ACLs vs. full firewalls

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Tue Apr 7 21:34:02 UTC 2009


On Tue, 07 Apr 2009 13:05:31 -0700
Michael Helmeste <mhelmest at uvic.ca> wrote:

> Hi all,
>   One of the duties of my current place of employ is reorganizing the
> network. We have a few Catalyst 6500 series L3 switches, but currently
> do all packet filtering (and some routing) using a software based
> firewall. Don't ask me, I didn't design it :)
> 
>   Current security requirements are only based on TCP and non-stateful
> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
> applied on the routed interface of each VLAN. There was some talk of
> using another software based firewall or a Cisco FWSM card to filter
> traffic at the border, mostly for management concerns. We expect full 1
> gig traffic levels today, and 10 gig traffic levels in the future.
> 
>   I view ACLs as being a cheap, easy to administrate solution that
> scales with upgrades to new interface line speeds, where a full stateful
> firewall isn't necessary. However, I wanted to get other opinions of
> what packet filtering solutions people use in the border and in the
> core, and why.
> 

It seems there is a trend towards moving host protection on to the
hosts themselves, onto or closer to the resource or entity being
protected. It's basically following the cliche, "If you want something
to be done properly, you need to do it yourself."

http://www.opengroup.org/jericho/ - they call it "de-perimeterization"

I first came across the idea in this article:

http://www.cs.columbia.edu/~smb/papers/distfw.html

If you move to the host-based firewalling model, plain packet
filtering ACLs at the perimeter would be quite an adequate form of a
first level of defence, while also avoiding the performance overhead
of (or resources required to perform) stateful tracking of large
amounts of traffic.

Regards,
Mark.



>   What's out there, and why do you guys use it? How do you feel about
> the scalability, performance, security, and manageability of your
> solution? What kind of traffic levels do you put through it?
> 
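An added illustration of the trade-off Mark describes (this is constructed example code, not anything from the thread or from Cisco): a per-packet stateless ACL of the kind applied on a VLAN's routed interface, modelled next to a stateful firewall that keeps a flow table. The addresses, ports and rules are made up to mirror the original poster's requirements (TCP plus non-stateful UDP src/dst net/port filtering), and the `established` rule is modelled the way it is commonly understood, as "ACK or RST set". The simulation shows why the stateless version costs nothing per flow, and also why the thread treats it as only a first layer with host firewalls behind it: a stray ACK-flagged segment that belongs to no connection matches the stateless rule but not the flow table.

```python
"""Stateless ACL vs. stateful tracking, reduced to a packet-level simulation.

Constructed example, not code from the NANOG thread. Addresses, ports and
rules are assumptions chosen to mirror the scenario in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.10.0.0/16")   # constructed: the VLAN behind the SVI
WEB_HOST = "10.10.0.5"                # constructed: the one published server


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags as strings, e.g. {"SYN"}


def _inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


# --- Stateless ACL: evaluated per packet, keeps no memory between packets ---
def stateless_acl(pkt: Packet) -> bool:
    """Models an extended ACL filtering traffic toward the hosts on the VLAN.
    Each line below stands for one ACL entry; the final return is the
    implicit deny. 'established' is modelled as ACK or RST set."""
    if pkt.proto == "tcp" and _inside(pkt.dst) and pkt.flags & {"ACK", "RST"}:
        return True                   # permit tcp any INSIDE established
    if pkt.proto == "tcp" and pkt.dst == WEB_HOST and pkt.dport == 443:
        return True                   # permit tcp any host WEB_HOST eq 443
    if pkt.proto == "udp" and pkt.sport == 53 and _inside(pkt.dst):
        return True                   # permit udp any eq 53 INSIDE (DNS replies)
    return False                      # implicit deny ip any any


# --- Stateful firewall: remembers flows initiated from inside ---------------
class StatefulFirewall:
    def __init__(self) -> None:
        self.flows = set()            # one entry per tracked 5-tuple; grows with traffic

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def outbound(self, pkt: Packet) -> None:
        """Inside -> outside: record the flow so its reply can come back."""
        self.flows.add(self._key(pkt))

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside: permit only replies to tracked flows, plus the
        one published service (the same exception the ACL carries)."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True
        return pkt.proto == "tcp" and pkt.dst == WEB_HOST and pkt.dport == 443


def compare(outbound, inbound):
    """Run both filters over the same traffic; return per-packet verdicts
    (stateless, stateful) and the size of the flow table afterwards."""
    fw = StatefulFirewall()
    for p in outbound:
        fw.outbound(p)
    verdicts = [(stateless_acl(p), fw.inbound(p)) for p in inbound]
    return verdicts, len(fw.flows)


# Constructed traffic sample (documentation-range addresses).
DEMO_OUT = [
    Packet("tcp", "10.10.0.50", 40000, "198.51.100.7", 80, frozenset({"SYN"})),
    Packet("udp", "10.10.0.50", 50000, "198.51.100.53", 53),
]
DEMO_IN = [
    Packet("tcp", "198.51.100.7", 80, "10.10.0.50", 40000, frozenset({"SYN", "ACK"})),  # real reply
    Packet("udp", "198.51.100.53", 53, "10.10.0.50", 50000),                            # DNS reply
    Packet("tcp", "203.0.113.9", 5555, WEB_HOST, 443, frozenset({"SYN"})),              # published service
    Packet("tcp", "203.0.113.9", 1234, "10.10.0.60", 22, frozenset({"ACK"})),           # ACK with no flow
    Packet("tcp", "203.0.113.9", 1234, "10.10.0.60", 22, frozenset({"SYN"})),           # new inbound SYN
    Packet("udp", "203.0.113.9", 53, "10.10.0.60", 5000),                               # UDP from port 53, no flow
]


def demo():
    return compare(DEMO_OUT, DEMO_IN)


if __name__ == "__main__":
    verdicts, nflows = demo()
    for p, (acl, fw) in zip(DEMO_IN, verdicts):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ACL={acl}  stateful={fw}")
    print(f"stateless memory: 0 entries; stateful table: {nflows} entries")
```

The two filters agree on the legitimate replies and on the published service. They differ on the last three packets: the stateless ACL has no way to tell a reply from any other packet that merely carries the ACK flag or a source port of 53, while the stateful firewall pays for that precision with one table entry per flow, which is exactly the per-flow cost that becomes expensive at 1 and 10 gig.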