Firewall Wizards mailing list archives
Re: How secure are (cisco) ACL's?
From: "Dave O'Shea" <daveoshea () email msn com>
Date: Thu, 1 Oct 1998 19:47:25 -0500
-----Original Message-----
From: Chris Hughes <chughes () rpm com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Thursday, October 01, 1998 6:16 AM
Subject: How secure are (cisco) ACL's?
> In a discussion I had with a co-worker, I expressed my opinion that Firewall1 bounded by two routers (choke/gate/choke) was probably a better solution than a PIX front-ended by a single router (choke/gate).
I'd probably agree. Front, side, and head airbags PLUS seatbelts is my taste. :-) But having to live within my means, I'll forego the least amount of protection that saves the most amount of money.
> His response was that ACL's on the front-ended PIX would be sufficient security. In fact, he stated, a single router with comprehensive ACL's would be sufficient for low-bandwidth internet connections.
A lot of people have done just that. It's not at all airtight, and the stateless nature means that a lot of "interesting" traffic could easily get by - even if you expect it. If you've got a smaller pool of computers with limited and known vulnerabilities, it's possibly acceptable.
> On the surface, it does seem that NAT in conjunction with comprehensive ACL's is secure. However, I have read about stateful inspection (not well implemented on cisco) and know that this can be a problem when depending on ACL's to do the job.
One other concern is possible (and not yet discovered) security weaknesses in various routers. If it's possible to crash a certain router, it might be possible to take advantage of a vulnerable state while it is still coming up. I like designs in which cascaded failures turn off communication, not open it up. In fact, you've got me thinking a little, now. Suppose NAT were used to create an address space that exists only inside the firewall area? And cannot exist outside it? Like an RFC1918 address pool that's banned inside the firewall (and outside, unless the ISP is asleep at the switch).
> With my limited knowledge I was not able to argue my point. Can someone explain and/or point me to material I can digest and come back swinging in my next encounter like this? Also, I need to read up on choke/gate/choke and other security architectures. Any guiding shove in the right direction will be deeply appreciated.
The software vendors will tell you one thing, the hardware vendors another. A solution that involves a mix, and is not fully predictable by either an insider or an outsider, is a good thing. Think of airport security: Some days, they inspect every laptop like it's got plutonium dust on it. Next day they do something different. The idea is to introduce an element of unpredictability, make people think about security, and give the guy who's teetering on the edge of doing something dumb a really bad case of indigestion.
> Commentary is welcome...
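An added example, not part of the thread, to make the "stateless nature" point above concrete: a router ACL using Cisco's `established` keyword decides on each packet alone (ACK or RST bit set), while a stateful filter checks the packet against sessions an inside host actually opened. The addresses, ports and the two filter implementations are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view; all addresses used below are constructed samples."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_permit_inbound(pkt: Packet) -> bool:
    """Router-style ACL rule in the spirit of 'established': inbound TCP is
    permitted whenever the ACK bit is set. Nothing remembers whether an
    inside host ever started the session, so only the packet is examined."""
    return pkt.ack


class StatefulFilter:
    """Connection-tracking filter: inbound TCP is permitted only when it
    matches a session whose SYN was seen leaving from the inside."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:          # new session opened from inside
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # A legitimate reply carries the outbound 4-tuple reversed.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def compare_filters() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (stateless_verdict, stateful_verdict)} for a genuine
    reply and for an unsolicited inbound packet that merely has ACK set."""
    inside, outside = "10.0.0.5", "203.0.113.7"     # constructed addresses
    fw = StatefulFilter()
    fw.outbound(Packet(inside, 40000, outside, 80, syn=True))
    reply = Packet(outside, 80, inside, 40000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.9", 5555, inside, 139, ack=True)
    return {
        "reply_to_inside_session": (stateless_permit_inbound(reply), fw.inbound(reply)),
        "unsolicited_ack_to_inside": (stateless_permit_inbound(unsolicited), fw.inbound(unsolicited)),
    }
```

The unsolicited packet is accepted by the stateless rule and rejected by the stateful one, which is exactly the gap the reply above warns about.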