Educause Security Discussion mailing list archives
Re: Network Access Control Changes - Firewall and ACL policy changes
From: Luke Sheppard <lshep () TCPIPLAB COM>
Date: Mon, 4 Jun 2007 12:27:08 -0700
I have found that the Cisco FWSM needs a manual shutdown/no-shut of the interface if making acl changes via the command-line IOS. But if you use the web browser GUI you can add interstitial acl changes on-the-fly with no down time. This is very convenient for quick one-off changes, but irritating if you are used to scripting everything. I have also heard, anecdotally, that the Junipers can have problems (brain dead) if the acls get too big. Sorry, I have to actual metrics for this. Luke On Mon, 2007-06-04 at 12:16, Gary Flynn wrote:
Hi, We extensively use Cisco ACLs for our network access controls. Our current method of handling ACLs, that has worked for over a decade, is centered around two text files containing the security configuration for all our internet and core routers. After editing, a perl script breaks out the ACL configurations for individual routers and vlans and stores them on a tftp server. When an access change is needed, we edit the file, generate the ACL configuration files, and reload the appropriate router with just the ACL. The new Cisco router architectures have hardware assist for ACL processing. With the new hardware, reloading one of our ACLs now results in 20-60 second network outages. For example, we've got a 7206 on one Internet connection and a new 7604 on the other. Near identical ACL for both. On the old router it takes seconds to load with no visible outage. On the new router, it takes 90 seconds with network traffic cut off for 60 of them. TAC tells me the behavior is because it takes longer to load the ACL into the hardware than it does to initiate it in software. While the new architecture may process the ACL faster and eliminate the problem of unwanted traffic during the ACL load, it has really messed up our business process. We are accustomed to and expect to be able to make multiple changes in real time without adverse effects. Generally, we make several a day for things like new service deployments, troubleshooting, exceptions to our Internet default deny policy, quarantining infected computers, and reacting to outside malicious activity. While hand editing the live config is an option in an emergency, I don't believe it practical long term due to the complexity of an ACL with hundreds ( nearly thousands ) of entries and the risk associated with changing the live configuration on a frequent basis. Our Juniper ISG IPS has firewall capabilities and we're looking at the Cisco FWSM for the core routers but I was hoping someone with that type of hardware already installed would comment on their experiences with real-time changes to large policies and ACLs during production. Thanks for any assistance and information. -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
-- Luke Sheppard, CISSP mailto:lshep () tcpiplab com
Current thread:
- Re: Network Access Control Changes - Firewall and ACL policy changes Luke Sheppard (Jun 04)
- <Possible follow-ups>
- Re: Network Access Control Changes - Firewall and ACL policy changes David LaPorte (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Mike Iglesias (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Paul Keser (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Michael Hornung (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Greg T. Grimes (Jun 06)