ACLs vs. full firewalls
Michael Helmeste
mhelmest at uvic.ca
Tue Apr 7 22:29:27 UTC 2009
While there are no specific audit requirements, overall traffic auditing
(not just for dropped packets) is definitely something I'm considering.
One way of gathering this data without using a firewall would seem to be
netflow; I don't think netflow specifically calls out (or even shows?)
traffic blocked by ACLs though, which could be a point for consideration.
Eric Gauthier wrote:
> Michael,
>
> Do you have logging or audit requirements for your filters?
> We use ACLs almost everywhere for non-stateful filtering, but
> there are a few locations (e.g. HIPAA) that require an
> audit trail which is perhaps better accomplished by a firewall.
>
> Eric :)
> [...]
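To make concrete what a NetFlow export actually carries for auditing purposes, here is an added example (not from the post or the NANOG thread) that decodes a NetFlow v5 datagram into per-flow records. The datagram is constructed inline, and the record layout has no field stating whether an ACL permitted or denied the flow, which is the gap Michael raises.

```python
import socket
import struct
from typing import Dict, List

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 fixed
# 48-byte flow records, all fields in network byte order.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
RECORD_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets",
                 "octets", "first", "last", "sport", "dport", "pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")

def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Decode one NetFlow v5 export datagram into a list of flow dicts.
    Note there is no accept/deny field: the exporter only reports flows
    it accounted, so ACL-dropped traffic needs a separate log source."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header count exceeds records present")
    flows = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flow = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            flow[key] = socket.inet_ntoa(flow[key])
        del flow["pad1"], flow["pad2"]
        flows.append(flow)
    return flows

def build_sample_datagram() -> bytes:
    """Constructed two-flow v5 datagram (sample data, not a real capture)."""
    ip = socket.inet_aton
    header = struct.pack(HEADER_FMT, 5, 2, 100000, 1239143367, 0, 1, 0, 0, 0)
    # 10.0.0.5:51000 -> 192.0.2.10:443, TCP, 12 packets / 9000 bytes
    rec1 = struct.pack(RECORD_FMT, ip("10.0.0.5"), ip("192.0.2.10"), ip("10.0.0.1"),
                       1, 2, 12, 9000, 90000, 95000, 51000, 443, 0, 0x1b, 6, 0,
                       0, 0, 24, 24, 0)
    # 10.0.0.7:40000 -> 198.51.100.2:53, UDP, 1 packet / 76 bytes
    rec2 = struct.pack(RECORD_FMT, ip("10.0.0.7"), ip("198.51.100.2"), ip("10.0.0.1"),
                       1, 2, 1, 76, 96000, 96000, 40000, 53, 0, 0, 17, 0,
                       0, 0, 24, 24, 0)
    return header + rec1 + rec2
```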