ACLs vs. full firewalls

Ravi Pina ravi at cow.org
Wed Apr 15 11:45:09 CDT 2009


On Wed, Apr 08, 2009 at 08:32:02AM +1000, Karl Auer wrote:
> On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> > It seems there is a trend towards moving host protection on to the
> > hosts themselves, onto or closer to the resource or entity being
> > protected. It's basically following the cliche, "If you want something
> > to be done properly, you need to do it yourself."
> 
> And IPv6 tends to push security back onto hosts, too.
> 
> > If you move to the host-based firewalling model, plain packet
> > filtering ACLs at the perimeter would be quite an adequate form of a
> > first level of defence, while also avoiding the performance overhead
> > of (or resources required to perform) stateful tracking of large
> > amounts of traffic. 
> 
> And a combination of the two - if you *are* performing more complex
> checks deeper inside the network, packet filtering can reduce the load
> that actually reaches those inner check points.

Which would address my concern of just passing along the [D]DOS to the
host.  Mitigating attacks at the border and letting the hosts allow
what they specifically need is a good model.

> I'd be interested to hear why people use firewalls. I've never felt the
> need, myself - am I living in a fool's paradise?

By your email I'll assume you've never had to deal with HIPPA[1] or
SOx[2].  That aside I see a value in using a stateful FW that does
packet inspection to validate the type of traffic over a certain port
should really be there.

-r


[1] http://en.wikipedia.org/wiki/HIPPA
[2] http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act






More information about the NANOG mailing list