[fw-wiz] Comparisons between Router ACLs and Firewalls

Date: 12/18/03

  • Next message: auto92089_at_hushmail.com: "[fw-wiz] denycomm, blocks IPs 4 different ways"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 17 Dec 2003 19:30:15 -0500

    I'm an undergraduate student studying computer engineering and do not possess
    the expertise I'm sure you all do, so I came here to get some help.

    This post is related to and inspired by the post (and responses) titled
    "Firewalls vs. Router ACLs" posted by Richard here:

    I'm looking to compare the use of router ACLs versus firewalls in enforcing
    network security. If you could provide me with the pros and cons of using each
    method I would be most grateful. Please spare NO details or thoughts of your own.

    Further, I've come up with some possible points of comparison between the two
    methods. Please inject thoughts of your own on which method is better for each

    - Performance: what are the performance capabilities of each method and how does
    the throughput compare?

    - Logging capabilities: how effective is the logging done by each method? How
    much of a network manager's ability to monitor incoming and outgoing packets is
    lost if firewall logging is dropped? How effectively can network managers
    monitor traffic with only router ACLs?

    - Manageability: how easily can each system be maintained and updated? Does the
    ACL grow too unwieldy once it grow large and hamper the ability to expand it?
    Does the GUI of popular firewall software provide an attraction to using
    firewalls over ACLs?

    - Cost: routers are a one-time purchase, whereas firewall fees are ongoing? How
    do the cost of popular products compare? What are the drawbacks of sacrificing
    performance for cost? For a limited budget, which is the preferred method?

    - Fundamental purpose: routers are designed to route traffic, not stop it,
    whereas firewalls are designed to examine and accept/reject traffic. Do these
    fundamental differences hamper the ability of router ACLs to perform accurately?

    - Ability to enforce policies: firewalls dig deeper into the packets (stateful
    inspection), unlike router ACLs, which don't examine as deeply. How does this
    hinder abilities to enforce policies?

    - Incident management: how easily can either system perform while the victim of
    an attack?

    - Which of the two or what structure of a combination of the two would you
    recommend for an enterprise network?
    - What conclusions can you draw on one method over the other or on using both
    - What recommendations would you make to a large corporation looking to
    modernize their security policy and integrate their connectivity and security areas?

    As I'm learning about the two technologies, I thought I'd come to the source. I
    was pretty happy when I came across this mailing list and the "Firewalls vs.
    Router ACLs" post I referred to. Any help is extremely appreciated.

    Thank you,
    Scott McLeod.

    This mail sent through www.mywaterloo.ca
    firewall-wizards mailing list

  • Next message: auto92089_at_hushmail.com: "[fw-wiz] denycomm, blocks IPs 4 different ways"

    Relevant Pages

    • Req: Networking Firewall / Network Security Consultant
      ... Networking Firewall / Network Security Consultant ... Working knowledge of NetScreen firewalls and NSM. ... Very strong ability ...
    • RE: [fw-wiz] Firewalls v. Router ACLs
      ... people to take in consideration in network design and layout. ... here and the old firewalls list often emphasized an approach that avoided ... The logging alert features alone turn this layer into a IDS as ... > An appropriately sized router will not have any performance problems. ...
    • [fw-wiz] IDS/IPS and LOGS
      ... nasty behavior is happening on your network (where your network is ... easily turn your IPS into a big denial of service attack. ... My guess is that most of the Worlds firewalls and IDS/IPS only have half ... I noticed that there is a big emphasis on log parsing while there should ...
    • Re: Establish persistant outbound connection for covert application
      ... which firewalls are running etc.) and then communicate its ... the actual network layer. ... They do have 2 network interfaces in case I want to chain them between a PC ... They also have a wireless interface so I can hook into the machine if I am ...
    • Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)
      ... but today's firewalls let too much stuff back ... > why people feel they need to compromise. ... Last spring we completely re-engineered the network for a large school ... All these segments are set up on separate VLANs and communicate with each ...