[fw-wiz] Switch ACL vs Firewall

We have some consultants from a Large San Fran Networking company performing
a network architecture redesign and they are telling us that we should
not use Firewalls but rather use Switch ACLs. Their point is that Switch
ACLs do the same thing as firewalls if used in conjunction with a layered
security model that uses Network IPS, Layer 7 Firewalls, and Host IPS. I
find this point difficult to argue, but from a conceptually secure design
standpoint, I am not comfortable with their approach. I feel that they are
saying to use Switch ACLs because they want us to stay inside the chassis,
because they want us to buy their security products. Again, I am not
comfortable with this, but I have to prove that this is significantly flawed,
otherwise this network design will move forward.

Some other information you might find useful:

- Speed and Availability are ranked higher than Security. However,
  security is very important to the overall design.
- All application tiers are physically segmented (e.g. Web,
  Middle Tier, Back Office).
- There will be two aggregation points within this design:
  - Router Agg - combines all Internet POPs.
  - Network Agg - all application traffic will traverse these Layer 3
    points in order to communicate with the other App Tier.
  - The network aggregation points may or may not communicate (I am
    guessing they will because of the availability requirement).
  - If a route is set up wrong, the middle tier or back end network
    segments could be put on the Internet because they have traffic
    routing to an aggregation point.
- Each application tier will have its own security depending on
  Risk Level (this is where they want to put Switch ACLs).
- Firewalls will be implemented on the Internet POPs. However, switch
  ACLs will be used to segment traffic between Mid-Tier and Back End.
- Not all traffic is HTTP, as some is Web Services or socket.

Maybe I am being sensitive and am completely off base, but I don't think so.
Please let me know your thoughts on this.

firewall-wizards mailing list
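An added illustration, not from the post or the list, of the distinction a reviewer of this design would want on the table: a switch ACL is stateless, so its return-traffic rule can only key on the ACK bit ("established"), whereas a firewall tracks flows and admits a reply only when a permitted connection opened it. The model below assumes segment names web/mid/back, a simplified "established" match, and the Web-to-Mid-Tier policy as a constructed example.

```python
from collections import namedtuple

ACK, SYN = 0x10, 0x02  # TCP flag bits

# Constructed packet model: segment names, TCP ports and flags only.
Packet = namedtuple("Packet", "src dst dport sport flags")

class SwitchACL:
    """Stateless: each packet judged alone; 'established' only tests the ACK bit
    (assumption: no flow table, as on a typical hardware switch ACL)."""
    def __init__(self, rules):
        self.rules = rules  # (src, dst, dport or None, established) -> permit
    def allow(self, p):
        for src, dst, dport, established in self.rules:
            if (src, dst) != (p.src, p.dst):
                continue
            if dport is not None and p.dport != dport:
                continue
            if established and not p.flags & ACK:
                continue
            return True
        return False  # implicit deny

class StatefulFirewall:
    """Stateful: a reply passes only if a permitted SYN opened the flow."""
    def __init__(self, policy):
        self.policy = policy  # {(src, dst, dport)} allowed to initiate
        self.flows = set()    # (src, dst, sport, dport) of open connections
    def allow(self, p):
        if p.flags & SYN and not p.flags & ACK:  # new connection attempt
            ok = (p.src, p.dst, p.dport) in self.policy
            if ok:
                self.flows.add((p.src, p.dst, p.sport, p.dport))
            return ok
        # anything else must belong to an open flow, in either direction
        return ((p.src, p.dst, p.sport, p.dport) in self.flows
                or (p.dst, p.src, p.dport, p.sport) in self.flows)

def scenario():
    """Policy: Web may open TCP/8080 to Mid-Tier, nothing else. Returns verdicts."""
    acl = SwitchACL([("web", "mid", 8080, False),  # web -> mid:8080
                     ("mid", "web", None, True)])  # return traffic: ACK bit set
    fw = StatefulFirewall({("web", "mid", 8080)})
    syn = Packet("web", "mid", 8080, 40000, SYN)
    synack = Packet("mid", "web", 40000, 8080, SYN | ACK)
    stray = Packet("mid", "web", 22, 1234, ACK)  # ACK set, no handshake behind it
    return {name: (d.allow(syn), d.allow(synack), d.allow(stray))
            for name, d in (("acl", acl), ("fw", fw))}
```

The ACL passes all three packets because the stray one carries the ACK bit; the firewall passes the handshake but drops the stray packet, since no flow exists for it. That gap is what the IPS layers in the consultants' model would have to cover.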