>> Cisco routers filter on output, not input, a serious disadvantage for
>> security purposes.
>Yes, but since they filter on both interfaces, the internal and
>external ones, "filtering on input" on one interface is achieved
>by "filtering on output" on the other one. This is feasible and
>that's how we do it.
There is a difference when filtering on input or output. If you have
a router with just two interfaces, filtering on output is just fine
because you know that the packets that come in on interface A are
going to go out on interface B. If you have a router with umpteen
interfaces it makes a big difference whether you filter on input or
output. For example, let's assume that I have a Cisco router with a
56K serial port and 6 ethernet ports. I am fast routing on the
ethernet ports and do not want to incur the performance penalty of
turning on the filters for the ethernet ports. If I could filter in
both directions on the 56K port, I would take the penalty there where
it really doesn't cost me anything.
Another plus: filtering on the aforementioned 56K port would also put
the router itself inside the firewall, thus potentially "hardening" it
against undesired access attempts.
Brian Lloyd, WB6RQN Lloyd & Associates
Principal and Network Architect 3420 Sudbury Road
com Cameron Park, CA 95682
voice (916) 676-1147 fax (916) 676-3442
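The configuration below is an added illustration of the layout the message describes (filter once, in both directions, on the slow serial link; leave the ethernet ports unfiltered); it is not part of the original thread or anyone's production config. It assumes an IOS release that supports the `in` direction of `ip access-group` (the thread itself predates that) and uses the 192.0.2.0/24 documentation range and a hypothetical mail host as stand-ins for the real internal addressing.

```cisco
! Added example, not from the original post.
! Assumed addressing: internal networks live in 192.0.2.0/24 (documentation range),
! the mail relay is 192.0.2.25. Assumes IOS supports inbound access-groups.
!
! Inbound on the 56K link: what the outside is allowed to send us.
! Packets addressed to the router itself also pass this list, so the
! router sits "inside" the filter.
!
! Anti-spoofing: our own prefix and loopback never arrive from outside.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
! SMTP to the mail relay only.
access-list 101 permit tcp any host 192.0.2.25 eq 25
! Return traffic for TCP sessions opened from inside (ACK/RST set).
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
! Everything else is dropped (the implicit deny, written out for clarity).
access-list 101 deny   ip any any
!
! Outbound on the 56K link: only our own source addresses may leave,
! so a compromised internal host cannot spoof other networks.
access-list 102 permit ip 192.0.2.0 0.0.0.255 any
access-list 102 deny   ip any any
!
interface Serial0
 description 56K link to provider - all filtering happens here
 ip access-group 101 in
 ip access-group 102 out
!
interface Ethernet0
 description internal LAN - no access-group applied, fast switching stays on
 ip address 192.0.2.1 255.255.255.0
!
! Ethernet1 through Ethernet5 are configured the same way, without filters.
```

Two things worth noting about this layout. First, the per-packet cost of the access lists is paid only on the serial interface, where a 56K link limits the packet rate anyway, which is the performance point made above. Second, an inbound list on Serial0 is evaluated before the packet is delivered to the router's own IP stack, so attempts to reach the router itself from the outside (for example, telnet to its serial address) are subject to the filter; an outbound list on the ethernet ports would never see those packets, because they are not forwarded out of any interface.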