Firewall Wizards mailing list archives

RE: Firewalls v. Router ACLs


From: MHawkins () TULLIB COM
Date: Sat, 13 Dec 2003 08:46:01 -0500

hi there,

It is important to remember to turn off console logging and not to log all
your ACL entries.

If you do leave console logging on, you can cause the console port to
overflow and also, on Cisco routers, every console character is a processor
interrupt. So thousands of ACL logs per second can ratchet your processor
utilization up high enough to make it almost useless.

Having said that, ACLs on most routers are easily capable of dropping at
high rates. The ACL is generally applied to the actual physical interface,
which means that the packets can be dropped in hardware (PLC chips or
other). In my experience, ACLs can and do regularly outperform any software
router such as CheckPoint.

But CheckPoint AI and NG have far superior higher-level packet inspection
than ACLs (which have none). CheckPoint's MAD (Malicious Activity Detection,
now called SmartDefense) is far superior to Cisco's PIX. CheckPoint has
implemented protection against many more attacks than the PIX (yes, PIX does
protect against several). But CheckPoint kicks in when you start looking at
their WORM catcher, which is fully programmable by the user. And further,
when you enable HTTP header detection you can start blocking and controlling
Kazaa, IM and others very well indeed.

But you gotta ask yourself: am I using these firewalls to protect against
those threats?

I note that none of the preceding emails on this topic make mention of the
risk analysis that you should be doing as part of your decision-making
process.

Your risk analysis would have to include examining the assets that you are
protecting and examining the expected threats. Determine the qualitative and
quantitative costs that would be incurred if your threats were to compromise
your systems (and by what methods) and determine how much money you are
willing to apply to the security problem in order to protect your assets
from those threats.

I would suggest that if you examine the threats that are likely to exist and
"attack" your network from WITHIN your company (i.e. on the other side of
your firewall), then ACLs will do the job very nicely indeed.

First, they provide basic user (host or network) restrictions on where they
can get to inside your network.
Second, they provide protection against worms and other unknown attacks from
new viruses by applying the "no access except what I permit" paradigm.

They don't provide all the fancy client VPN, client authentication, specific
worm catching etc. of higher-end firewalls, but you don't need that anyway.

One note: if this firewall connects to the Internet then keep it. ACLs are
NOT enough to protect from the threats that exist on the Internet.

Mike H
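A small model of the first-match, default-deny ACL discussed in this message, added here as an example; it is not code from the post, from Cisco or from CheckPoint. The entry fields stand in for IOS extended-ACL semantics (first match wins, implicit deny at the end, a per-entry log flag), and the addresses, published services and the burst of port-135 probes are all constructed for the example. It shows why the final catch-all deny, not every entry, should carry the log keyword: the same burst of 1,000 worm probes against a silently dropped port produces a single log line in one configuration and a thousand in the other, while legitimate traffic and genuinely unexpected connections are treated identically in both.

```python
"""First-match ACL model with per-entry logging (added example, not code
from the mailing-list post).  Entry syntax, addresses, services and the
replayed traffic burst are constructed for the example."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR; "0.0.0.0/0" plays the role of 'any'
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False            # stands in for the IOS 'log' keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


class Acl:
    """Ordered entries, first match wins; a packet that matches nothing
    hits the implicit deny, which never produces a log line."""

    def __init__(self, name: str, entries: List[Entry]):
        self.name = name
        self.entries = entries
        self.log_lines: List[str] = []
        self.hits: Dict[int, int] = {}   # entry index -> match count

    def evaluate(self, pkt: Packet) -> str:
        for i, e in enumerate(self.entries):
            if e.matches(pkt):
                self.hits[i] = self.hits.get(i, 0) + 1
                if e.log:
                    self.log_lines.append(
                        f"list {self.name} {e.action} {pkt.proto} "
                        f"{pkt.src} -> {pkt.dst}({pkt.dport})")
                return e.action
        return "deny"


DEPT = "10.20.0.0/16"   # constructed department range behind the WAN router
ANY = "0.0.0.0/0"


def build_wan_in_acl(log_every_entry: bool = False) -> Acl:
    """'No access except what I permit': two published services, a silent
    drop for the RPC port MSBlaster spread on (TCP 135), and an explicit,
    logged catch-all deny at the end."""
    return Acl("WAN-IN", [
        Entry("permit", "tcp", ANY, "10.20.1.10/32", 25, log=log_every_entry),
        Entry("permit", "tcp", ANY, "10.20.1.20/32", 80, log=log_every_entry),
        Entry("deny", "tcp", ANY, DEPT, 135, log=log_every_entry),
        Entry("deny", "ip", ANY, ANY, log=True),
    ])


def simulate(worm_packets: int, log_every_entry: bool) -> Dict[str, int]:
    """Replay a constructed burst of port-135 probes from one infected host
    plus three other packets; return permit/drop/log-line counts."""
    acl = build_wan_in_acl(log_every_entry)
    traffic = [Packet("tcp", "10.30.4.7",
                      f"10.20.{(i // 250) % 256}.{i % 250 + 1}", 135)
               for i in range(worm_packets)]
    traffic += [
        Packet("tcp", "10.30.4.8", "10.20.1.10", 25),   # legitimate mail
        Packet("tcp", "10.30.4.8", "10.20.1.20", 80),   # legitimate web
        Packet("tcp", "10.30.4.8", "10.20.5.5", 22),    # unexpected: hits the catch-all
    ]
    verdicts = [acl.evaluate(p) for p in traffic]
    return {
        "permitted": verdicts.count("permit"),
        "dropped": verdicts.count("deny"),
        "logged": len(acl.log_lines),
    }


if __name__ == "__main__":
    for flag in (False, True):
        label = "log on every entry" if flag else "log on catch-all only"
        print(label, simulate(1000, flag))
```

Run it directly to print both configurations side by side. The dedicated, unlogged deny for the worm port is the practical trick: the catch-all still records anything you did not anticipate (the SSH attempt to a workstation), but a storm against a port you already know you are blocking costs forwarding work only, not logging work, which is the condition under which the console-interrupt problem described above stays harmless.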

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of pedski
Sent: Friday, December 12, 2003 8:15 PM
To: WhiteHat () btclick com
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Firewalls v. Router ACLs


I have to agree on the ACL... we are doing the ACL with routers very
successfully... the firewall in your WAN segment complicates your
environment...

You will save money, and yes, the routers can handle it... as a fact, the
routers in my environment are protecting the CheckPoint on Nokia because
the CheckPoint can't handle the worm blocking...

We have about 15,000 users, and yes, we were hit hard by the virus... we
contained it with ACLs.


WhiteHat () btclick com wrote:

Hi All,

I hope this is the appropriate forum for my question, and I apologise if
not, but I am looking for information and would appreciate any help.

I currently work for a department in a large company. Our department has
always used firewalls (CheckPoint on Nokia) to protect our part of the
network from network worms and other 'nasty stuff' on the rest of the
network. Our view is that this 'segmentation' makes it easier to contain
any infection. This strategy has been almost 100% successful and we have
not been impacted by the numerous network-borne worms etc. over the years.

We are now being pressurised to remove the firewalls by the rest of the
company. The argument is that using well defined ACLs (with a default
'deny all' statement at the end) on the Cisco WAN routers would have the
same effect as the current firewalls. A secondary argument is cost - the
router is seen as a one-off purchase while the Checkpoint software has an
annual licence cost. I am trying to gather evidence of the pros and cons
of this approach.

In particular, I am concerned about:
- performance - will the routers be able to manage this as they are
designed to route traffic, not stop it?
- logging - what would be the best way to consolidate the router logs for
analysis etc.?
- incident management - if a router is being hammered by a network worm
(e.g. MSBlaster/LovSan), how easy will it be to manage to make any
emergency changes necessary? Won't it be so busy dropping packets it
becomes impossible to make the change?
- future capability - I see the AI-type technologies evolving in firewalls
as providing a useful IPS-type functionality in the future. This will allow
more open rule sets but automated protection if things go wrong. Has anyone
successfully implemented this yet? Can this be enough justification to keep
the firewalls?

Does anyone know of any case studies or horror stories of organisations
that have attempted this?

Has anyone had success doing this that they would be willing to share?

Thanks in advance for any help.

Regards
      Richard

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

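The original post in this thread asks how to consolidate router logs for analysis and how to cope with a router being hammered by a worm. The following is an added example, not code from anyone in the thread: once the routers send their ACL messages to a syslog host, a short script over that file answers the incident-management question (which hosts are scanning, on which port, how hard) without touching the busy router at all. The log lines are constructed for the example in the shape of the IOS `%SEC-6-IPACCESSLOGP` message (list name, action, protocol, `src(port) -> dst(port)`, packet count) with a syslog hostname and sequence/timestamp prefix in front; IOS logs the first matching packet and then periodic summaries carrying a packet count, and the regular expression accepts both. It deliberately handles only the TCP/UDP-with-ports variant of the message, so ICMP and other-protocol ACL messages in a real export would be skipped.

```python
"""Top-talker and scanner summary from Cisco IOS ACL deny messages
(added example, not code from the thread).  SAMPLE_LOG is constructed;
only the TCP/UDP IPACCESSLOGP message shape is parsed."""

import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample, in the shape of ACL messages after syslog export.
SAMPLE_LOG = """\
Dec 13 08:40:01 wan-rtr-1 201: *Dec 13 08:40:01.101: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.4.7(1027) -> 10.20.0.15(135), 1 packet
Dec 13 08:40:01 wan-rtr-1 202: *Dec 13 08:40:01.244: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.4.7(1028) -> 10.20.0.16(135), 1 packet
Dec 13 08:40:02 wan-rtr-1 203: *Dec 13 08:40:02.017: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.4.7(1029) -> 10.20.0.17(135), 1 packet
Dec 13 08:40:03 wan-rtr-1 204: *Dec 13 08:40:03.390: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.9.2(3301) -> 10.20.0.15(135), 1 packet
Dec 13 08:40:03 wan-rtr-1 205: *Dec 13 08:40:03.512: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.9.2(3302) -> 10.20.0.16(135), 1 packet
Dec 13 08:40:04 wan-rtr-1 206: *Dec 13 08:40:04.008: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.9.2(3303) -> 10.20.0.16(4444), 1 packet
Dec 13 08:40:05 wan-rtr-1 207: *Dec 13 08:40:05.771: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.4.8(40112) -> 10.20.5.5(22), 1 packet
Dec 13 08:40:06 wan-rtr-1 208: *Dec 13 08:40:06.002: %SEC-6-IPACCESSLOGP: list WAN-IN permitted tcp 10.30.4.8(40113) -> 10.20.1.10(25), 1 packet
Dec 13 08:40:07 wan-rtr-1 209: *Dec 13 08:40:07.119: %SEC-6-IPACCESSLOGP: list WAN-IN denied udp 10.30.4.7(1031) -> 10.20.0.19(69), 3 packets
Dec 13 08:41:12 wan-rtr-1 210: *Dec 13 08:41:12.630: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Dec 13 08:45:01 wan-rtr-1 211: *Dec 13 08:45:01.044: %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 10.30.4.7(1030) -> 10.20.0.18(135), 214 packets
"""

# Anchored on the message tag, so any syslog prefix in front is ignored.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_line(line: str) -> Optional[dict]:
    """One record per ACL message, or None for anything else in the log."""
    m = LOG_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denied_packets_by_source(records: List[dict]) -> Counter:
    """Packets dropped per source, using the count carried by summaries."""
    totals: Counter = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[r["src"]] += r["count"]
    return totals


def find_scanners(records: List[dict],
                  min_targets: int = 2) -> List[Tuple[str, str, int, int, int]]:
    """Sources whose denied traffic hit several distinct hosts on the same
    port: (src, proto, dport, distinct targets, packets), busiest first."""
    targets: Dict[tuple, set] = defaultdict(set)
    packets: Counter = Counter()
    for r in records:
        if r["action"] != "denied":
            continue
        key = (r["src"], r["proto"], r["dport"])
        targets[key].add(r["dst"])
        packets[key] += r["count"]
    found = [(src, proto, dport, len(hosts), packets[(src, proto, dport)])
             for (src, proto, dport), hosts in targets.items()
             if len(hosts) >= min_targets]
    found.sort(key=lambda row: (-row[3], -row[4], row[0]))
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("denied packets by source:", denied_packets_by_source(recs).most_common())
    for src, proto, dport, n_hosts, n_pkts in find_scanners(recs):
        print(f"{src} probed {n_hosts} hosts on {proto}/{dport} ({n_pkts} packets)")
```

The scanner heuristic (one source, one destination port, many destination hosts) is exactly the footprint of a worm like MSBlaster sweeping TCP 135, and it ranks the host with 214 summarised packets above the one that only touched two neighbours, so the list doubles as a cleanup queue for the desktop team while the router keeps dropping.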