ACLs vs. full firewalls

Karl Auer kauer at biplane.com.au
Tue Apr 7 22:32:02 UTC 2009


On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> It seems there is a trend towards moving host protection on to the
> hosts themselves, onto or closer to the resource or entity being
> protected. It's basically following the cliche, "If you want something
> to be done properly, you need to do it yourself."

And IPv6 tends to push security back onto hosts, too.

> If you move to the host-based firewalling model, plain packet
> filtering ACLs at the perimeter would be quite an adequate form of a
> first level of defence, while also avoiding the performance overhead
> of (or resources required to perform) stateful tracking of large
> amounts of traffic. 

And a combination of the two - if you *are* performing more complex
checks deeper inside the network, packet filtering can reduce the load
that actually reaches those inner check points.

I'd be interested to hear why people use firewalls. I've never felt the
need, myself - am I living in a fool's paradise?

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
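The division of labour the thread describes (a stateless perimeter ACL thinning traffic before a stateful host firewall does the real per-connection check) can be made concrete. The following is an added example, not code from the post or from any vendor; the two filter classes are deliberately minimal models of a router ACL with an "established"-style rule and of a connection-tracking host firewall, and the addresses and packets are constructed sample traffic from the documentation address ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    direction: str = "in"            # "in" = from outside, "out" = host-originated


class StatelessACL:
    """Model of a perimeter packet filter: one decision per packet, no memory.

    The 'established' rule mimics the classic router ACL keyword: it matches any
    TCP packet carrying ACK or RST, whether or not a connection actually exists.
    """

    def __init__(self, permit_ports, permit_established=True):
        self.permit_ports = set(permit_ports)
        self.permit_established = permit_established

    def permits(self, pkt):
        if pkt.direction == "out":
            return True
        if pkt.proto == "tcp" and pkt.dport in self.permit_ports:
            return True
        if (self.permit_established and pkt.proto == "tcp"
                and pkt.flags & {"ACK", "RST"}):
            return True
        return False


class StatefulFilter:
    """Model of a host firewall with connection tracking.

    Inbound packets are accepted only if they open a permitted service with a
    bare SYN, or if they belong to a flow already in the table.
    """

    def __init__(self, permit_ports):
        self.permit_ports = set(permit_ports)
        self.flows = set()   # (proto, remote_ip, remote_port, local_port)

    def permits(self, pkt):
        if pkt.direction == "out":
            # Host-initiated flow: remember it so the replies are let back in.
            self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
            return True
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.flows:
            return True
        if (pkt.proto == "tcp" and pkt.dport in self.permit_ports
                and pkt.flags == {"SYN"}):
            self.flows.add(key)
            return True
        return False


HOST = "192.0.2.10"   # constructed sample host address

# Constructed sample traffic: one outbound connection and its reply, one real
# client, one ACK-flag probe at SSH, a burst of UDP noise and a SYN at SSH.
SAMPLE_TRAFFIC = [
    Packet("tcp", HOST, 40000, "198.51.100.7", 80, frozenset({"SYN"}), "out"),
    Packet("tcp", "198.51.100.7", 80, HOST, 40000, frozenset({"SYN", "ACK"})),
    Packet("tcp", "203.0.113.5", 51000, HOST, 443, frozenset({"SYN"})),
    Packet("tcp", "203.0.113.9", 52000, HOST, 22, frozenset({"ACK"})),
    *[Packet("udp", "203.0.113.9", 53000 + p, HOST, p) for p in range(1, 51)],
    Packet("tcp", "203.0.113.9", 52001, HOST, 22, frozenset({"SYN"})),
]


def run_layers(traffic, perimeter, host_fw):
    """Push packets through the perimeter ACL (None = no ACL), then the host firewall."""
    counts = {"dropped_at_perimeter": 0, "dropped_at_host": 0, "accepted": 0}
    for pkt in traffic:
        if perimeter is not None and not perimeter.permits(pkt):
            counts["dropped_at_perimeter"] += 1
            continue
        if not host_fw.permits(pkt):
            counts["dropped_at_host"] += 1
            continue
        counts["accepted"] += 1
    return counts


def run_demo():
    """Return (layered counts, host-firewall-only counts) for the sample traffic."""
    layered = run_layers(SAMPLE_TRAFFIC, StatelessACL({443}), StatefulFilter({443}))
    host_only = run_layers(SAMPLE_TRAFFIC, None, StatefulFilter({443}))
    return layered, host_only


if __name__ == "__main__":
    layered, host_only = run_demo()
    print("perimeter ACL + host firewall:", layered)
    print("host firewall only:           ", host_only)
```

Two things are visible in the output. The ACK-flag probe at port 22 passes the perimeter's "established" rule, because a stateless filter cannot tell a genuine reply from a packet that merely has ACK set; only the host's connection table rejects it, which is the argument for keeping the stateful check on the host. At the same time the ACL disposes of the 51 packets that could never have matched anything, so the host firewall does far less tracking work than it would have done on its own.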