circuit installed and I had to go through the same routine with them and the end result was the same. Am I missing something here? Is it not better to have both packet filtering applied on the router and a firewall behind it? Is there something inherently wrong with this or is this just a case of our ISP not really giving a damn about security and on top of it being lazy? Any comments would be appreciated. -Geoff