[fw-wiz] Switch ACL vs Firewall

We have some consultants from a Large San Fran Networking company performing
a network architecture redesign and they are telling us that we should
not use Firewalls but rather use Switch ACLs. Their point is that Switch
ACLs do the same thing as firewalls if used in conjunction with a layered
security model that uses Network IPS, Layer 7 Firewalls, and Host IPS. I
find this point difficult to argue, but from a conceptually secure design, I
am not comfortable with their approach. I feel that they are saying to
use Switch ACLs because they want us to stay inside the chassis because
they want us to buy their security products. Again, I am not comfortable
with this, but I have to prove that this is significantly flawed, otherwise
this network design will move forward.

Some other information you might find useful:

- Speed and Availability are ranked higher than Security - However,
  security is very important to the overall design
- All application tiers are physically stitched segmented (e.g. Web,
  Middle Tier, Back Office)
- There will be two aggregation points within this design:
  - Router Agg - Combine all Internet POPs
  - Network Agg - All Application traffic will traverse through
    these Layer 3 points in order to communicate to the other App Tier
  - The network Aggregation points may or may not communicate (I
    am guessing they will because of the availability requirement)
  - If a route is set up wrong, the middle tier or back end
    network segments could be put on the Internet because they
    have traffic routing to an aggregation point
- Each application tier will have its own security depending on
  Risk Level (This is where they want to put Switch ACLs)
- Firewalls will be implemented on the Internet POPs. However, switch
  ACLs will be used to segment traffic between Mid-Tier and Back End
- Not all traffic is HTTP as some are Web Services or socket

Maybe I am being sensitive and am completely off base, but I don't think so.
Please let me know your thoughts on this.
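The core difference the post is circling around is that a switch ACL evaluates each packet on its own, while a firewall tracks sessions. The following toy model, added here and not part of the original post or any vendor product, runs constructed Mid-Tier to Back End traffic through both; every address, port and host in it is hypothetical.

```python
# Added illustration, not from the original post: a toy model of a stateless
# switch ACL between Mid-Tier and Back End beside a stateful firewall.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:                       # constructed 5-tuple plus TCP flags
    src: str; sport: int; dst: str; dport: int; syn: bool; ack: bool

BACK_END = "10.2.0."             # constructed back-end segment prefix
DB = ("10.2.0.10", 1433)         # the one back-end service mid-tier may reach

def into_back_end(p):
    return p.dst.startswith(BACK_END) and not p.src.startswith(BACK_END)

def stateless_acl(p):
    """Per-packet ACL with no memory: to let back-end hosts get replies to
    sessions they open it permits any ACK-set packet ('established')."""
    if not into_back_end(p):
        return "permit"
    if (p.dst, p.dport) == DB:
        return "permit"
    if p.ack:                    # cannot tell a reply from an unsolicited packet
        return "permit"
    return "deny"

class StatefulFirewall:
    """Permits replies only for sessions a back-end host actually opened."""
    def __init__(self):
        self.sessions = set()
    def check(self, p):
        if not into_back_end(p):
            if p.syn and not p.ack:   # back-end host opening a session
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        if (p.dst, p.dport) == DB:
            return "permit"
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"
        return "deny"

# Constructed traffic: a back-end host calls a mid-tier web service, the reply
# returns, then an unsolicited packet with ACK set arrives at another host.
TRAFFIC = [
    Pkt("10.2.0.20", 40000, "10.1.0.5", 8080, syn=True, ack=False),
    Pkt("10.1.0.5", 8080, "10.2.0.20", 40000, syn=True, ack=True),
    Pkt("10.1.0.99", 4444, "10.2.0.30", 22, syn=False, ack=True),
]
def evaluate(traffic=TRAFFIC):   # (acl_verdict, firewall_verdict) per packet
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.check(p)) for p in traffic]
```

Both policies pass the legitimate session and its reply; only the stateful firewall refuses the third packet, because no back-end host opened a session it could belong to.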

firewall-wizards mailing list
