Educause Security Discussion mailing list archives

Re: Network Access Control Changes - Firewall and ACL policy changes


From: Paul Keser <pkeser () STANFORD EDU>
Date: Tue, 5 Jun 2007 08:34:23 -0700

Gary-

We have a large installed base of Juniper/Netscreen firewalls including
several ISG2000's.  We have some huge policies.  I believe our NS5400
had 8-9000 rules at one point.  We make changes during production with
no ill effects using either the browser interface or CLI...well usually
no ill effects...there is the occasional fat finger error ;-)

We are currently deploying 9 HA pairs of 5200's to firewall our
departments.  Each department goes in their own vsys (virtual
firewall).  We are moving 3-5 departments per week behind firewalls so
needless to say there are a lot of rule changes...

-PaulK

Paul Keser
Assoc. Information Security Officer
Stanford University
650.724.9051
GPG Fingerprint:  DBA3 E20F CE91 28AA DA1C  4A77 3BD9 C82D 2699 24FB



Gary Flynn wrote:

Hi,

We extensively use Cisco ACLs for our network access controls.
Our current method of handling ACLs, that has worked for
over a decade, is centered around two text files containing the
security configuration for all our internet and core routers.
After editing, a perl script breaks out the ACL configurations
for individual routers and vlans and stores them on a tftp server.
When an access change is needed, we edit the file, generate
the ACL configuration files, and reload the appropriate router
with just the ACL.

The new Cisco router architectures have hardware assist for
ACL processing. With the new hardware, reloading one of our
ACLs now results in 20-60 second network outages. For example,
we've got a 7206 on one Internet connection and a new 7604 on
the other. Near identical ACL for both. On the old router it
takes seconds to load with no visible outage. On the new router,
it takes 90 seconds with network traffic cut off for 60 of them.

TAC tells me the behavior is because it takes longer to load the
ACL into the hardware than it does to initiate it in software.
While the new architecture may process the ACL faster and
eliminate the problem of unwanted traffic during the ACL
load, it has really messed up our business process. We are
accustomed to and expect to be able to make multiple changes
in real time without adverse effects. Generally, we make
several a day for things like new service deployments,
troubleshooting, exceptions to our Internet default deny policy,
quarantining infected computers, and reacting to outside
malicious activity.

While hand editing the live config is an option in an emergency,
I don't believe it is practical long term due to the complexity
of an ACL with hundreds (nearly thousands) of entries and
the risk associated with changing the live configuration on a
frequent basis.

Our Juniper ISG IPS has firewall capabilities and we're
looking at the Cisco FWSM for the core routers but I was
hoping someone with that type of hardware already installed
would comment on their experiences with real-time changes to
large policies and ACLs during production.

Thanks for any assistance and information.
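The workflow Gary describes, a master text file that a script breaks out into per-router ACL fragments for TFTP, can be illustrated with a small generator. The following is an added example, not Gary's Perl script or any JMU configuration; it is written in Python, and the bracketed `[router ACL-NAME]` section header format, the router names and the addresses in the master file are all constructed for the example. It validates every line before emitting anything, so a typo in the master file is caught at generation time rather than on the router, and it makes the default deny explicit at the end of each generated ACL.

```python
"""Split a master ACL text file into per-router Cisco ACL config fragments.

Added example (not the original poster's script). The master-file format
below is an assumption: a section header of the form "[router ACL-NAME]"
followed by plain permit/deny/remark entries.
"""
import re
from collections import OrderedDict
from pathlib import Path

HEADER_RE = re.compile(r"^\[(?P<router>[\w.-]+)\s+(?P<acl>[\w-]+)\]$")
ENTRY_RE = re.compile(r"^(permit|deny|remark)\b", re.IGNORECASE)
EXPLICIT_DENY = "deny ip any any"

# Constructed sample master file; addresses are documentation ranges.
MASTER = """\
# master ACL file (constructed example)
[inet-rtr-1 INTERNET-IN]
remark web server exception
permit tcp any host 192.0.2.10 eq 80
permit tcp any host 192.0.2.10 eq 443
remark quarantined host
deny ip host 192.0.2.55 any

[inet-rtr-1 INTERNET-OUT]
permit ip 192.0.2.0 0.0.0.255 any

[core-rtr-1 VLAN10-IN]
permit tcp 10.1.10.0 0.0.0.255 any eq 22
"""


def parse_master(text):
    """Return {router: {acl_name: [entries]}} in file order.

    Raises ValueError on any line that is neither a header, a comment,
    nor a permit/deny/remark entry, so bad input never reaches a router.
    """
    routers = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            acls = routers.setdefault(m["router"], OrderedDict())
            current = acls.setdefault(m["acl"], [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: entry before any [router ACL] header")
        if not ENTRY_RE.match(line):
            raise ValueError(f"line {lineno}: not an ACL entry: {line!r}")
        current.append(line)
    return routers


def render_acl(name, entries):
    """Render one named extended ACL; append an explicit final deny."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {e}" for e in entries]
    if not entries or entries[-1].lower() != EXPLICIT_DENY:
        lines.append(f" {EXPLICIT_DENY}")
    return "\n".join(lines)


def generate(text):
    """Return {router: config_fragment} ready to be copied to the TFTP area."""
    routers = parse_master(text)
    return {
        router: "\n".join(render_acl(name, ents) for name, ents in acls.items())
        for router, acls in routers.items()
    }


def write_fragments(text, outdir):
    """Write one <router>.acl file per router under outdir; return paths."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for router, cfg in generate(text).items():
        path = outdir / f"{router}.acl"
        path.write_text(cfg + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile
    for p in write_fragments(MASTER, tempfile.mkdtemp()):
        print(f"--- {p}")
        print(p.read_text())
```

Each generated file contains only the ACL definitions for that router, matching the "reload the appropriate router with just the ACL" step; the interface bindings stay out of the fragment so a reload cannot accidentally detach an ACL.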