Re: Switch ACL vs Firewall

["Martin Hoz" <martinhoz () gmail com>]

On 5/7/06, Grant Bourzikas <strongrant () gmail com> wrote:
> not use Firewalls but rather use Switch ACL's.  Their point is that Switch
> ACL's do the same thing as firewalls if used in conjunction with a layered
> security model that uses Network IPS, Layer 7 Firewalls, and Host IPS,  I

That's sort-of-right: modern firewalls do that as well: they put VPN,
QoS and IPS/deep inspection technlogy and it makes sense... several
customers use that are happy...

What's the point of distributing that functionality when having some
of it integrated makes more sense?
- How do you add VPNs in the architecture they are proposing for example?
- Would all of those things be managed from the same point, or are
those different managements?
- How many things would you have to learn, operate, update (in a word:
manage) so you can do the same things you do today with what you have
and are happy?
- What about reporting? - How much hard work would you have to do to
get useful reports that mean something to you (and to your
management)?
- How can be the whole thing audited?
- How does that design scale to give you more Gbps, Connections-per-second?

And finally... seems like they want to tie you...
- What guarantees vendor independency/interoperability in their
design? How is that achieved?
- If you don't like a part of their design in the future (let's say
you prefer a new IPS, or another firewall, plain and simple), how easy
can you replace that component without affecting the overall design in
performance, reliability and security?

Interesting... huh? :-)

- Martín.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards