Firewall Wizards mailing list archives

Comparisons between Router ACLs and Firewalls


From: sd2mcleo () engmail uwaterloo ca
Date: Wed, 17 Dec 2003 19:30:15 -0500

I'm an undergraduate student studying computer engineering and do not possess
the expertise I'm sure you all do, so I came here to get some help.

This post is related to and inspired by the post (and responses) titled
"Firewalls vs. Router ACLs" posted by Richard here:
http://honor.icsalabs.com/pipermail/firewall-wizards/2003-December/015755.html

I'm looking to compare the use of router ACLs versus firewalls in enforcing
network security. If you could provide me with the pros and cons of using each
method I would be most grateful. Please spare NO details or thoughts of your own.

Further, I've come up with some possible points of comparison between the two
methods. Please inject thoughts of your own on which method is better for each
criterion:

- Performance: what are the performance capabilities of each method and how does
the throughput compare?

- Logging capabilities: how effective is the logging done by each method? How
much of a network manager's ability to monitor incoming and outgoing packets is
lost if firewall logging is dropped? How effectively can network managers
monitor traffic with only router ACLs?

- Manageability: how easily can each system be maintained and updated? Does the
ACL grow too unwieldy once it grows large and hamper the ability to expand it?
Does the GUI of popular firewall software provide an attraction to using
firewalls over ACLs?

- Cost: routers are a one-time purchase, whereas firewall fees are ongoing? How
do the costs of popular products compare? What are the drawbacks of sacrificing
performance for cost? For a limited budget, which is the preferred method?

- Fundamental purpose: routers are designed to route traffic, not stop it,
whereas firewalls are designed to examine and accept/reject traffic. Do these
fundamental differences hamper the ability of router ACLs to perform accurately?

- Ability to enforce policies: firewalls dig deeper into the packets (stateful
inspection), unlike router ACLs, which don't examine as deeply. How does this
hinder abilities to enforce policies?

- Incident management: how easily can either system perform while the victim of
an attack?

Finally:
- Which of the two or what structure of a combination of the two would you
recommend for an enterprise network?
- What conclusions can you draw on one method over the other or on using both
together?
- What recommendations would you make to a large corporation looking to
modernize their security policy and integrate their connectivity and security areas?

As I'm learning about the two technologies, I thought I'd come to the source. I
was pretty happy when I came across this mailing list and the "Firewalls vs.
Router ACLs" post I referred to. Any help is extremely appreciated.

Thank you,
Scott McLeod.
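To make the stateless-versus-stateful distinction raised under "Ability to enforce policies" concrete, here is an added example (written for this archive page; it is not code from the original post or from any router or firewall vendor). It simulates a router ACL that judges each packet alone, using the classic "established" style rule that admits inbound TCP when the ACK bit is set, beside a stateful filter that admits inbound packets only if they answer a connection it saw opened from inside. The packet format, the 10.0.0.0/24 "inside" prefix and the sample traffic are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

INSIDE = "10.0.0."  # constructed LAN prefix for this example

def stateless_acl(pkt: Packet) -> bool:
    """Router ACL: each packet is judged on its own. Policy: permit anything
    outbound; permit inbound TCP only when ACK is set (the classic 'established'
    rule), since replies to inside-initiated connections always carry ACK. The
    ACL has no way to know whether such a connection actually exists."""
    return pkt.src.startswith(INSIDE) or pkt.ack

class StatefulFilter:
    """Stateful inspection: remember flows opened from inside and admit an
    inbound packet only if it belongs to one of them."""
    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE):
            if pkt.syn and not pkt.ack:  # new outbound connection: record it
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: permit only replies to a recorded outbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (ACL verdict, stateful verdict) for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_acl(p), sf.check(p)) for p in packets]

# Constructed traffic: a normal web session, then an inbound packet with ACK
# set that belongs to no connection the inside ever opened.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True, ack=False),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, syn=False, ack=True),
]
# compare(SAMPLE) -> [(True, True), (True, True), (True, False)]
```

The third packet is where the two diverge: the ACL has no connection table, so a header flag is the only evidence it can act on, while the stateful filter rejects it because no inside host opened that flow. A production stateful engine also tracks sequence numbers, connection teardown and idle timeouts, which this simulation omits.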

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
