Firewall Wizards mailing list archives

RE: Defense in Depth to the Desktop


From: Chris Pugrud <cpugrud () yahoo com>
Date: Wed, 8 Dec 2004 13:48:06 -0800 (PST)


--- Scott Stursa <stursa () mailer fsu edu> wrote:

> Really? On what kind of hardware?
> 
> Our experience, at least with CAT6500s running SUP2, is that CBAC can
> be a real dog (Context Based Access Control, the "stateful inspection"
> piece of Firewall Feature Set). It works okay for small departmental nets,
> but if you have 150+ desktops busily accessing numerous resources outside
> their subnet (i.e., through the CBAC ACL), it can have a serious
> performance impact.
> 
> And don't even think about running it on a CAT5500/RSM.
> 
> Don't know about a 6500 equipped with a SUP720, but even if the
> performance is improved, functionally FFS is no substitute for a PIX or a
> FWSM.

Without a doubt a dedicated firewall appliance is the way to go for this
application.  I'm able to get away with CBAC in the current environment, even
with a few thousand clients, because the rules are so simple and CBAC is only
controlling access to a handful (five) servers (AD and MSX).  As the system
expands to accommodate more server subnets, either PIX blades or Netscreens are
in the future.

The one-way nature is what leads to the operational and academic simplicity of
the model.  On the server VLAN interface there is no outbound ACL and CBAC is
only inspecting UDP.  On the inbound ACL about the only lines are "allow tcp
established" and "deny ip any any".  CBAC adds in, on average, about 30-40 very
specific permit udp lines at the top of the list with a timeout of 30 seconds.
That timeout could probably be cut back to 5-10 seconds without any impact.

This is still POC operationally, but it does close a considerable gap between
the perimeter (enclave) firewall and the desktop that exists in most
organizations.  I don't view it as replacing anything else, just another tool
that is useful in achieving defense in depth.

chris
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
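The server-VLAN configuration Chris describes above, written out as an added IOS Firewall Feature Set example (this is an editorial illustration, not configuration posted by Chris or taken from his network). Interface name, VLAN number, addressing and the ACL/inspect names are assumptions chosen for the example; the structure follows the post: no ACL in the outbound direction, CBAC inspecting only UDP, and an inbound ACL whose only entries are "permit tcp established" and "deny ip any any", with CBAC punching 30-second UDP return holes into that inbound list.

```cisco
! --- Added example: one-way server VLAN with CBAC opening only UDP return traffic ---
! Names, VLAN number and addresses are hypothetical.
!
! CBAC inspection rule: inspect UDP only, idle timeout 30 seconds (the post
! notes this could probably drop to 5-10 s). TCP is deliberately not inspected
! because the static "established" entry below already lets TCP replies through.
ip inspect name SRV-UDP udp timeout 30
!
! Optional: log what the inspection engine opens, useful while the model is
! still proof-of-concept.
ip inspect audit-trail
!
! Inbound ACL on the server VLAN SVI ("in" = packets arriving from the servers).
! Servers may only send TCP segments with ACK or RST set, i.e. replies to
! sessions a client opened; they can never open a connection toward a desktop.
! CBAC inserts its temporary "permit udp host <server> eq <port> host <client>
! eq <port>" entries ahead of these lines while a UDP exchange is live.
ip access-list extended SERVERS-IN
 remark Replies to client-initiated TCP sessions (ACK/RST set)
 permit tcp any any established
 remark Everything else from the server VLAN is dropped (explicit, so it can be logged)
 deny   ip any any log
!
interface Vlan10
 description Server VLAN (AD / Exchange) - hypothetical
 ip address 10.10.10.1 255.255.255.0
 ! No ACL in the "out" direction: desktops reach the servers unrestricted.
 ! CBAC watches UDP leaving the router toward the servers (DNS, Kerberos,
 ! NTP, etc.) and opens the matching return entry in SERVERS-IN.
 ip inspect SRV-UDP out
 ip access-group SERVERS-IN in
!
! Verification commands (not configuration):
!   show ip inspect sessions        - live UDP sessions CBAC is tracking
!   show ip access-lists SERVERS-IN - dynamic permit udp entries appear at the top
```

Two caveats a practitioner would want alongside this: the `established` keyword is a flag check (ACK or RST set), not connection tracking, so a host on the server VLAN can still send unsolicited ACK-flagged segments to a desktop; it is a cheap way to block session initiation, not stateful inspection of TCP. And the inspect rule is placed on the same SVI as the ACL, in the opposite direction, which is what makes CBAC open the return path in that list; putting the inspect statement on the client-side interfaces instead would require matching the ACL placement accordingly.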

