Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: "Bill James" <bubbagates () comcast net>
Date: Sat, 3 Jan 2004 18:51:33 -0500
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul Robertson
Sent: Saturday, January 03, 2004 6:11 PM
To: Bill James
Cc: 'David Pick'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

> On Sat, 3 Jan 2004, Bill James wrote:
>
> > The problem with using ACL's is the load they can add to a router. Most
>
> Depends on the router, the rulesets, and what else the router has to do-
> IPSec and VoIP are way worse for a router than access lists generally.
Agreed...
> If you order your rules by traffic volume, you're not likely to cause great
> harm (for instance, acks from Web servers are commonly the highest traffic
> volume and commonly permitted- do a permit for that first, and you're well
> on your way to having a happy router). Most modern IOSs do pretty well at
> fast switching ACL'd traffic.
Agreed again... The case I pointed out was a worst case, but one I have seen in the "real world". It is always best to order the ACL list by volume.
> > of Cisco's newer IOS' have IP Inspection and do OK but can add a
> > tremendous load on the router. I have seen problems with IP Inspection
> > process for smtp on IOS creating issues with the Domino Email server
> > (Lotus Notes) where a PIX and IPTables have no issues at all
>
> IP Inspection is a different animal, and requires different strategies
> than normal access lists. I can't believe that any of the CBAC stuff is
> optimized as well as "normal" access lists.
I believe you are correct on this... case in point is the problem with Lotus versus Exchange, Postfix, Sendmail etc...
> > Logging for a firewall-based router leaves a lot to be desired. I have
>
> If it's being blocked, I'm not sure how important logging is- I suppose it
> depends on your threat profile and paranoia. I've always preferred to
> concentrate on logging things which were high on my threat list,
> preferably off the network directly.
In my normal logging stance... I tend to log only what my clients want, and always off the router to a remote syslog server.
> Router CPUs are woefully poor for hostile environments where CPU is
> needed- which is why access lists have been optimized so much over time.
> However, I've yet to meet a sane environment where adding in extended
> access lists did anything to put a router over its normal operational
> limits.
I may have left you with the wrong impression here... A properly sized and configured router will handle ACLs well... the example I gave is one of those that you do see now and again because the client refuses to spend the needed money to do it correctly.
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
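The ACL-ordering point in this exchange (put the highest-volume permit near the top, but only where that changes no decision) worked through as an added Python example; it is not code from the thread, from Cisco, or from any vendor. It simulates a router's first-match, implicit-deny evaluation over a constructed traffic mix, shows that moving the `established` permit to the very top silently overrides an earlier deny, and then applies a small greedy reorder that only moves a rule ahead of rules it cannot conflict with. Rule names, addresses, ports and packet counts are constructed sample data, and the reorder routine is my own illustration, not an IOS feature.

```python
"""Added example: first-match ACL cost versus rule order, with a safety check.

A router walks an access list top-down, stops at the first matching rule, and
denies anything that matches nothing. Reordering changes per-packet work, and
it changes meaning whenever a rule moves above an overlapping rule of the
opposite action. All addresses, ports and counts below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False            # TCP ACK/RST set: not the first packet of a flow


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # like IOS 'established': ACK/RST packets only

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and (pkt.ack or not self.established))

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules (conservative: the
        'established' flag only narrows a rule, so it is ignored here)."""
        return (("ip" in (self.proto, other.proto) or self.proto == other.proto)
                and ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and (None in (self.dport, other.dport) or self.dport == other.dport))


def evaluate(acl, pkt):
    """Return (action, rules_inspected); implicit deny after the last rule."""
    for depth, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, depth
    return "deny", len(acl)


def average_cost(acl, traffic):
    """Mean number of rules inspected per packet over (packet, count) pairs."""
    total = sum(count for _, count in traffic)
    return sum(evaluate(acl, pkt)[1] * count for pkt, count in traffic) / total


def same_decisions(acl_a, acl_b, traffic):
    """True if both lists permit/deny every sample packet identically."""
    return all(evaluate(acl_a, p)[0] == evaluate(acl_b, p)[0] for p, _ in traffic)


def reorder_by_volume(acl, traffic):
    """Greedy reorder: repeatedly place the unplaced rule with the most hits
    whose blockers (earlier rules of the opposite action that overlap it)
    are already placed, so no packet can change its permit/deny outcome."""
    hits = {rule: 0 for rule in acl}
    for pkt, count in traffic:
        for rule in acl:
            if rule.matches(pkt):
                hits[rule] += count
                break
    blockers = {rule: [p for p in acl[:i] if p.action != rule.action and p.overlaps(rule)]
                for i, rule in enumerate(acl)}
    placed, result = set(), []
    while len(result) < len(acl):
        ready = [r for r in acl if r not in placed and all(b in placed for b in blockers[r])]
        best = max(ready, key=lambda r: hits[r])
        placed.add(best)
        result.append(best)
    return result


# Constructed ACL for traffic leaving the server segment 192.0.2.0/24, written
# in the order an admin might first think of it: policy deny first, the
# high-volume 'established' permit (acks from the web server) last.
ORIGINAL = [
    Rule("block-partner", "deny", "ip", "192.0.2.0/24", "198.51.100.0/24"),
    Rule("dns-out", "permit", "udp", "192.0.2.53/32", "0.0.0.0/0", dport=53),
    Rule("smtp-out", "permit", "tcp", "192.0.2.25/32", "0.0.0.0/0", dport=25),
    Rule("established", "permit", "tcp", "192.0.2.0/24", "0.0.0.0/0", established=True),
]

# Constructed traffic mix as (packet, count); web-server acks dominate.
TRAFFIC = [
    (Packet("tcp", "192.0.2.80", "203.0.113.10", dport=54321, ack=True), 70000),
    (Packet("udp", "192.0.2.53", "203.0.113.53", dport=53), 20000),
    (Packet("tcp", "192.0.2.25", "203.0.113.25", dport=25), 5000),
    (Packet("tcp", "192.0.2.80", "198.51.100.7", dport=443, ack=True), 1000),
    (Packet("tcp", "192.0.2.9", "203.0.113.99", dport=6667), 4000),
]

# Blindly moving 'established' to the very top lets ack packets bypass the deny.
NAIVE = [ORIGINAL[3]] + ORIGINAL[:3]

if __name__ == "__main__":
    safe = reorder_by_volume(ORIGINAL, TRAFFIC)
    print("original:", average_cost(ORIGINAL, TRAFFIC), "rules/packet")
    print("naive   :", average_cost(NAIVE, TRAFFIC), "same decisions:", same_decisions(ORIGINAL, NAIVE, TRAFFIC))
    print("safe    :", average_cost(safe, TRAFFIC), [r.name for r in safe], "same decisions:", same_decisions(ORIGINAL, safe, TRAFFIC))
```

On this sample the original order inspects 3.52 rules per packet, the naive reorder 1.67 but with the partner-network block defeated for ack-bearing packets, and the safe reorder 2.37 with every decision unchanged. The same check applies before any manual reshuffle of a production list: compare outcomes on a representative sample, not just hit counts.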