nanog mailing list archives

RE: ACLs vs. full firewalls


From: "TJ" <trejrco () gmail com>
Date: Wed, 15 Apr 2009 11:22:34 -0400

MS is doing something very Jericho'ish with "DirectAccess" ... very loosely,
"Automagic IPsec + IPv6 (via Teredo when needed) + AD-based auth"
(MS's previous step was SDI (Server Domain Isolation))


/TJ


-----Original Message-----
From: Mark Smith
[mailto:nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org]
Sent: Tuesday, April 07, 2009 5:34 PM
To: Michael Helmeste
Cc: nanog () nanog org
Subject: Re: ACLs vs. full firewalls

On Tue, 07 Apr 2009 13:05:31 -0700
Michael Helmeste <mhelmest () uvic ca> wrote:

Hi all,
  One of the duties of my current place of employ is reorganizing the
network. We have a few Catalyst 6500 series L3 switches, but currently
do all packet filtering (and some routing) using a software based
firewall. Don't ask me, I didn't design it :)

  Current security requirements are only based on TCP and non-stateful
UDP src/dst net/port filtering, and so my suggestion was to use ACLs
applied on the routed interface of each VLAN. There was some talk of
using another software based firewall or a Cisco FWSM card to filter
traffic at the border, mostly for management concerns. We expect full
1 gig traffic levels today, and 10 gig traffic levels in the future.

  I view ACLs as being a cheap, easy to administrate solution that
scales with upgrades to new interface line speeds, where a full
stateful firewall isn't necessary. However, I wanted to get other
opinions of what packet filtering solutions people use in the border
and in the core, and why.


It seems there is a trend towards moving host protection onto the hosts
themselves, onto or closer to the resource or entity being protected. It's
basically following the cliche, "If you want something to be done properly,
you need to do it yourself."

http://www.opengroup.org/jericho/ - they call it "de-perimeterization"

I first came across the idea in this article:

http://www.cs.columbia.edu/~smb/papers/distfw.html

If you move to the host-based firewalling model, plain packet filtering
ACLs at the perimeter would be quite an adequate form of a first level of
defence, while also avoiding the performance overhead of (or resources
required to perform) stateful tracking of large amounts of traffic.

Regards,
Mark.



  What's out there, and why do you guys use it? How do you feel about
the scalability, performance, security, and manageability of your
solution? What kind of traffic levels do you put through it?
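As an added illustration of the stateless per-VLAN ACL approach Michael describes, and of the "first level of defence" role Mark assigns to such ACLs, here is a constructed Cisco IOS configuration; it is not from any poster in the thread, and the VLAN number, prefixes and ports are hypothetical:

```cisco
! Constructed example: stateless filtering on the routed interface (SVI)
! of a server VLAN. Everything is matched per packet; nothing is tracked.
ip access-list extended TO-VLAN100
 remark Applied outbound on the SVI: traffic entering the server VLAN
 remark Public services: anyone may reach the web servers
 permit tcp any 10.100.0.0 0.0.0.255 eq 80
 permit tcp any 10.100.0.0 0.0.0.255 eq 443
 remark Management only from the admin subnet
 permit tcp 10.1.1.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 22
 remark established only checks the ACK or RST bit; it is not state tracking,
 remark so a crafted packet with ACK set passes. Host firewalls cover that gap.
 permit tcp any 10.100.0.0 0.0.0.255 established
 remark UDP has no flags to key on: return DNS traffic is allowed explicitly
 permit udp any eq 53 10.100.0.0 0.0.0.255 gt 1023
 remark Keep PMTU discovery and ping replies working
 permit icmp any 10.100.0.0 0.0.0.255 packet-too-big
 permit icmp any 10.100.0.0 0.0.0.255 echo-reply
 remark On a 6500 the log keyword punts matches to the route processor;
 remark drop it if it causes CPU load at gig and 10 gig rates
 deny ip any any log
!
ip access-list extended FROM-VLAN100
 remark Applied inbound on the SVI: traffic leaving the server VLAN
 remark Anti-spoofing: only the VLAN's own prefix may source packets
 permit ip 10.100.0.0 0.0.0.255 any
 deny ip any any log
!
interface Vlan100
 description Server VLAN, stateless ACLs on the routed interface
 ip address 10.100.0.1 255.255.255.0
 ip access-group TO-VLAN100 out
 ip access-group FROM-VLAN100 in
```

Because the ACLs are evaluated in hardware per packet, the same configuration scales with line-rate upgrades; the trade-off is that anything needing connection state has to be enforced on the hosts themselves.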



