Firewall Wizards mailing list archives
RE: Firewalls v. Router ACLs
From: Carric Dooley <carric () com2usa com>
Date: Mon, 15 Dec 2003 15:59:27 -0500 (EST)
I agree with Ron. In an ideal world, we build the ideal security model with stateful inspection, consolidated logging and reporting integrated with our IDS and vulnerability data, but in the real world we often run into budget constraints. I have seen some BAD decisions made in the interest of saving a buck however..

Additional things to consider: Are we talking about 150 rule policies, or 30 rule policies? What is the in-house expertise in terms of crafting and maintaining ACLs, and what is the strategy for managing them on multiple routers? It's a mistake to consider just the cost of hardware and licensing, when the way the network is managed will also change. Will you deploy CiscoWorks or ACS? More cost..

I think an open-source solution is viable, and in some ways superior. It will require consciousness on the part of the company of the resources who both build and maintain it however, because if those guys up and leave, you may well have to start over. The problem with "home-grown" is if the knowledge isn't spread around, and there is a lack of documentation, some poor soul will be stuck with: a) figuring it all out and picking up the torch, b) scrapping it in favour of spending MORE cash for the simpler commercial solution with support, c) skulking around hoping that it NEVER fails, and nobody notices that it doesn't seem to be finding any of the new stuff.. an inevitable "poke" waiting to happen.

I would not want to give up a layer of security for sure, and you give up a couple of things going with an ACL-only solution:

1. logging (as you mentioned)
2. management (anyone priced the IOS that lets you SSH to the box?? or do you want to do all this through telnet... >;)
3. better security features like stateful inspection, and the new nifty-keeno application intelligence that everyone is trying to deploy (and I know you can do stateful on the firewall IOS, but again, last I checked, Cisco was not giving it away..).
I don't think it's as black and white as you should do a or b. There is more to consider than "we can still segment the network if we just use ACLs and we won't have to keep shelling out all that jack to Checkpoint". Will the operations guys inherit the management of your security if it goes to the routers?? That's probably not good either, seeing as their main consideration (being that their compensation is often tied to it) is "KEEP IT WORKING", not make it the most secure that it can be. I have seen that nasty evolution as well.. you get a device that runs at 70%-80%+ load 24/7 and has 300 rules that only block about half the traffic they intend to, and considerably less than they should. Sometimes the long term strategy is "we are selling the company in a year, so if it falls apart, it's someone else's problem -- we need to get the stock price up right now so those parachutes are bigger and more laden with booty when we bail", which is something else to consider in my long diatribe about the big picture and corporate vision of how security fits into the enterprise...

Ron: good to see you still kicking around!! =)

On Sat, 13 Dec 2003, R. DuFresne wrote:
This is a very insightful and informative thread, tons of information for people to take into consideration in network design and layout. Which keeps pushing me to one of the fundamental tenets of network security, layering, the ole 'onion skin' approach. And many of the old discussions here and the old firewalls list often emphasized an approach that avoided <what is now the *in vogue* term> monocultural 'single point of failure pathway' into the heart of the protected environment. ACLs in the routers in conjunction with a more traditional firewall layer below would be the proper approach. Perhaps the choice of Nokias can be considered for a replacement, but one has to consider all the aspects of single vendor issues if perhaps popping pixen in there instead <a beancounter's dream?>. The logging alert features alone turn this layer into an IDS as well as another layer of control and packet level refinement. Of course, as I hinted in the beginning, I'm a fundamentalist in this perspective...

What I'm saying is, if a change is required here based upon costs, rather than eliminate a layer of defense, consider a vendor change at that layer that better fits the economic resources available. If the internal knowledge base is open source clueful then you can always go that route to solve this problem, or shift some costs for the short term into training to gain this, better yet, support a growing economy and hire in the expertise and better balance the understaffing most IT departments face.

Thanks,

Ron DuFresne
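The points about logging and stateful inspection in the message above can be made concrete with a small simulation. This is an added illustration, not code from the thread or from any vendor product: it models a router-style stateless ACL that admits return traffic on the "ACK bit set" heuristic, next to a stateful filter that only admits return traffic matching a connection it saw leave, and that records what it drops. All addresses, ports and packets are constructed sample data.

```python
"""Toy packet filter comparing a stateless router ACL with a stateful firewall.

Added illustration (not from the mailing list thread). Addresses, ports and
packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE_NET = "10.0.0."          # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_acl(pkt: Packet) -> str:
    """Router-style ACL: every packet is judged on its own header bits.

    Rule 1: inside hosts may open HTTP connections outbound.
    Rule 2: anything with the ACK bit set may come back in ("established").
    Rule 3: implicit deny.
    """
    if pkt.src.startswith(INSIDE_NET) and pkt.dport == 80:
        return "permit"
    if pkt.dst.startswith(INSIDE_NET) and pkt.ack:
        return "permit"
    return "deny"


class StatefulFilter:
    """Firewall-style filter: remembers connections it let out and only
    admits return traffic that matches one of them. It also keeps a log of
    denied packets, which a plain ACL without logging would not."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()
        self.log: List[str] = []

    def check(self, pkt: Packet) -> str:
        # A fresh outbound HTTP SYN from the inside creates a table entry.
        if (pkt.src.startswith(INSIDE_NET) and pkt.dport == 80
                and pkt.syn and not pkt.ack):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # Inbound traffic must match the reverse of a known connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"
        self.log.append(f"DENY {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                        f"syn={pkt.syn} ack={pkt.ack}")
        return "deny"


def run_scenario() -> dict:
    """Feed the same constructed packets to both filters; return the verdicts
    as (stateless, stateful) pairs plus the stateful filter's deny log."""
    fw = StatefulFilter()
    packets = {
        "outbound_syn": Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
        "reply_synack": Packet("203.0.113.10", 80, "10.0.0.5", 40000,
                               syn=True, ack=True),
        # Unsolicited inbound packet with ACK set: no inside host asked for it.
        "unsolicited_ack": Packet("198.51.100.7", 1234, "10.0.0.9", 22, ack=True),
    }
    results = {}
    for name, pkt in packets.items():
        results[name] = (stateless_acl(pkt), fw.check(pkt))
    results["denied_log"] = list(fw.log)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

Both filters agree on the legitimate outbound request and its reply; they differ on the third packet, which the stateless rule admits because it only sees the ACK bit, while the stateful filter rejects it for lacking a connection entry and leaves a log line behind. That gap, plus the absence of a deny log, is the layer the thread warns against giving up.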