ACLs vs. full firewalls

Eric Gauthier eric at roxanne.org
Tue Apr 7 21:18:06 UTC 2009


Michael,

Do you have logging or audit requirements to your filters?
We use ACLs almost everywhere for non-stateful filtering, but
there are a few locations (e.g. HIPAA) that require an
audit trail which is perhaps better accomplished by a firewall.

Eric :)


On Tue, Apr 07, 2009 at 01:05:31PM -0700, Michael Helmeste wrote:
> Hi all,
>   One of the duties of my current place of employ is reorganizing the
> network. We have a few Catalyst 6500 series L3 switches, but currently
> do all packet filtering (and some routing) using a software based
> firewall. Don't ask me, I didn't design it :)
> 
>   Current security requirements are only based on TCP and non-stateful
> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
> applied on the routed interface of each VLAN. There was some talk of
> using another software based firewall or a Cisco FWSM card to filter
> traffic at the border, mostly for management concerns. We expect full 1
> gig traffic levels today, and 10 gig traffic levels in the future.
> 
>   I view ACLs as being a cheap, easy to administrate solution that
> scales with upgrades to new interface line speeds, where a full stateful
> firewall isn't necessary. However, I wanted to get other opinions of
> what packet filtering solutions people use in the border and in the
> core, and why.
> 
>   What's out there, and why do you guys use it? How do you feel about
> the scalability, performance, security, and manageability of your
> solution? What kind of traffic levels do you put through it?
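To make the trade-off in this thread concrete, here is an added, constructed Catalyst 6500 IOS configuration showing what "ACLs on the routed interface of each VLAN" looks like for the TCP and non-stateful UDP src/dst net/port filtering Michael describes, with the `log` keyword standing in for the audit trail Eric raises. This is not configuration from either poster; every address, VLAN number and ACL name is hypothetical.

```cisco
! Constructed example (not from the thread): VLAN 10 carries a server subnet,
! hypothetically 10.10.0.0/24, filtered on the SVI with extended ACLs, i.e.
! stateless src/dst net/port matching programmed into the 6500's TCAM.

! Traffic entering the router FROM the server VLAN: let the servers answer
! existing TCP sessions and query a resolver; log everything else.
ip access-list extended SRV10-FROM-VLAN
 remark "established" only matches ACK or RST set, it keeps no session state
 permit tcp 10.10.0.0 0.0.0.255 any established
 remark DNS queries to the hypothetical resolver 10.0.0.53
 permit udp 10.10.0.0 0.0.0.255 host 10.0.0.53 eq 53
 remark "log" is the closest a plain ACL gets to an audit trail
 deny   ip any any log

! Traffic leaving the router TOWARD the server VLAN: web from anywhere, SSH
! only from the hypothetical admin subnet 10.0.1.0/24. UDP replies can only
! be matched by port range, since a stateless filter has no notion of "reply".
ip access-list extended SRV10-TO-VLAN
 permit tcp any 10.10.0.0 0.0.0.255 eq 80
 permit tcp any 10.10.0.0 0.0.0.255 eq 443
 permit tcp 10.0.1.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 22
 permit udp host 10.0.0.53 eq 53 10.10.0.0 0.0.0.255 gt 1023
 deny   ip any any log

interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group SRV10-FROM-VLAN in
 ip access-group SRV10-TO-VLAN out

! Keep a scan from turning the deny-log line into a syslog flood.
ip access-list log-update threshold 1000
logging rate-limit 10
```

Two caveats worth checking before adopting this. `established` works for TCP only; the `gt 1023` line for DNS answers is exactly the kind of hole a stateful firewall closes, because the ACL cannot tell a reply from a fresh flow to a high port. And on the 6500 family, packets matching an ACE carrying `log` are handled by the supervisor's software path rather than forwarded purely in hardware (unless optimized ACL logging is available and enabled on the platform), so the audit trail comes at the cost of the line-rate filtering that made ACLs attractive in the first place; that is the reason the logging requirement, not the filtering requirement, tends to decide between ACLs and a firewall.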




More information about the NANOG mailing list