Firewall Wizards mailing list archives

RE: Defense in Depth to the Desktop


From: Scott Stursa <stursa () mailer fsu edu>
Date: Wed, 8 Dec 2004 15:28:12 -0500 (EST)

On Mon, 6 Dec 2004, Chris Pugrud wrote:

> Organizations with a Cisco core can upgrade to the firewall feature set to gain
> the stateful packet filtering required to implement the model, at least that's
> how I'm doing it in one fairly large environment.

Really? On what kind of hardware?

Our experience, at least with CAT6500s running SUP2, is that CBAC can
be a real dog (Context Based Access Control, the "stateful inspection"
piece of Firewall Feature Set). It works okay for small departmental nets,
but if you have 150+ desktops busily accessing numerous resources outside
their subnet (i.e., through the CBAC ACL), it can have a serious
performance impact.

And don't even think about running it on a CAT5500/RSM.

Don't know about a 6500 equipped with a SUP720, but even if the
performance is improved, functionally FFS is no substitute for a PIX or a
FWSM.

- SLS

------------------------------------------------------------------------
Scott L. Stursa                                             850/645-2397
Network Security Assessment                        stursa () mailer fsu edu
Technology Integration/User Services            Florida State University

                     - No good deed goes unpunished -
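For readers unfamiliar with where "the CBAC ACL" mentioned above sits, here is an added IOS Firewall Feature Set configuration sketch for a desktop VLAN on a Catalyst 6500 SVI. It is not from the original thread or from either poster; VLAN number, addresses, ACL numbers and the inspection rule name are hypothetical. It shows the two pieces that make the model work: an `ip inspect` rule applied in the direction desktops initiate sessions, and a default-deny ACL in the return direction into which CBAC inserts temporary entries for each inspected session.

```cisco
! Added example, not from the original post. All numbers are hypothetical.
!
! Inspection rule set: track TCP and UDP sessions initiated by desktops so
! that only the matching return traffic is let back in.
ip inspect name DESKTOP-FW tcp
ip inspect name DESKTOP-FW udp
!
! ACL 110: what desktops are allowed to initiate (hypothetical policy:
! web, mail submission and DNS to anywhere; everything else dropped).
access-list 110 permit tcp 10.10.0.0 0.0.255.255 any eq 80
access-list 110 permit tcp 10.10.0.0 0.0.255.255 any eq 443
access-list 110 permit tcp 10.10.0.0 0.0.255.255 any eq 25
access-list 110 permit udp 10.10.0.0 0.0.255.255 any eq 53
access-list 110 deny   ip  any any log
!
! ACL 120: default deny toward the desktops. This is the "CBAC ACL":
! CBAC adds dynamic permit entries ahead of it for the return half of
! every session it inspected on the way out.
access-list 120 deny ip any any
!
interface Vlan10
 description Desktop VLAN (hypothetical)
 ip address 10.10.0.1 255.255.0.0
 ! "in" on an SVI = traffic leaving the desktops toward the core
 ip access-group 110 in
 ip inspect DESKTOP-FW in
 ! "out" on an SVI = traffic heading back to the desktops
 ip access-group 120 out
```

Because every new desktop session creates an inspection entry and a dynamic ACL entry, the cost scales with the number of concurrent flows crossing the SVI rather than with the number of desktops, which is why a subnet of busy clients hits the limits Scott describes far sooner than a quiet departmental one. `show ip inspect sessions` on the box lists the state table CBAC is maintaining and is the quickest way to see how large it has grown.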
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
