ACLs vs. full firewalls
Justin M. Streiner
streiner at cluebyfour.org
Tue Apr 7 20:44:45 UTC 2009
On Tue, 7 Apr 2009, Michael Helmeste wrote:
> Current security requirements are only based on TCP and non-stateful
> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
> applied on the routed interface of each VLAN. There was some talk of
> using another software based firewall or a Cisco FWSM card to filter
> traffic at the border, mostly for management concerns. We expect full 1
> gig traffic levels today, and 10 gig traffic levels in the future.
The FWSM can handle 1 Gb/s but not 10. The connection between the FWSM
and the backplane is a 6x1 Gig Etherchannel, and the published max
throughput is about 5.5 Gb/s, but I've never stressed one to more than
about 35% of that in a production environment.
The only Cisco firewalls that I'm awre of today that are rated to 10 Gb/s
or more are the ASA 5580-20 and 5580-40, but how suitable they'd be for
you depends very much on our design goals, including how complex your
firewall rules and service policies will be. You might also be able
to shoe-horn an ASR into this role. Other considerations include
functional support for IPv6, long term support strategy/development
roadmap, whether you need to support VPN traffic directly on your
firewall, etc... Cisco seems to be moving away from IPSEC for remote
access VPNs and pushing people toward SSL.
There are some other interesting offerings from Juniper/Netscreen, Palo
Alto, and others, unless you're specifically married to Cisco gear.
> I view ACLs as being a cheap, easy to administrate solution that
> scales with upgrades to new interface line speeds, where a full stateful
> firewall isn't necessary. However, I wanted to get other opinions of
> what packet filtering solutions people use in the border and in the
> core, and why.
ACLs can be used as part of a 'defense in depth' strategy, though if you
need stateful filtering, their utility might be somewhat limited. If
there is traff that you know you don't care about, you can block it with
an ACL and save the resources on your firewall. Just remember that those
same ACLs can complicate your troubleshooting efforts when something does
break.
jms
More information about the NANOG
mailing list