Firewall Wizards mailing list archives
RE: Defense in Depth to the Desktop
From: Chris Pugrud <cpugrud () yahoo com>
Date: Wed, 8 Dec 2004 13:48:06 -0800 (PST)
--- Scott Stursa <stursa () mailer fsu edu> wrote:
Really? On what kind of hardware? Our experience, at least with CAT6500s running SUP2, is that CBAC can be a real dog (Context Based Access Control, the "stateful inspection" piece of Firewall Feature Set). It works okay for small departmental nets, but if you have 150+ desktops busily accessing numerous resources outside their subnet (i.e., through the CBAC ACL), it can have a serious performance impact. And don't even think about running it on a CAT5500/RSM. Don't know about a 6500 equipped with a SUP720, but even if the performance is improved, functionally FFS is no substitute for a PIX or a FWSM.
Without a doubt a dedicated firewall appliance is the way to go for this application. I'm able to get away with CBAC in the current environment, even with a few thousand clients, because the rules are so simple and CBAC is only controlling access to a handful (five) servers (AD and MSX). As the system expands to accommodate more server subnets, either PIX blades or Netscreens are in the future.

The one-way nature is what leads to the operational and academic simplicity of the model. On the Server vlan interface there is no outbound ACL and CBAC is only inspecting UDP. On the inbound ACL about the only lines are "allow tcp established" and "deny ip any any". CBAC adds in, on average, about 30-40 very specific permit udp lines at the top of the list with a timeout of 30 seconds. That timeout could probably be cut back to 5-10 seconds without any impact.

This is still POC operationally, but it does close a considerable gap between the perimeter (enclave) firewall and the desktop that exists in most organizations. I don't view it as replacing anything else, just another tool that is useful in achieving defense in depth.

chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
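A reconstruction of the one-way server VLAN setup described in the reply above, in IOS Firewall Feature Set syntax. This is an added illustration, not configuration from the thread; the VLAN number, addresses and the ACL/inspection names are assumptions.

```cisco
! Global CBAC settings: inspect UDP only, with the 30-second idle timeout
! mentioned in the post (also the IOS default for UDP sessions).
ip inspect udp idle-time 30
ip inspect name TO-SERVERS udp
!
! Inbound ACL on the server VLAN: servers may only answer TCP sessions that
! already exist; anything else originating on the server side is dropped.
! CBAC inserts temporary "permit udp" entries at the top of this list for
! UDP flows it has seen leaving the router toward the servers.
ip access-list extended FROM-SERVERS
 permit tcp any any established
 deny   ip any any
!
! Server VLAN interface (VLAN number and addressing are constructed).
! No outbound ACL. Inspection is applied in the direction the clients
! initiate (out toward the servers), so the dynamic return-traffic
! entries are opened in the inbound ACL on this same interface.
interface Vlan100
 description Server VLAN - AD / Exchange (example)
 ip address 10.100.0.1 255.255.255.0
 ip access-group FROM-SERVERS in
 ip inspect TO-SERVERS out
```

`show ip inspect sessions` and `show ip access-lists FROM-SERVERS` display the dynamic UDP entries CBAC has added and let you observe how long they persist before the idle timeout removes them.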