Firewall Wizards mailing list archives
RE: Firewalls v. Router ACLs
From: MHawkins () TULLIB COM
Date: Sat, 13 Dec 2003 08:46:01 -0500
Hi there,

It is important to remember to turn off console logging and do not log all your ACL entries. If you do leave console logging on, you can cause the console port to overflow and also, on Cisco routers, every console character is a processor interrupt. So thousands of ACL logs per second can ratchet your processor utilization up high enough to make it almost useless.

Having said that, ACLs on most routers are easily capable of dropping at high rates. The ACL is generally applied to the actual physical interface, which means that the packets can be dropped in hardware (PLC chips or other). In my experience, ACLs can and do regularly outperform any software router such as CheckPoint.

But CheckPoint AI and NG have far superior higher-level packet inspection than ACLs (which have none). CheckPoint's MAD (malicious activity detection, now called SmartDefense) is far superior to Cisco's PIX. CheckPoint has implemented protection against many more attacks than the PIX (yes, PIX does protect against several). But CheckPoint kicks in when you start looking at their WORM catcher, which is fully programmable by the user. And further, when you enable HTTP header detection you can start blocking and controlling Kazaa, IM and others very well indeed.

But you gotta ask yourself, am I using these firewalls to protect against those threats? I note that none of the preceding emails on this topic make mention of the risk analysis that you should be doing as part of your decision-making process. Your risk analysis would have to include examining the assets that you are protecting and examining the expected threats. Determine the qualitative and quantitative costs that would be incurred if your threats were to compromise your systems (and by what methods) and determine how much money you are willing to apply to the security problem in order to protect your assets from those threats.
I would suggest that if you examine the threats that are likely to exist and "attack" your network from WITHIN your company (i.e. but on the other side of your firewall), then ACLs will do the job very nicely indeed. First, they provide basic user (host or network) restrictions on where they can get to inside your network. Second, they provide protection against worms and other unknown attacks from new virii by applying the "no access except what I permit" paradigm. They don't provide all the fancy client VPN, client authentication, specific worm catching etc. of higher-end firewalls, but you don't need that anyway.

One note: if this firewall connects to the Internet then keep it. ACLs are NOT enough to protect from the threats that exist on the Internet.

Mike H

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of pedski
Sent: Friday, December 12, 2003 8:15 PM
To: WhiteHat () btclick com
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Firewalls v. Router ACLs

I have to agree on the ACL... we are doing the ACL with router very successfully... the firewall in your swan ement complicates your environment... you will save money and yes the routers can handle it... as a fact the routers in my environment are protecting the CheckPoint on Nokia because the CheckPoint can't handle the worm blocking. We have about 15,000 users and yes we were hit hard by the virus... we contained it with ACL.

WhiteHat () btclick com wrote:
Hi All,

I hope this is the appropriate forum for my question, and I apologise if not, but I am looking for information and would appreciate any help.

I currently work for a department in a large company. Our department has always used firewalls (CheckPoint on Nokia) to protect our part of the network from network worms and other 'nasty stuff' on the rest of the network. Our view is that this 'segmentation' makes it easier to contain any infection. This strategy has been almost 100% successful and we have not been impacted by the numerous network-borne worms etc. over the years.

We are now being pressurised to remove the firewalls by the rest of the company. The argument is that using well-defined ACLs (with a default 'deny all' statement at the end) on the Cisco WAN routers would have the same effect as the current firewalls. A secondary argument is cost - the router is seen as a one-off purchase while the Checkpoint software has an annual licence cost.

I am trying to gather evidence of the pros and cons of this approach. In particular, I am concerned about:

- performance - will the routers be able to manage this as they are designed to route traffic, not stop it?
- logging - what would be the best way to consolidate the router logs for analysis etc.?
- incident management - if a router is being hammered by a network worm (e.g. MSBlaster/LovSan), how easy will it be to manage to make any emergency changes necessary? Won't it be so busy dropping packets that it becomes impossible to make the change?
- future capability - I see the AI-type technologies evolving in firewalls as providing a useful IPS-type functionality in the future. This will allow more open rule sets but automated protection if things go wrong. Has anyone successfully implemented this yet? Can this be enough justification to keep the firewalls?

Does anyone know of any case studies or horror stories of organisations that have attempted this? Has anyone had success doing this that they would be willing to share?

Thanks in advance for any help.

Regards
Richard

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
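As an added illustration (not configuration posted by anyone in this thread), here is a Cisco IOS fragment that applies the "deny everything except what I permit" interface ACL Mike describes, with console logging off and ACL hits sent to a syslog collector under a rate limit so a worm storm cannot starve the CPU; addresses, interface and ACL names are placeholders:

```cisco
! Added example, not from the thread. All addresses/names are placeholders.
!
! Never log ACL hits to the console: each console character is a CPU
! interrupt. Keep a local buffer and ship everything to a syslog host,
! which also answers the "how do we consolidate router logs" question.
no logging console
logging buffered 16384 informational
logging host 192.0.2.10
logging trap informational
! Cap log generation (messages/second) so a worm cannot flood the CPU
! with "list DEPT-IN denied" messages; errors are still delivered.
logging rate-limit 100 except errors
!
ip access-list extended DEPT-IN
 remark Only what the department needs from the rest of the company.
 permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.20 eq 25
 permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.21 eq 443
 permit udp host 10.0.0.5 host 10.1.1.53 eq 53
 remark A stateless ACL also sees replies to sessions the department
 remark opened outbound; a stateful firewall tracks these for you,
 remark here the established keyword (ACK/RST set) has to stand in.
 permit tcp any 10.1.0.0 0.0.255.255 established
 remark Worm traffic such as MSBlaster on TCP/135 falls through to here.
 remark "log" only on the final deny, never on every entry.
 deny ip any any log
!
interface Serial0/0
 description WAN link to the rest of the company
 ip access-group DEPT-IN in
```

During an outbreak, `show access-lists DEPT-IN` shows the per-entry hit counters without the cost of per-packet logging, which is the safer way to gauge what the final deny is catching while the router is busy.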