nanog mailing list archives

Re: ACLs vs. full firewalls


From: Michael Helmeste <mhelmest () uvic ca>
Date: Tue, 07 Apr 2009 15:29:27 -0700

While there are no specific audit requirements, overall traffic auditing
(not just for dropped packets) is definitely something I'm considering.
One way of gathering this data without using a firewall would seem to be
netflow; I don't think netflow specifically calls out (or even shows?)
traffic blocked by ACLs though, which could be a point for consideration.

Eric Gauthier wrote:
Michael,

Do you have logging or audit requirements to your filters?
We use ACLs almost everywhere for non-stateful filtering, but
there are a few locations (e.g. HIPAA) that require an
audit trail which is perhaps better accomplished by a firewall.

Eric :)
[...]

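As an added example (not from this thread or either poster), one way to get the audit trail for ACL-dropped traffic that NetFlow will not show: entries with the `log` keyword on Cisco IOS emit `%SEC-6-IPACCESSLOGP` syslog messages, which can be parsed and aggregated into per-flow denied counts. The syslog lines, ACL name and addresses below are constructed, and the exact field layout is assumed from IOS and may differ on other platforms.

```python
import re
from collections import Counter

# Assumed Cisco IOS layout for a log-enabled ACL hit on tcp/udp:
#   %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packets
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Apr  7 15:20:01 edge1 12: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.5(40212) -> 192.0.2.10(22), 1 packet
Apr  7 15:25:02 edge1 13: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.5(40213) -> 192.0.2.10(22), 37 packets
Apr  7 15:25:03 edge1 14: %SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 198.51.100.7(51000) -> 192.0.2.10(443), 1 packet
Apr  7 15:26:10 edge1 15: %SEC-6-IPACCESSLOGP: list EDGE-IN denied udp 203.0.113.9(5060) -> 192.0.2.11(5060), 4 packets
Apr  7 15:26:11 edge1 16: some unrelated syslog line that must be ignored
"""


def parse_acl_log(text):
    """Return one dict per line that matches the ACL log format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])  # IOS reports a packet count per summary interval
            events.append(ev)
    return events


def denied_summary(events):
    """Aggregate denied packet counts per (acl, proto, src, dst, dport) flow key.

    Source ports are deliberately dropped from the key so retries from
    ephemeral ports collapse into one audit record per target service.
    """
    totals = Counter()
    for ev in events:
        if ev["action"] == "denied":
            totals[(ev["acl"], ev["proto"], ev["src"], ev["dst"], ev["dport"])] += ev["count"]
    return totals


if __name__ == "__main__":
    for key, n in sorted(denied_summary(parse_acl_log(SAMPLE_LOG)).items()):
        acl, proto, src, dst, dport = key
        print(f"{acl}: {proto} {src} -> {dst}:{dport} denied {n} packets")
```

IOS logs the first matching packet and then only periodic summaries (and rate-limits logging under load), so these counts are an approximation of what was dropped, not a per-packet record.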
