[fw-wiz] Firewalls v. Router ACLs
WhiteHat_at_btclick.com
Date: 12/11/03
- Previous message: Melson, Paul: "RE: [fw-wiz] No connection once the translation rules are applied"
- Next in thread: Victor B. Williams: "Re: [fw-wiz] Firewalls v. Router ACLs"
- Reply: Victor B. Williams: "Re: [fw-wiz] Firewalls v. Router ACLs"
- Reply: Ben Nagy: "RE: [fw-wiz] Firewalls v. Router ACLs"
- Reply: pedski: "Re: [fw-wiz] Firewalls v. Router ACLs"
- Maybe reply: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Firewalls v. Router ACLs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@nfr.net Date: Thu, 11 Dec 2003 14:48:37 -0000
Hi All,
I hope this is the appropriate forum for my question, and I apologise if not but I am
looking for information and would appreciate any help.
I currently work for a department in a large company. Our department has always
used firewalls (CheckPoint on Nokia) to protect our part of the network from network
worms and other 'nasty stuff' on the rest of the network. Our view is that this
'segmentation' makes it easier to contain any infection. This strategy has been almost
100% successful and we have not been impacted by the numerous network-borne
worms etc. over the years.
We are now being pressurised to remove the firewalls by the rest of the company.
The argument is that using well defined ACLs (with a default 'deny all' statement at
the end) on the the Cisco WAN routers would have the same effect as the current
firewalls. A secondary argument is cost - the router is seen as a one-off purchase
while the Checkpoint software has an annual licence cost. I am trying to gather
evidence of the pros and cons of this approach.
In particular, I am concerned about:
- performance - will the routers be able to manage this as they are designed to route
traffic, not stop it?
- logging - what would be the best way to consolidate the router logs for analysis etc.?
- incident management - if a router is being hammered by a network worm (e.g.
MSBlaster/LovSan), how easy will it be to manage to make any emergency changes
necessary? Won't it be so busy dropping packets it becomes impossible to make the
change?
- future capability - I see the AI-type technologies evolving in firewalls as providing a
useful IPS-type functionality in the future. This will allow more open rule sets but
automated protection if things go wrong. Has anyone successfully implemented this
yet? Can this be enough justification to keep the firewalls?
Does anyone know of any case studies or horror stories of organisations that have
attempted this?
Has anyone had success doing this that they would be willing to share?
Thanks in advance for any help.
Regards
Richard
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Melson, Paul: "RE: [fw-wiz] No connection once the translation rules are applied"
- Next in thread: Victor B. Williams: "Re: [fw-wiz] Firewalls v. Router ACLs"
- Reply: Victor B. Williams: "Re: [fw-wiz] Firewalls v. Router ACLs"
- Reply: Ben Nagy: "RE: [fw-wiz] Firewalls v. Router ACLs"
- Reply: pedski: "Re: [fw-wiz] Firewalls v. Router ACLs"
- Maybe reply: MHawkins_at_TULLIB.COM: "RE: [fw-wiz] Firewalls v. Router ACLs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
