Educause Security Discussion mailing list archives
Re: Network Access Control Changes - Firewall and ACL policy changes
From: Michael Hornung <hornung () CAC WASHINGTON EDU>
Date: Tue, 5 Jun 2007 08:42:44 -0700
We use Cisco FWSMs to provide customers with managed subnet firewalls. They are working great, and manually-committed ACL changes are fast and do not noticeably impact traffic flow. _____________________________________________________ Michael Hornung Computing & Communications hornung () washington edu University of Washington |Gary Flynn wrote: |> |> We extensively use Cisco ACLs for our network access controls. |> Our current method of handling ACLs, that has worked for |> over a decade, is centered around two text files containing the |> security configuration for all our internet and core routers. |> After editing, a perl script breaks out the ACL configurations |> for individual routers and vlans and stores them on a tftp server. |> When an access change is needed, we edit the file, generate |> the ACL configuration files, and reload the appropriate router |> with just the ACL. |> |> The new Cisco router architectures have hardware assist for |> ACL processing. With the new hardware, reloading one of our |> ACLs now results in 20-60 second network outages. For example, |> we've got a 7206 on one Internet connection and a new 7604 on |> the other. Near identical ACL for both. On the old router it |> takes seconds to load with no visible outage. On the new router, |> it takes 90 seconds with network traffic cut off for 60 of them. |> |> TAC tells me the behavior is because it takes longer to load the |> ACL into the hardware than it does to initiate it in software. |> While the new architecture may process the ACL faster and |> eliminate the problem of unwanted traffic during the ACL |> load, it has really messed up our business process. We are |> accustomed to and expect to be able to make multiple changes |> in real time without adverse effects. Generally, we make |> several a day for things like new service deployments, |> troubleshooting, exceptions to our Internet default deny policy, |> quarantining infected computers, and reacting to outside |> malicious activity. |> |> While hand editing the live config is an option in an emergency, |> I don't believe it practical long term due to the complexity |> of an ACL with hundreds ( nearly thousands ) of entries and |> the risk associated with changing the live configuration on a |> frequent basis. |> |> Our Juniper ISG IPS has firewall capabilities and we're |> looking at the Cisco FWSM for the core routers but I was |> hoping someone with that type of hardware already installed |> would comment on their experiences with real-time changes to |> large policies and ACLs during production. |> |> Thanks for any assistance and information.
Current thread:
- Re: Network Access Control Changes - Firewall and ACL policy changes Luke Sheppard (Jun 04)
- <Possible follow-ups>
- Re: Network Access Control Changes - Firewall and ACL policy changes David LaPorte (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Mike Iglesias (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Paul Keser (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Michael Hornung (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Greg T. Grimes (Jun 06)