RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Paul Robertson (proberts_at_patriot.net)
Date: 01/04/04

  • Next message: Dale W. Carder: "Re: [fw-wiz] Comparisons between Router ACLs and Firewalls"
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sat, 3 Jan 2004 18:39:51 -0500 (EST)
    
    

    On Sat, 3 Jan 2004, Marcus J. Ranum wrote:

    > I've never found any good studies of ACL performance. Do you have any
    > references you can point us to?

    Cisco used to publish some "can do $foo access lists without impact" stuff
    with certain models. If we're lucky, maybe Brian will see this and post
    some pointers.

    The not-normal-ACL stuff carries a heavy penalty - as the extended ACL
    stuff does if you want silicon switching - I did a whole look at the
    switching methods versus performance stuff a while back when writing
    TruSecure's router essential config guide - and for almost everything (AIR,
    there were two cards on one model where things sucked) you didn't get into
    trouble until you had more rules than sense. I think I left most of the
    switching mode stuff out of the document in the end, because it just
    confused people.

    Now, send packets *to* the router, or send packets where the router has to
    go to CPU land to process them, and things get significantly different
    (which is why you really want to ACL off your routers from the rest of the
    world.)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
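
    The last point in the post, ACLing the router itself off from the rest of the world so that only transit traffic hits the fast path, is the idea behind an infrastructure ACL. The fragment below is an added example and is not from the post or from TruSecure's guide; the addresses (203.0.113.1 for the router's edge interface, 192.0.2.0/24 as the management network) and the interface name are assumptions chosen for illustration.

    ```cisco
    ! Added example: protect the router's own address from the outside world
    ! while leaving transit traffic untouched. Addresses are assumed placeholders.
    ip access-list extended PROTECT-ROUTER
     remark Management network (assumed 192.0.2.0/24) may reach the router itself
     permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1 eq 22
     permit icmp 192.0.2.0 0.0.0.255 host 203.0.113.1 echo
     remark Everything else aimed *at* the router is dropped before it reaches the CPU
     deny ip any host 203.0.113.1
     remark Transit traffic (not addressed to the router) stays on the switching path
     permit ip any any
    !
    interface GigabitEthernet0/0
     ip address 203.0.113.1 255.255.255.0
     ip access-group PROTECT-ROUTER in
    ```

    The ordering matters: the narrow permits for management come first, the deny for the router's own address follows, and the final `permit ip any any` keeps the list short so the per-packet cost stays low. After applying it, `show ip interface GigabitEthernet0/0` confirms the list is attached inbound, `show ip access-lists PROTECT-ROUTER` shows which entries are matching, and `show processes cpu` lets you check whether packets are still being punted to the CPU.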

