Firewall Wizards mailing list archives

Re: Firewalls v. Router ACLs


From: "Victor B. Williams" <vbwilliams () essvote net>
Date: Fri, 12 Dec 2003 09:43:09 -0600 (CST)

My main reply to that would be that firewalls are BUILT to log, as
well as handle the potentially large amount of traffic, and filter
based on their ruleset.

I don't know of a router that is ever equipped with enough CPU power
and memory to handle (and by handle, I mean to inspect, forward or
drop) a large amount of junk traffic...which is often what you get
coming through routers with these worms, trojans, and viruses.  A
firewall is specifically designed to look at this traffic at a
different level and decide what to do with it (where to send it).

Also, regarding the logging function...I know of no affordable Cisco
router that will give you the log detail of a comparably-priced Cisco
PIX firewall.  In this instance, they are two completely separate
devices aimed at two completely separate functions.  Routers are just
that...used to ROUTE traffic, not examine and filter it.  Firewalls
are just that...there to partition off or protect certain traffic from
hitting certain destinations.  Both devices share some common
attributes...such as Cisco PIX firewalls now supporting dynamic
routing at some level and supporting VLANs.  But the firewall is still
a specialized product, as is the router.  They each have a specific
purpose, and they fulfill that purpose BETTER than any other
*alternative*.

WhiteHat () btclick com said:
Hi All,

I hope this is the appropriate forum for my question, and I apologise
if not, but I am looking for information and would appreciate any help.

I currently work for a department in a large company. Our department
has always used firewalls (CheckPoint on Nokia) to protect our part of
the network from network worms and other 'nasty stuff' on the rest of
the network. Our view is that this 'segmentation' makes it easier to
contain any infection. This strategy has been almost 100% successful
and we have not been impacted by the numerous network-borne worms etc.
over the years.

We are now being pressurised to remove the firewalls by the rest of the
company. The argument is that using well defined ACLs (with a default
'deny all' statement at the end) on the Cisco WAN routers would have
the same effect as the current firewalls. A secondary argument is cost
- the router is seen as a one-off purchase while the Checkpoint
software has an annual licence cost. I am trying to gather evidence of
the pros and cons of this approach.

In particular, I am concerned about:
- performance - will the routers be able to manage this as they are
  designed to route traffic, not stop it?
- logging - what would be the best way to consolidate the router logs
  for analysis etc.?
- incident management - if a router is being hammered by a network worm
  (e.g. MSBlaster/LovSan), how easy will it be to make any emergency
  changes necessary? Won't it be so busy dropping packets it becomes
  impossible to make the change?
- future capability - I see the AI-type technologies evolving in
  firewalls as providing a useful IPS-type functionality in the future.
  This will allow more open rule sets but automated protection if
  things go wrong. Has anyone successfully implemented this yet? Can
  this be enough justification to keep the firewalls?

Does anyone know of any case studies or horror stories of organisations
that have attempted this?

Has anyone had success doing this that they would be willing to share?

Thanks in advance for any help.

Regards
      Richard

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



"Real men don't even use monitors! I've just got a guy that can draw
real fast."

Victor Williams
Network Architect
Election Systems & Software
http://www.essvote.com
vbwilliams () essvote net
(402) 970-1100

CONFIDENTIALITY NOTICE:
This e-mail transmission and any documents, files or previous e-mail
messages attached to it may contain information that is confidential,
protected by the attorney/client or other privileges, and may
constitute non-public information. It is intended to be conveyed only
to the designated recipient(s) named above. Any unauthorized use,
reproduction, forwarding, distribution or other dissemination of this
transmission is strictly prohibited and may be unlawful. If you are
not an intended recipient of this e-mail transmission, please notify
the sender by return e-mail and permanently delete any record of this
transmission. Your cooperation is appreciated.

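Added example for this thread; it is not code from the list or from either poster. Richard asks how router ACL logs could be consolidated for analysis, and Victor's remark about log detail turns on what a router ACL actually records. The script below pulls Cisco IOS ACL log messages (%SEC-6-IPACCESSLOGP for TCP/UDP, %SEC-6-IPACCESSLOGDP for ICMP, including the interface/MAC field that the "log-input" keyword adds) out of a syslog feed and totals denied packets per service and per source, flagging any source that hits many hosts on one port, which is the pattern a worm like the MSBlaster/LovSan case mentioned above produces against a default-deny ACL. The router name, ACL number 101, addresses and log lines are constructed sample data; the field layout of the IOS messages is the real one, and the parsed record shows exactly what an ACL log entry contains: list, action, protocol, addresses and ports (or ICMP type/code), a packet count and, with log-input, the ingress interface and source MAC. There is no session state in it, only a 5-tuple and a count.

```python
"""Consolidate Cisco IOS ACL log messages from a syslog feed into per-service,
per-source and possible-scan summaries.

Added example for the firewall-wizards thread; not code from the list or its
posters. Hostname rtr-wan1, ACL 101, all addresses and the log lines below are
constructed. The message formats are the real IOS ones.
"""
import re
from collections import Counter, defaultdict

# TCP/UDP matches (IPACCESSLOGP). The "(iface mac)" group is present only when
# the ACL entry was written with "log-input" rather than "log".
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# ICMP matches (IPACCESSLOGDP): no ports, "(type/code)" after the destination.
LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>icmp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample feed: a host sweeping TCP/135 across the protected subnet,
# one TFTP probe logged with log-input, one ping, an unrelated syslog line, the
# router's five-minute summary for the first flow, and one permitted flow.
SAMPLE_SYSLOG = """\
Dec 12 09:40:01 rtr-wan1 57: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1412) -> 10.10.1.4(135), 1 packet
Dec 12 09:40:01 rtr-wan1 58: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1413) -> 10.10.1.5(135), 1 packet
Dec 12 09:40:02 rtr-wan1 59: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1414) -> 10.10.1.6(135), 1 packet
Dec 12 09:40:02 rtr-wan1 60: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.7.9(1027) (Serial0/0 0011.2233.4455) -> 10.10.1.4(69), 1 packet
Dec 12 09:40:03 rtr-wan1 61: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.20.7.9 -> 10.10.1.4 (8/0), 1 packet
Dec 12 09:40:05 rtr-wan1 62: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Dec 12 09:45:01 rtr-wan1 63: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1412) -> 10.10.1.4(135), 38 packets
Dec 12 09:45:01 rtr-wan1 64: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.5.17(1500) -> 10.10.1.4(80), 1 packet
"""


def parse_line(line):
    """Return a dict of ACL log fields, or None for any other syslog line."""
    m = LOGP.search(line) or LOGDP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    # ICMP lines carry type/code instead of a port; key them as "type/code".
    rec["dport"] = rec["dport"] if rec.get("dport") else f"{rec['type']}/{rec['code']}"
    return rec


def summarize(lines, scan_threshold=3):
    """Aggregate denied traffic from an iterable of syslog lines.

    IOS logs the first packet that matches a logging ACE immediately and then
    emits a "N packets" summary at the end of each five-minute interval, so
    packet totals come from summing the count field, not from counting lines.
    """
    per_service = Counter()              # (acl, proto, dport) -> packets denied
    per_source = Counter()               # src -> packets denied
    dsts_by_src_port = defaultdict(set)  # (src, proto, dport) -> distinct dsts
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        per_service[(rec["acl"], rec["proto"], rec["dport"])] += rec["count"]
        per_source[rec["src"]] += rec["count"]
        dsts_by_src_port[(rec["src"], rec["proto"], rec["dport"])].add(rec["dst"])
    # One source hitting many destinations on a single port is the usual
    # signature of a worm sweep (TCP/135 for MSBlaster/LovSan).
    scanners = sorted(
        (src, proto, dport, len(dsts))
        for (src, proto, dport), dsts in dsts_by_src_port.items()
        if len(dsts) >= scan_threshold
    )
    return {"per_service": per_service, "per_source": per_source, "scanners": scanners}


def main():
    report = summarize(SAMPLE_SYSLOG.splitlines())
    for (acl, proto, dport), pkts in report["per_service"].most_common():
        print(f"list {acl} {proto}/{dport}: {pkts} packets denied")
    for src, pkts in report["per_source"].most_common():
        print(f"source {src}: {pkts} packets denied")
    for src, proto, dport, n in report["scanners"]:
        print(f"possible scan: {src} hit {n} hosts on {proto}/{dport}")


if __name__ == "__main__":
    main()
```

Feed it the output of a central syslog collector (the routers' "logging host" target) rather than the router's own buffer; the script only depends on the %SEC-6 message body, so the collector's timestamp and hostname prefix are ignored, and the per-interval summary lines are added into the same totals as the first-packet lines.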