Re: [fw-wiz] Firewalls v. Router ACLs
From: Victor B. Williams (vbwilliams_at_essvote.net)
Date: 12/12/03
- Previous message: Aram Smith: "[fw-wiz] IPSEC Traffic blocked?"
- In reply to: WhiteHat_at_btclick.com: "[fw-wiz] Firewalls v. Router ACLs"
- Next in thread: Ben Nagy: "RE: [fw-wiz] Firewalls v. Router ACLs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: WhiteHat@btclick.com
Date: Fri, 12 Dec 2003 09:43:09 -0600 (CST)
My main reply to that would be that firewalls are BUILT to log, as
well as handle the potentially large amount of traffic, and filter
based on their ruleset.
I don't know of a router that is ever equipped with enough CPU power
and memory to handle (and by handle, I mean to inspect, forward or
drop) a large amount of junk traffic...which is often what you get
coming through routers with these worms, trojans, and viruses. A
firewall is specifically designed to look at this traffic at a
different level and decide what to do with it (where to send it).
Also, regarding the logging function...I know of no affordable Cisco
router that will give you the log detail of a comparably-priced Cisco
PIX firewall. In this instance, they are two completely separate
devices aimed at two completely separate functions. Routers are just
that...used to ROUTE traffic, not examine and filter it. Firewalls
are just that...there to partition off or protect certain traffic from
hitting certain destinations. Both devices share some common
attributes...such as Cisco PIX firewalls now supporting dynamic
routing at some level and supporting VLANs. But the firewall is still
a specialized product, as is the router. They each have a specific
purpose, and they fulfill that purpose BETTER than any other
*alternative*.
WhiteHat@btclick.com said:
> Hi All,
>
> I hope this is the appropriate forum for my question, and I apologise
> if not, but I am looking for information and would appreciate any help.
>
> I currently work for a department in a large company. Our department
> has always used firewalls (CheckPoint on Nokia) to protect our part of
> the network from network worms and other 'nasty stuff' on the rest of
> the network. Our view is that this 'segmentation' makes it easier to
> contain any infection. This strategy has been almost 100% successful
> and we have not been impacted by the numerous network-borne worms etc.
> over the years.
>
> We are now being pressurised to remove the firewalls by the rest of
> the company. The argument is that using well defined ACLs (with a
> default 'deny all' statement at the end) on the Cisco WAN routers
> would have the same effect as the current firewalls. A secondary
> argument is cost - the router is seen as a one-off purchase while the
> Checkpoint software has an annual licence cost. I am trying to gather
> evidence of the pros and cons of this approach.
>
> In particular, I am concerned about:
> - performance - will the routers be able to manage this as they are
> designed to route traffic, not stop it?
> - logging - what would be the best way to consolidate the router logs
> for analysis etc.?
> - incident management - if a router is being hammered by a network
> worm (e.g. MSBlaster/LovSan), how easy will it be to manage to make
> any emergency changes necessary? Won't it be so busy dropping packets
> it becomes impossible to make the change?
> - future capability - I see the AI-type technologies evolving in
> firewalls as providing a useful IPS-type functionality in the future.
> This will allow more open rule sets but automated protection if things
> go wrong. Has anyone successfully implemented this yet? Can this be
> enough justification to keep the firewalls?
>
> Does anyone know of any case studies or horror stories of
> organisations that have attempted this?
>
> Has anyone had success doing this that they would be willing to share?
>
> Thanks in advance for any help.
>
> Regards
> Richard
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
"Real men don't even use monitors! I've just got a guy that can draw
real fast."
Victor Williams
Network Architect
Election Systems & Software
http://www.essvote.com
vbwilliams@essvote.net
(402) 970-1100
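The router-ACL approach Richard asks about, written out as an added Cisco IOS example (not from either poster): an extended ACL with an explicit logging deny at the end, applied inbound on the WAN interface, with logs shipped to a central syslog host for consolidation. The interface name, the department subnet 192.0.2.0/24, the host addresses and the syslog collector 198.51.100.10 are assumed placeholders.

```cisco
! Added example: ACL-based filtering on a Cisco IOS WAN router.
! 192.0.2.0/24 (department), 198.51.100.10 (syslog collector) and the
! interface name are assumed placeholders, not values from the thread.
!
! Ship logs off-box so they can be consolidated and analysed centrally;
! the router's own log buffer is small and is lost on reload.
logging host 198.51.100.10
logging trap informational
logging source-interface Loopback0
service timestamps log datetime msec localtime show-timezone
!
ip access-list extended WAN-IN
 ! Return traffic for TCP sessions the department initiated. This is a
 ! stateless check on the ACK/RST bits, not a connection table: any
 ! packet with those bits set is admitted, whereas a stateful firewall
 ! would drop it if it belongs to no known session.
 permit tcp any 192.0.2.0 0.0.0.255 established
 ! Services the department actually exposes to the rest of the company.
 permit tcp any host 192.0.2.25 eq smtp
 permit tcp any host 192.0.2.80 eq www
 ! Explicit entry for TCP 135, the RPC/DCOM port MSBlaster/LovSan used,
 ! so its drops are counted and logged separately from the catch-all.
 deny   tcp any any eq 135 log
 ! Default deny. Matches on 'log' / 'log-input' entries are handled by
 ! the router CPU rather than the forwarding path, so under a worm
 ! flood this line is where the router loses the headroom needed to
 ! accept emergency configuration changes (Richard's third concern).
 deny   ip any any log-input
!
interface Serial0/0
 description WAN link to corporate
 ip access-group WAN-IN in
```

Per-entry hit counters (`show access-list WAN-IN`) and the syslog messages from the `log` entries are the whole of the detail a plain router ACL gives you, which is the logging gap Victor points at.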