ACLs vs. full firewalls

TJ trejrco at gmail.com
Wed Apr 15 15:22:34 UTC 2009


MS is doing something very Jericho'ish with "DirectAccess" ... very loosely,
"Automagic IPsec + IPv6 (via Teredo when needed) + AD-based auth"
(MS's previous step was SDI (Server Domain Isolation))


/TJ


>-----Original Message-----
>From: Mark Smith
>[mailto:nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org]
>Sent: Tuesday, April 07, 2009 5:34 PM
>To: Michael Helmeste
>Cc: nanog at nanog.org
>Subject: Re: ACLs vs. full firewalls
>
>On Tue, 07 Apr 2009 13:05:31 -0700
>Michael Helmeste <mhelmest at uvic.ca> wrote:
>
>> Hi all,
>>   One of the duties of my current place of employ is reorganizing the
>> network. We have a few Catalyst 6500 series L3 switches, but currently
>> do all packet filtering (and some routing) using a software based
>> firewall. Don't ask me, I didn't design it :)
>>
>>   Current security requirements are only based on TCP and non-stateful
>> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
>> applied on the routed interface of each VLAN. There was some talk of
>> using another software based firewall or a Cisco FWSM card to filter
>> traffic at the border, mostly for management concerns. We expect full
>> 1 gig traffic levels today, and 10 gig traffic levels in the future.
>>
>>   I view ACLs as being a cheap, easy to administrate solution that
>> scales with upgrades to new interface line speeds, where a full
>> stateful firewall isn't necessary. However, I wanted to get other
>> opinions of what packet filtering solutions people use in the border
>> and in the core, and why.
>>
>
>It seems there is a trend towards moving host protection on to the hosts
>themselves, onto or closer to the resource or entity being protected. It's
>basically following the cliche, "If you want something to be done properly,
>you need to do it yourself."
>
>http://www.opengroup.org/jericho/ - they call it "de-perimeterization"
>
>I first came across the idea in this article:
>
>http://www.cs.columbia.edu/~smb/papers/distfw.html
>
>If you move to the host-based firewalling model, plain packet filtering
>ACLs at the perimeter would be quite an adequate form of a first level of
>defence, while also avoiding the performance overhead of (or resources
>required to perform) stateful tracking of large amounts of traffic.
>
>Regards,
>Mark.
>
>
>
>>   What's out there, and why do you guys use it? How do you feel about
>> the scalability, performance, security, and manageability of your
>> solution? What kind of traffic levels do you put through it?
>>
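The per-VLAN stateless ACL design Michael describes, as an added illustration that is not from the thread: the VLAN number, the 10.10.0.0/24 server subnet and the 10.20.0.0/24 management subnet are assumed, and the TCP `established` and explicit UDP port-pair entries show what a non-stateful filter has to spell out that a stateful firewall would track for you.

```cisco
! Added example, not from the NANOG thread. Assumed: VLAN 10 = 10.10.0.0/24
! (servers), 10.20.0.0/24 = management network, IOS on a Catalyst 6500.
ip access-list extended VLAN10-IN
 remark Packets entering the switch from VLAN 10 hosts
 remark Anti-spoofing: only VLAN 10 addresses may source traffic here
 permit tcp 10.10.0.0 0.0.0.255 any
 permit udp 10.10.0.0 0.0.0.255 any eq domain
 permit udp 10.10.0.0 0.0.0.255 any eq ntp
 deny   ip any any log
!
ip access-list extended VLAN10-OUT
 remark Packets leaving the switch toward VLAN 10 hosts
 permit tcp any 10.10.0.0 0.0.0.255 eq 80
 permit tcp any 10.10.0.0 0.0.0.255 eq 443
 remark Stateless: replies to server-initiated TCP sessions are admitted by
 remark the ACK/RST flag test, not by a session table
 permit tcp any 10.10.0.0 0.0.0.255 established
 remark UDP has no flags, so replies need explicit src/dst port pairs
 permit udp any eq domain 10.10.0.0 0.0.0.255 gt 1023
 permit udp any eq ntp 10.10.0.0 0.0.0.255 eq ntp
 remark Management access only from the management subnet
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 22
 deny   ip any any log
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group VLAN10-IN in
 ip access-group VLAN10-OUT out
```

On PFC-based 6500s, ACEs carrying the `log` keyword are handled in software on the route processor rather than in hardware, so keep them to the final deny and watch CPU under attack traffic; the `established` entry also admits any packet with ACK or RST set, which is the usual price of going stateless.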
