RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Paul Robertson (proberts_at_patriot.net)
Date: 01/04/04

To: Bill James <bubbagates@comcast.net>
Date: Sat, 3 Jan 2004 18:11:02 -0500 (EST)

On Sat, 3 Jan 2004, Bill James wrote:

> The problem with using ACL's is the load they can add to a router. Most

Depends on the router, the rulesets, and what else the router has to do-
IPSec and VoIP are way worse for a router than access lists generally.

If you order your rules by traffic volume, you're not likely to cause great
harm (for instance, acks from Web servers are commonly the highest traffic
volume and commonly permitted- do a permit for that first, and you're well
on your way to having a happy router). Most modern IOSs do pretty well at
fast switching ACL'd traffic.

> of Cisco's newer IOS' have IP Inspection and do OK but can add a
> tremendous load on the router. I have seen problems with IP Inspection
> process for smtp on IOS creating issues with the Domino Email server
> (Lotus Notes) where a PIX and IPTables have no issues at all
>

IP Inspection is a different animal, and requires different strategies
than normal access lists. I can't believe that any of the CBAC stuff is
optimized as well as "normal" access lists.

> Logging for a firewall based router leaves a lot to be desired. I have

If it's being blocked, I'm not sure how important logging is- I suppose it
depends on your threat profile and paranoia. I've always preferred to
concentrate on logging things which were high on my threat list,
preferably off the network directly.

Router CPUs are woefully poor for hostile environments where CPU is
needed- which is why access lists have been optimized so much over time.
However, I've yet to meet a sane environment where adding in extended
access lists did anything to put a router over its normal operational
limits.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
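
As an added illustration of the rule-ordering point in the message above (not part of the original post), here is an IOS extended ACL for a hypothetical edge router that puts the high-volume permit for the web servers' return traffic first, keeps logging on the low-volume deny only, and uses the per-entry match counters to confirm the ordering. The 203.0.113.0/24 addresses and the interface name are constructed for the example.

```cisco
! Added example, not from the message. Addresses are constructed (RFC 5737 documentation space).
! An ACL is evaluated top-down with first match wins, so the entry that matches the
! most packets should sit at the top; every packet that reaches a lower entry has
! already cost a comparison against each entry above it.
ip access-list extended EDGE-OUT
 remark Highest volume: web servers replying to already-established client sessions
 permit tcp 203.0.113.0 0.0.0.255 eq www any established
 remark Lower volume: outbound DNS lookups from the internal resolver
 permit udp host 203.0.113.53 any eq domain
 remark Everything else is dropped. The log keyword sends matching packets to the
 remark slower process path on many IOS releases, so keep it on low-volume entries only.
 deny ip any any log
!
interface Serial0/0
 ip access-group EDGE-OUT out
!
! Check: the per-entry match counters show which lines actually carry the traffic.
! If a lower entry accumulates far more matches than the entries above it, move it
! up, as long as it does not leapfrog an overlapping deny that was meant to catch it.
! show ip access-lists EDGE-OUT
```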

