Re: Cisco IOS

[Ryan Russell <ryan () securityfocus com>]

On Fri, 8 Dec 2000, Robert Purdy (DSL AK) wrote:

> Can anyone tell me what added features I get out of putting the Firewall IOS
> on a 1600 over what I can do in ACLs?

Sure.  With ACLs, even reflexive ones, you have to leave TCP ports above
1023 wide open if you want to support non-PASV FTP.  With the firewall
feature set, it snoops out the port command, and opens just the one port
back.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/index.htm

It's also supposed to do some IDS stuff, but I haven't looked at it.
Supposed to have better logging, too.


> For a B2B connection that does not have a requirement to be 100%
> bullet-proof all the time, is a Firewall IOS really required?

A plain packet filter alone is completely inadequate for almost every
situtation.  I'd use it to protect public servers that run the simplest of
protocols (no FTP), but I'd never want to put users behind one.

> Are there any holes in a ACL apart from the fact that there is an implicit
> allow rather than deny if the ACL is not no the interface?

They're just not flexible enough for many protocols.  You may also run
into trouble with an attacker playing fragment games.

                                        Ryan


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards