nanog mailing list archives
Re: ACLs vs. full firewalls
From: Karl Auer <kauer () biplane com au>
Date: Wed, 08 Apr 2009 08:32:02 +1000
On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> It seems there is a trend towards moving host protection on to the hosts themselves, onto or closer to the resource or entity being protected. It's basically following the cliche, "If you want something to be done properly, you need to do it yourself."
And IPv6 tends to push security back onto hosts, too.
> If you move to the host-based firewalling model, plain packet filtering ACLs at the perimeter would be quite an adequate form of a first level of defence, while also avoiding the performance overhead of (or resources required to perform) stateful tracking of large amounts of traffic.
And a combination of the two - if you *are* performing more complex checks deeper inside the network, packet filtering can reduce the load that actually reaches those inner check points.
I'd be interested to hear why people use firewalls. I've never felt the need, myself - am I living in a fool's paradise?
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer () biplane com au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF