Re: Network Access Control Changes - Firewall and ACL policy changes

[Michael Hornung <hornung () CAC WASHINGTON EDU>]

We use Cisco FWSMs to provide customers with managed subnet firewalls.
They are working great, and manually-committed ACL changes are fast and do
not noticeably impact traffic flow.

_____________________________________________________
 Michael Hornung          Computing & Communications
 hornung () washington edu   University of Washington

|Gary Flynn wrote:
|>
|> We extensively use Cisco ACLs for our network access controls.
|> Our current method of handling ACLs, that has worked for
|> over a decade, is centered around two text files containing the
|> security configuration for all our internet and core routers.
|> After editing, a perl script breaks out the ACL configurations
|> for individual routers and vlans and stores them on a tftp server.
|> When an access change is needed, we edit the file, generate
|> the ACL configuration files, and reload the appropriate router
|> with just the ACL.
|>
|> The new Cisco router architectures have hardware assist for
|> ACL processing. With the new hardware, reloading one of our
|> ACLs now results in 20-60 second network outages. For example,
|> we've got a 7206 on one Internet connection and a new 7604 on
|> the other. Near identical ACL for both. On the old router it
|> takes seconds to load with no visible outage. On the new router,
|> it takes 90 seconds with network traffic cut off for 60 of them.
|>
|> TAC tells me the behavior is because it takes longer to load the
|> ACL into the hardware than it does to initiate it in software.
|> While the new architecture may process the ACL faster and
|> eliminate the problem of unwanted traffic during the ACL
|> load, it has really messed up our business process. We are
|> accustomed to and expect to be able to make multiple changes
|> in real time without adverse effects. Generally, we make
|> several a day for things like new service deployments,
|> troubleshooting, exceptions to our Internet default deny policy,
|> quarantining infected computers, and reacting to outside
|> malicious activity.
|>
|> While hand editing the live config is an option in an emergency,
|> I don't believe it practical long term due to the complexity
|> of an ACL with hundreds ( nearly thousands ) of entries and
|> the risk associated with changing the live configuration on a
|> frequent basis.
|>
|> Our Juniper ISG IPS has firewall capabilities and we're
|> looking at the Cisco FWSM for the core routers but I was
|> hoping someone with that type of hardware already installed
|> would comment on their experiences with real-time changes to
|> large policies and ACLs during production.
|>
|> Thanks for any assistance and information.