RE: Comparisons between Router ACLs and Firewalls

["Bill James" <bubbagates () comcast net>]

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Paul Robertson
> Sent: Saturday, January 03, 2004 6:11 PM
> To: Bill James
> Cc: 'David Pick'; firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls 
>
> On Sat, 3 Jan 2004, Bill James wrote:
>
> > The problem with using ACL's is the load they can add to a router. 
> > Most
>
> Depends on the router, the rulesets, and what else the router 
> has to do- IPSec and VoIP are way worse for a router than 
> access lists generally.

Agreed...

> If you order your rules by traffic volume, you're not likely 
> to case great harm (for instance, acks from Web servers are 
> commonly the highest traffic volume and commonly permitted- 
> do a permit for that first, and you're well on your way to 
> having a happy router.  Most modern IOSs do pretty well at 
> fast switching ACL'd traffic.

Agreed again..The case I pointed out was a worse case but one I have
seen in the "real world". It's is always best to order the ACL list by
volume
 
> > of Cisco's newer IOS' have IP Inspection and do OK but can add a 
> > tremendous load on the router. I have seen problems with IP 
> Inspection 
> > process for smtp on IOS creating issues with the Domino 
> Email server 
> > (Lotus Notes) where a PIX and IPTables have no issues at all
>
> IP Inspection is a different animal, and requires different 
> strategies than normal access lists. I can't believe that any 
> of the CBAC stuff is optimized as well as "normal" access lists.

I believe you are correct on this...case in point is the problem with
Lotus versus Exhcnage, Postfix, Sendmail etc...

> > Logging for a firewall based router leaves allot to be 
> desired. I have
>
> If it's being blocked, I'm not sure how important logging is- 
> I suppose it depends on your threat profile and paranoia.  
> I've always preferred to concentrate on logging things which 
> were high on my threat list, preferably off the network directly.

In my normal logging stance...I tend to log only what my clients want
and always off the router to a remote syslog server

> Router CPUs are woefully poor for hostile environments where CPU is
> needed- which is why access lists have been optimized so much 
> over time.
> However, I've yet to meet a sane environment where adding in 
> extended access lists did anything to put a router over its 
> normal operational limits.

I may have left you with the wrong impression here... A properly sized
and configure router will handle ACL well...the example I gave is one of
those that you do see now and again because the client refuses to spend
the need money to do it correctly

> Paul
> --------------------------------------------------------------
> ---------------
> Paul D. Robertson      "My statements in this message are 
> personal opinions
> proberts () patriot net      which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment 
> TruSecure Corporation _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards