Firewall Wizards mailing list archives

Re: Switch ACL vs Firewall
From: "Martin Hoz" <martinhoz () gmail com>
Date: Thu, 11 May 2006 21:18:43 -0500

On 5/7/06, Grant Bourzikas <strongrant () gmail com> wrote:
not use Firewalls but rather use Switch ACL's.  Their point is that Switch
ACL's do the same thing as firewalls if used in conjunction with a layered
security model that uses Network IPS, Layer 7 Firewalls, and Host IPS,  I

That's sort of right: modern firewalls do that as well: they put VPN,
QoS and IPS/deep inspection technology in, and it makes sense... several
customers that use that are happy...

What's the point of distributing that functionality when having some
of it integrated makes more sense?
- How do you add VPNs in the architecture they are proposing for example?
- Would all of those things be managed from the same point, or are
those different managements?
- How many things would you have to learn, operate, update (in a word:
manage) so you can do the same things you do today with what you have
and are happy?
- What about reporting? - How much hard work would you have to do to
get useful reports that mean something to you (and to your
- How can the whole thing be audited?
- How does that design scale to give you more Gbps, Connections-per-second?

And finally... it seems like they want to tie you...
- What guarantees vendor independence/interoperability in their
design? How is that achieved?
- If you don't like a part of their design in the future (let's say
you prefer a new IPS, or another firewall, plain and simple), how easy
can you replace that component without affecting the overall design in
performance, reliability and security?

Interesting... huh? :-)

- Martín.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
