nanog mailing list archives

Re: ACLs vs. full firewalls


From: Matthew Petach <mpetach () netflight com>
Date: Tue, 7 Apr 2009 14:20:52 -0700

On 4/7/09, Michael Helmeste <mhelmest () uvic ca> wrote:
Hi all,
  One of the duties of my current place of employ is reorganizing the
 network. We have a few Catalyst 6500 series L3 switches, but currently
 do all packet filtering (and some routing) using a software based
 firewall. Don't ask me, I didn't design it :)

  Current security requirements are only based on TCP and non-stateful
 UDP src/dst net/port filtering, and so my suggestion was to use ACLs
 applied on the routed interface of each VLAN. There was some talk of
 using another software based firewall or a Cisco FWSM card to filter
 traffic at the border, mostly for management concerns. We expect full 1
 gig traffic levels today, and 10 gig traffic levels in the future.

  I view ACLs as being a cheap, easy to administrate solution that
 scales with upgrades to new interface line speeds, where a full stateful
 firewall isn't necessary. However, I wanted to get other opinions of
 what packet filtering solutions people use in the border and in the
 core, and why.

ACLs are a cheap solution; ease of administration depends on your
scale in terms of number of entries.  Keep in mind that depending
on your hardware platform, using ACLs can run into unexpected
limitations.  If you're considering doing this on the 6500 platform,
read up on TCAM limitations and L4Op/LOU operator limits:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp43433

It can be a very rude awakening when you add one more seemingly
innocuous line to your ACL, and discover the entire thing has suddenly
gone into software switched mode.

With that caveat aside, there are many large sites that do make
use of ACLs as part of their security repertoire.  It's definitely
something to consider, just be aware of your hardware platform's
limitations before diving in headfirst.

Matt

  What's out there, and why do you guys use it? How do you feel about
 the scalability, performance, security, and manageability of your
 solution? What kind of traffic levels do you put through it?
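A worked illustration of the L4Op/LOU point Matt raises, added here as an example that is not part of either poster's message: a small Python checker that parses IOS-style extended ACLs from a config dump, counts the ACEs per ACL, and tallies the port operators that consume a logical operation unit. It assumes (per the Cisco white paper linked above, but treat the exact numbers as platform-specific) that `eq` is matched directly in TCAM while `gt`, `lt`, `neq` and `range` each need a LOU, and that a per-ACL and system-wide budget exist; the budget values and the sample ACL text are constructed for the example, not taken from any real device.

```python
"""Estimate L4 operator (LOU) consumption of IOS extended ACLs.

Added example: parses 'ip access-list extended' blocks and counts
port operators that need a logical operation unit.  Budget numbers
are parameters; take the real ones from your platform's documentation.
"""
import re
from collections import Counter

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
ip access-list extended VLAN10-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 permit tcp any 10.10.0.0 0.0.255.255 range 1024 65535
 permit udp any 10.10.0.0 0.0.255.255 gt 1023
 permit tcp any any neq 23
 deny ip any any
ip access-list extended VLAN20-IN
 permit tcp any host 10.20.0.5 eq 80
 deny ip any any
"""

# Assumption: eq is handled in TCAM directly; these four operators each
# consume a LOU on the PFC.  Adjust for your supervisor/PFC generation.
LOU_OPERATORS = ("gt", "lt", "neq", "range")

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
ACE_LINE = re.compile(r"^\s+(permit|deny)\s+(\S+)\s+(.*)$")
PORT_OP = re.compile(r"\b(eq|gt|lt|neq|range)\b")


def parse_acls(config_text):
    """Return {acl_name: {"aces": int, "lou_ops": Counter}} from config text."""
    acls = {}
    current = None
    for line in config_text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = {"aces": 0, "lou_ops": Counter()}
            continue
        if current is None:
            continue  # text before the first ACL block
        ace = ACE_LINE.match(line)
        if not ace:
            continue  # remarks, blank lines, other config
        acls[current]["aces"] += 1
        # Count every LOU-consuming operator in the ACE (src and dst ports).
        for op in PORT_OP.findall(ace.group(3)):
            if op in LOU_OPERATORS:
                acls[current]["lou_ops"][op] += 1
    return acls


def lou_count(entry):
    """Total LOU-consuming operators in one parsed ACL."""
    return sum(entry["lou_ops"].values())


def over_budget(acls, max_lou_per_acl):
    """List (acl_name, lou_count) for ACLs exceeding the per-ACL budget."""
    return sorted(
        (name, lou_count(entry))
        for name, entry in acls.items()
        if lou_count(entry) > max_lou_per_acl
    )


def total_lou(acls):
    """System-wide operator count, an upper bound on LOUs if none are shared."""
    return sum(lou_count(entry) for entry in acls.values())


if __name__ == "__main__":
    parsed = parse_acls(SAMPLE_CONFIG)
    for name, entry in parsed.items():
        print(f"{name}: {entry['aces']} ACEs, {lou_count(entry)} LOU ops "
              f"{dict(entry['lou_ops'])}")
    # Hypothetical budgets for the demo; replace with your platform's limits.
    print("over per-ACL budget of 2:", over_budget(parsed, 2))
    print("total LOU ops:", total_lou(parsed))
```

The count is an upper bound: the hardware may share a LOU between identical operators, and the real per-ACL and per-system limits differ by supervisor and PFC generation, so use this to spot ACLs that lean heavily on `range`/`gt`/`lt`/`neq` before pushing them, and confirm the actual allocation with the platform's own TCAM utilization commands. Rewriting `range 1024 65535` as an `eq` list or a coarser match is the usual fix when an ACL is about to fall back to software switching.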