Firewall Wizards mailing list archives

Re: Comparisons between Router ACLs and Firewalls


From: "Dale W. Carder" <dwcarder () doit wisc edu>
Date: Sat, 03 Jan 2004 17:44:30 -0600


On Dec 17, 2003, at 6:30 PM, sd2mcleo () engmail uwaterloo ca wrote:

> I'm looking to compare the use of router ACLs versus firewalls in enforcing network security. If you could provide me with the pros and cons of using each...
>
> - Performance: what are the performance capabilities of each method and how does the throughput compare?

Some routers and switches have firewall features, and some firewalls can route and switch. Then defining what is an ACL or a firewall rule gets even harder.

Furthermore, you also need to differentiate between network equipment that makes packet forwarding decisions in the software realm (like PIX or Linux) versus ASIC implementation (like Cisco's 6500, 7600 series or NetScreen stuff), and what that particular hardware and software combination can handle. It's not a firewall vs. ACL question anymore. For some platforms, there is little correlation between CPU usage, traffic throughput, and concurrent sessions/states. For some platforms there is severely painful correlation.

The lines differentiating firewalls, routers, and switches will probably only continue to get more blurred as these features' implementations blend hardware and software solutions. I guess my point is that for now you at least need to compare individual firewall products against those of the same architecture (software or ASIC based).

Dale

----------------------------------------------------------------------------
Dale W. Carder                  dwcarder () doit wisc edu
Network Engineer        University of Wisconsin at Madison
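The thread contrasts per-packet router ACLs with firewalls that keep session state, and notes that on some platforms throughput tracks the number of concurrent sessions. The following is an added illustration, not code from Dale or from the firewall-wizards list: a toy stateless ACL (permitting return traffic by the TCP ACK bit, the classic "established" style rule) beside a toy stateful filter that keeps a session table. The addresses, ports, the `Packet` class and the sample packet sequence are all constructed here for the example; the model ignores UDP, ICMP, timeouts and rule ordering, which real products handle.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed address ranges for the example (not from the thread).
INSIDE = "10.0.0."        # protected network
OUTSIDE = "203.0.113."    # documentation range standing in for the Internet


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet view: just the fields the two filters look at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def stateless_acl(pkt: Packet) -> str:
    """Router-ACL style decision: each packet is judged on its own.

    Return traffic has to be admitted by a rule that only inspects the
    packet in hand, so the usual trick is 'permit tcp any inside eq 80
    established', i.e. accept anything from source port 80 with ACK set.
    No per-flow memory is consumed, which is why this is cheap in an ASIC.
    """
    if pkt.src.startswith(INSIDE) and pkt.dport == 80:
        return "permit"                       # outbound web request
    if pkt.dst.startswith(INSIDE) and pkt.sport == 80 and pkt.ack:
        return "permit"                       # 'established' reply
    return "deny"


class StatefulFirewall:
    """Firewall style decision: a flow is admitted once and then remembered.

    The session table is the cost: every concurrent flow occupies an entry,
    so memory (and on software platforms, lookup time) grows with sessions
    rather than with raw packet rate.
    """

    def __init__(self) -> None:
        self.sessions = set()   # keys are (src, sport, dst, dport) of the initiator

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reverse in self.sessions:
            return "permit"                   # part of a known flow, either direction
        if pkt.src.startswith(INSIDE) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.sessions.add(key)            # new outbound flow: record it
            return "permit"
        return "deny"                         # unsolicited, no matching session


def compare(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run both filters over a packet sequence; returns (acl, stateful) verdicts."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.decide(p)) for p in packets]


def session_table_size(flows: int) -> int:
    """How many entries the stateful filter holds after `flows` distinct outbound
    connections; the stateless ACL holds zero regardless."""
    fw = StatefulFirewall()
    for i in range(flows):
        fw.decide(Packet(INSIDE + "5", 40000 + i, OUTSIDE + "9", 80, syn=True, ack=False))
    return len(fw.sessions)


# Constructed sample traffic: one legitimate web session, then an inbound
# packet that was never requested but carries the ACK bit, then a bare SYN.
SAMPLE = [
    Packet(INSIDE + "5", 40000, OUTSIDE + "9", 80, syn=True, ack=False),   # client SYN
    Packet(OUTSIDE + "9", 80, INSIDE + "5", 40000, syn=True, ack=True),    # server SYN/ACK
    Packet(INSIDE + "5", 40000, OUTSIDE + "9", 80, syn=False, ack=True),   # client ACK
    Packet(OUTSIDE + "9", 80, INSIDE + "7", 40001, syn=False, ack=True),   # unsolicited, ACK set
    Packet(OUTSIDE + "9", 80, INSIDE + "7", 40001, syn=True, ack=False),   # unsolicited SYN
]

if __name__ == "__main__":
    for pkt, (acl, fw) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ACL={acl:6}  stateful={fw}")
    print("session entries after 1000 flows:", session_table_size(1000))
```

The fourth packet is the point of the exercise: the ACL admits it because the packet looks like a reply, while the stateful filter drops it because no inside host opened that flow. The price of that precision is the session table, whose growth `session_table_size` makes visible; that is the resource the thread has in mind when it says some platforms show a painful correlation between concurrent sessions and throughput.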

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
