Re: Network Access Control Changes - Firewall and ACL policy changes

[Luke Sheppard <lshep () TCPIPLAB COM>]

I have found that the Cisco FWSM needs a manual shutdown/no-shut of the interface if making acl changes via the 
command-line IOS. But if you use the web browser GUI you can add interstitial acl changes on-the-fly with no down time. 
This is very convenient for quick one-off changes, but irritating if you are used to scripting everything.

I have also heard, anecdotally, that the Junipers can have problems (brain dead) if the acls get too big. Sorry, I have 
to actual metrics for this.

Luke


On Mon, 2007-06-04 at 12:16, Gary Flynn wrote:
> Hi,
>
> We extensively use Cisco ACLs for our network access controls.
> Our current method of handling ACLs, that has worked for
> over a decade, is centered around two text files containing the
> security configuration for all our internet and core routers.
> After editing, a perl script breaks out the ACL configurations
> for individual routers and vlans and stores them on a tftp server.
> When an access change is needed, we edit the file, generate
> the ACL configuration files, and reload the appropriate router
> with just the ACL.
>
> The new Cisco router architectures have hardware assist for
> ACL processing. With the new hardware, reloading one of our
> ACLs now results in 20-60 second network outages. For example,
> we've got a 7206 on one Internet connection and a new 7604 on
> the other. Near identical ACL for both. On the old router it
> takes seconds to load with no visible outage. On the new router,
> it takes 90 seconds with network traffic cut off for 60 of them.
>
> TAC tells me the behavior is because it takes longer to load the
> ACL into the hardware than it does to initiate it in software.
> While the new architecture may process the ACL faster and
> eliminate the problem of unwanted traffic during the ACL
> load, it has really messed up our business process. We are
> accustomed to and expect to be able to make multiple changes
> in real time without adverse effects. Generally, we make
> several a day for things like new service deployments,
> troubleshooting, exceptions to our Internet default deny policy,
> quarantining infected computers, and reacting to outside
> malicious activity.
>
> While hand editing the live config is an option in an emergency,
> I don't believe it practical long term due to the complexity
> of an ACL with hundreds ( nearly thousands ) of entries and
> the risk associated with changing the live configuration on a
> frequent basis.
>
> Our Juniper ISG IPS has firewall capabilities and we're
> looking at the Cisco FWSM for the core routers but I was
> hoping someone with that type of hardware already installed
> would comment on their experiences with real-time changes to
> large policies and ACLs during production.
>
> Thanks for any assistance and information.
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security
--
Luke Sheppard, CISSP
mailto:lshep () tcpiplab com