Firewall Wizards mailing list archives
Re: Cisco IOS
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 8 Dec 2000 20:33:40 -0800 (PST)
On Fri, 8 Dec 2000, Robert Purdy (DSL AK) wrote:
Can anyone tell me what added features I get out of putting the Firewall IOS on a 1600 over what I can do in ACLs?
Sure. With ACLs, even reflexive ones, you have to leave TCP ports above 1023 wide open if you want to support non-PASV FTP. With the firewall feature set, it snoops out the port command, and opens just the one port back. http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/index.htm It's also supposed to do some IDS stuff, but I haven't looked at it. Supposed to have better logging, too.
For a B2B connection that does not have a requirement to be 100% bullet-proof all the time, is a Firewall IOS really required?
A plain packet filter alone is completely inadequate for almost every situtation. I'd use it to protect public servers that run the simplest of protocols (no FTP), but I'd never want to put users behind one.
Are there any holes in a ACL apart from the fact that there is an implicit allow rather than deny if the ACL is not no the interface?
They're just not flexible enough for many protocols. You may also run into trouble with an attacker playing fragment games. Ryan _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Cisco IOS Robert Purdy (DSL AK) (Dec 09)
- <Possible follow-ups>
- Re: Cisco IOS Ryan Russell (Dec 10)
- Re: Cisco IOS Joe Dauncey (Dec 12)
- Cisco IOS Christopher J. Wargaski (Dec 12)
- Re: Cisco IOS Eric Vyncke (Dec 14)