Firewall Wizards mailing list archives

RE: Firewalls v. Router ACLs


From: Carric Dooley <carric () com2usa com>
Date: Mon, 15 Dec 2003 15:59:27 -0500 (EST)


I agree with Ron. In an ideal world, we build the ideal security model
with stateful inspection, consolidated logging and reporting integrated
with our IDS and vulnerability data, but in the real world we often run
into budget constraints. I have seen some BAD decisions made in the
interest of saving a buck however..

Additional things to consider: Are we talking about 150 rule policies, or
30 rule policies? What is the in-house expertise in terms of crafting and
maintaining ACLs, and what is the strategy for managing them on multiple
routers? It's a mistake to consider just the cost of hardware and
licensing, when the way the network is managed will also change. Will you
deploy CiscoWorks or ACS? More cost..

I think an open-source solution is viable, and in some ways superior. It
will require consciousness on the part of the company of the resources
who both build and maintain it however, because if those guys up and
leave, you may well have to start over. The problem with "home-grown" is
if the knowledge isn't spread around, and there is a lack of
documentation, some poor soul will be stuck with: a) figuring it all out
and picking up the torch, b) scrapping it in favour of spending MORE cash
for the simpler commercial solution with support, c) skulking around hoping
that it NEVER fails, and nobody notices that it doesn't seem to be finding
any of the new stuff.. an inevitable "poke" waiting to happen.

I would not want to give up a layer of security for sure, and you give up
a couple of things going with an ACL-only solution:

1. logging (as you mentioned)

2. management (anyone priced the IOS that lets you SSH to the box?? or do
you want to do all this through telnet... >;)

3. better security features like stateful inspection, and the new
nifty-keeno application intelligence that everyone is trying to deploy
(and I know you can do stateful on the firewall IOS, but again, last I
checked, Cisco was not giving it away..).

I don't think it's as black and white as you should do a or b. There is
more to consider than "we can still segment the network if we just use
ACLs and we won't have to keep shelling out all that jack to Checkpoint".
Will the operations guys inherit the management of your security if it goes
to the routers?? That's probably not good either, seeing as their main
consideration (being that their compensation is often tied to it) is "KEEP
IT WORKING", not make it the most secure that it can be. I have seen that
nasty evolution as well.. you get a device that runs at 70%-80%+ load 24/7
and has 300 rules that only block about half the traffic they intend to,
and considerably less than they should.

Sometimes the long term strategy is "we are selling the company in a year,
so if it falls apart, it's someone else's problem -- we need to get the
stock price up right now so those parachutes are bigger and more laden
with booty when we bail", which is something else to consider in my long
diatribe about the big picture and corporate vision of how security fits
into the enterprise...

Ron: good to see you still kicking around!! =)

On Sat, 13 Dec 2003, R. DuFresne wrote:

This is a very insightful and informative thread, tons of information for
people to take into consideration in network design and layout.  Which keeps
pushing me to one of the fundamental tenets of network security,
layering, the ole 'onion skin' approach.  And many of the old discussions
here and the old firewalls list often emphasized an approach that avoided
<what is now the *in vogue* term> monocultural 'single point of failure
pathway' into the heart of the protected environment.  ACLs in the
routers in conjunction with a more traditional firewall layer below would
be the proper approach.  Perhaps the choice of Nokia's can be considered
for a replacement, but one has to consider all the aspects of single
vendor issues if perhaps popping pixen in there instead <a beancounter's
dream?>.  The logging alert features alone turn this layer into an IDS as
well as another layer of control and packet level refinement.  Of course,
as I hinted in the beginning, I'm a fundamentalist in this perspective...


What I'm saying is, if a change is required here based upon costs, rather
than eliminate a layer of defense, consider a vendor change at that layer
that better fits the economic resources available.  If the internal
knowledge base is open source clueful then you can always go that route
to solve this problem, or shift some costs for the short term into
training to gain this, better yet, support a growing economy and hire in
the expertise and better balance the understaffing most IT departments
face.


Thanks,

Ron DuFresne

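As an added illustration of point 3 in Carric's list (stateful inspection), and not code from the thread or from any vendor: a small simulation comparing a stateless router ACL that treats the TCP ACK bit as a proxy for "established" against a filter that keeps a real connection table. The addresses, ports and packets are constructed samples; the inside network is assumed to be 10.0.0.0/8.

```python
# Added example, not part of the original thread: stateless ACL with an
# "established"-style ACK-bit check versus a stateful connection table.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_inside(ip: str) -> bool:
    # Assumption: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")


def stateless_permit(pkt: Packet) -> bool:
    """Stateless rule: outbound always allowed; inbound allowed whenever the
    ACK bit is set, because a router ACL has no memory of earlier packets."""
    if is_inside(pkt.src):
        return True
    return pkt.ack


class StatefulFilter:
    """Stateful rule: inbound allowed only if it matches a flow that an inside
    host opened (SYN without ACK) earlier."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def permit(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for each packet."""
    sf = StatefulFilter()
    return [(stateless_permit(p), sf.permit(p)) for p in packets]


# Constructed sample traffic: an outbound SYN, its legitimate SYN/ACK reply,
# and an unsolicited inbound segment that merely has the ACK bit set.
SAMPLE = [
    Packet("10.1.1.5", 40000, "198.51.100.7", 80, syn=True, ack=False),
    Packet("198.51.100.7", 80, "10.1.1.5", 40000, syn=True, ack=True),
    Packet("203.0.113.9", 55555, "10.1.1.8", 445, syn=False, ack=True),
]
```

The third packet is accepted by the stateless rule but rejected by the connection table, which is the gap the post is pointing at.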


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards