Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: Paul Robertson <proberts () patriot net>
Date: Sat, 3 Jan 2004 18:11:02 -0500 (EST)
On Sat, 3 Jan 2004, Bill James wrote:
> The problem with using ACL's is the load they can add to a router. Most
Depends on the router, the rulesets, and what else the router has to do- IPSec and VoIP are way worse for a router than access lists generally. If you order your rules by traffic volume, you're not likely to cause great harm (for instance, acks from Web servers are commonly the highest traffic volume and commonly permitted- do a permit for that first, and you're well on your way to having a happy router). Most modern IOSs do pretty well at fast switching ACL'd traffic.
> of Cisco's newer IOS' have IP Inspection and do OK but can add a tremendous load on the router. I have seen problems with IP Inspection process for smtp on IOS creating issues with the Domino Email server (Lotus Notes) where a PIX and IPTables have no issues at all
IP Inspection is a different animal, and requires different strategies than normal access lists. I can't believe that any of the CBAC stuff is optimized as well as "normal" access lists.
> Logging for a firewall based router leaves a lot to be desired. I have
If it's being blocked, I'm not sure how important logging is- I suppose it depends on your threat profile and paranoia. I've always preferred to concentrate on logging things which were high on my threat list, preferably off the network directly. Router CPUs are woefully poor for hostile environments where CPU is needed- which is why access lists have been optimized so much over time. However, I've yet to meet a sane environment where adding in extended access lists did anything to put a router over its normal operational limits.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
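Paul's advice to order entries by traffic volume is only safe when a moved entry cannot change which action a packet gets. The following added example (not from the thread; the ACL entries, addresses and hit counts are constructed) reorders a modelled Cisco-style extended ACL by hit count while refusing to move an entry past an overlapping entry with the opposite action, and measures the average number of entries evaluated per packet before and after. It approximates `established` return traffic as a high-port range.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Fields: action (permit/deny), proto (tcp, udp, or ip = any protocol), src/dst
# CIDR prefixes, ports (destination port range), hits (counter from "show ip access-lists").
Rule = namedtuple("Rule", "action proto src dst ports hits")

def overlaps(a, b):
    """True if some packet could match both entries."""
    if "ip" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    if not ip_network(a.src).overlaps(ip_network(b.src)):
        return False
    if not ip_network(a.dst).overlaps(ip_network(b.dst)):
        return False
    return max(a.ports.start, b.ports.start) < min(a.ports.stop, b.ports.stop)

def safe_reorder(rules):
    """Move busy entries earlier, but never past an entry with a different
    action whose match space overlaps: that would change what the ACL does."""
    out = []
    for r in rules:
        pos = len(out)
        while pos > 0 and out[pos - 1].hits < r.hits and not (
                out[pos - 1].action != r.action and overlaps(out[pos - 1], r)):
            pos -= 1
        out.insert(pos, r)
    return out

def decide(rules, proto, src, dst, port):
    """First-match evaluation, ending in the implicit deny."""
    for r in rules:
        if (r.proto in ("ip", proto) and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and port in r.ports):
            return r.action
    return "deny"

def avg_comparisons(rules):
    """Mean number of entries checked per packet, weighted by hit counts."""
    return sum((i + 1) * r.hits for i, r in enumerate(rules)) / sum(r.hits for r in rules)

ANY = range(0, 65536)
# Constructed outbound ACL for the 192.0.2.0/24 segment, with sample hit counts.
RULES = [
    Rule("deny", "ip", "192.0.2.99/32", "0.0.0.0/0", ANY, 40),                      # quarantined host
    Rule("permit", "udp", "192.0.2.53/32", "0.0.0.0/0", range(53, 54), 5000),       # resolver
    Rule("permit", "tcp", "192.0.2.25/32", "0.0.0.0/0", range(25, 26), 8000),       # mail relay
    Rule("permit", "tcp", "192.0.2.0/24", "0.0.0.0/0", range(1024, 65536), 90000),  # web replies (established, approximated by high ports)
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", ANY, 300),                         # explicit deny
]
```

In the sample, the DNS and SMTP permits move ahead of the quarantine deny because their sources do not overlap it, while the high-volume reply entry stays behind it since it covers the quarantined host.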