> -----Original Message-----
> From: firewall-wizards-admin_at_honor.icsalabs.com
> [mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf
> Of Paul Robertson
> Sent: Saturday, January 03, 2004 6:11 PM
> To: Bill James
> Cc: 'David Pick'; firewall-wizards_at_honor.icsalabs.com
> Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
>
> On Sat, 3 Jan 2004, Bill James wrote:
>
> > The problem with using ACL's is the load they can add to a router.
> > Most
>
> Depends on the router, the rulesets, and what else the router
> has to do- IPSec and VoIP are way worse for a router than
> access lists generally.
Agreed...
>
> If you order your rules by traffic volume, you're not likely
> to cause great harm (for instance, acks from Web servers are
> commonly the highest traffic volume and commonly permitted-
> do a permit for that first, and you're well on your way to
> having a happy router. Most modern IOSs do pretty well at
> fast switching ACL'd traffic.
>
Agreed again... The case I pointed out was a worst case, but one I have
seen in the "real world". It is always best to order the ACL list by
volume.
> > of Cisco's newer IOS' have IP Inspection and do OK but can add a
> > tremendous load on the router. I have seen problems with IP
> > Inspection process for smtp on IOS creating issues with the Domino
> > Email server (Lotus Notes) where a PIX and IPTables have no issues at all
> >
>
> IP Inspection is a different animal, and requires different
> strategies than normal access lists. I can't believe that any
> of the CBAC stuff is optimized as well as "normal" access lists.
I believe you are correct on this... case in point is the problem with
Lotus versus Exchange, Postfix, Sendmail etc.
>
> > Logging for a firewall-based router leaves a lot to be desired. I have
>
> If it's being blocked, I'm not sure how important logging is-
> I suppose it depends on your threat profile and paranoia.
> I've always preferred to concentrate on logging things which
> were high on my threat list, preferably off the network directly.
In my normal logging stance... I tend to log only what my clients want,
and always off the router to a remote syslog server.
>
> Router CPUs are woefully poor for hostile environments where CPU is
> needed- which is why access lists have been optimized so much
> over time.
> However, I've yet to meet a sane environment where adding in
> extended access lists did anything to put a router over its
> normal operational limits.
I may have left you with the wrong impression here... A properly sized
and configured router will handle ACLs well... the example I gave is one of
those that you do see now and again because the client refuses to spend
the needed money to do it correctly.
>
> Paul
> ---------------------------------------------------------------------------
> Paul D. Robertson            "My statements in this message are personal opinions
> proberts_at_patriot.net       which may have no basis whatsoever in fact."
> probertson_at_trusecure.com  Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jan 04 2004
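Both posters agree that an ACL should be ordered by traffic volume, with the busy permit (return traffic to inside hosts) near the top. What neither message spells out is that you cannot simply sort by hit count: moving a busy permit above a deny that it overlaps (an anti-spoofing deny, say) changes what the ACL does. The following Python script is an added example, not code from the thread or from either poster. It builds a small first-match ACL and a constructed traffic mix (hypothetical addresses and counts), counts hits per rule, and then bubbles busier rules upward only where the swap provably cannot change any decision: two adjacent rules may exchange places when no packet can match both, or when both take the same action. The overlap test is deliberately conservative (it ignores the `established` flag), so it may refuse a safe swap but never performs an unsafe one.

```python
"""Hit-count reordering of a first-match ACL that never changes its decisions.
Added example; the ACL and the traffic mix are constructed, not from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "permit" or "deny"
    proto: str                                # "tcp", "udp" or "ip" (ip = any protocol)
    src: str                                  # source CIDR
    dst: str                                  # destination CIDR
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range, None = any
    established: bool = False                 # match only TCP segments with ACK (or RST) set


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Does this single rule match the packet?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    return pkt.ack or not rule.established


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], int]:
    """First-match evaluation: (action, matched rule name, rules tested).
    An unmatched packet falls through to the implicit deny after every rule."""
    for tested, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, rule.name, tested
    return "deny", None, len(acl)


def may_overlap(a: Rule, b: Rule) -> bool:
    """Conservative: could any packet match both rules? The 'established' flag
    is ignored on purpose, so a plain TCP rule and an established rule overlap."""
    if "ip" not in (a.proto, b.proto) and a.proto != b.proto:
        return False
    if not ip_network(a.src).overlaps(ip_network(b.src)):
        return False
    if not ip_network(a.dst).overlaps(ip_network(b.dst)):
        return False
    if a.dport and b.dport and (a.dport[1] < b.dport[0] or b.dport[1] < a.dport[0]):
        return False
    return True


def reorder_by_hits(acl: List[Rule], hits: Dict[str, int]) -> List[Rule]:
    """Bubble busier rules toward the top, swapping adjacent rules only when the
    swap cannot change a decision (no common packet, or same action). A deny
    that overlaps a busy permit therefore stays above it."""
    acl = list(acl)
    swapped = True
    while swapped:
        swapped = False
        for i in range(len(acl) - 1):
            upper, lower = acl[i], acl[i + 1]
            if hits.get(lower.name, 0) > hits.get(upper.name, 0) and (
                    upper.action == lower.action or not may_overlap(upper, lower)):
                acl[i], acl[i + 1] = lower, upper
                swapped = True
    return acl


def count_hits(acl: List[Rule], traffic: List[Packet]) -> Dict[str, int]:
    hits = {r.name: 0 for r in acl}
    for name in (evaluate(acl, p)[1] for p in traffic):
        if name is not None:            # implicit deny is not a rule
            hits[name] += 1
    return hits


def total_comparisons(acl: List[Rule], traffic: List[Packet]) -> int:
    return sum(evaluate(acl, p)[2] for p in traffic)


def decisions(acl: List[Rule], traffic: List[Packet]) -> List[str]:
    return [evaluate(acl, p)[0] for p in traffic]


# Constructed inbound ACL for an Internet-facing interface (hypothetical).
ACL = [
    Rule("antispoof",   "deny",   "ip",  "10.0.0.0/8", "0.0.0.0/0"),
    Rule("dns",         "permit", "udp", "0.0.0.0/0",  "192.0.2.53/32", (53, 53)),
    Rule("smtp",        "permit", "tcp", "0.0.0.0/0",  "192.0.2.25/32", (25, 25)),
    Rule("slammer",     "deny",   "udp", "0.0.0.0/0",  "0.0.0.0/0",     (1434, 1434)),
    Rule("established", "permit", "tcp", "0.0.0.0/0",  "0.0.0.0/0",     None, True),
    Rule("http",        "permit", "tcp", "0.0.0.0/0",  "192.0.2.0/24",  (80, 80)),
]

# Constructed traffic mix (100 packets); return traffic to inside clients dominates.
TRAFFIC = (
    [Packet("tcp", "203.0.113.9", "192.0.2.10", 51234, ack=True)] * 60
    + [Packet("tcp", "198.51.100.7", "192.0.2.80", 80)] * 25
    + [Packet("tcp", "198.51.100.8", "192.0.2.25", 25)] * 5
    + [Packet("udp", "198.51.100.8", "192.0.2.53", 53)] * 5
    + [Packet("udp", "198.51.100.9", "192.0.2.10", 1434)] * 1
    + [Packet("tcp", "198.51.100.9", "192.0.2.10", 445)] * 4    # falls to implicit deny
)

if __name__ == "__main__":
    tuned = reorder_by_hits(ACL, count_hits(ACL, TRAFFIC))
    print("order:", [r.name for r in tuned])
    print("rules tested per packet: %.2f -> %.2f" % (
        total_comparisons(ACL, TRAFFIC) / len(TRAFFIC), total_comparisons(tuned, TRAFFIC) / len(TRAFFIC)))
    assert decisions(ACL, TRAFFIC) == decisions(tuned, TRAFFIC)
```

On the constructed mix the permit for established traffic moves from fifth to second place and the average number of rules tested per packet falls from about 5 to under 3, while the anti-spoofing deny keeps its place at the top because it overlaps the busy permit and takes a different action. The hit counts would in practice come from the router's own ACL counters; collecting them over a representative period (not just a quiet night) is what makes the ordering match real traffic.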