Security Basics mailing list archives

RE: Cisco Router security basics and ASA firewall rules


From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Tue, 12 Dec 2006 10:14:12 -0500

Hello,

Perhaps they want to capture all inbound attempts in the firewall logs.

If they believe their firewall can handle this load, then that is a good
way to have only one log.

Dropping traffic at the router would prevent some of the load on the
firewall, but would require a syslog server if this traffic wanted to be
logged.  This would mean two logs for traffic analysis, instead of just
one if all the traffic was allowed to hit the firewall.  It would also
mean a hole through the firewall to the syslog server would be required.

Best Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of pelesmk () gmail com
Sent: Monday, December 11, 2006 3:51 PM
To: security-basics () securityfocus com
Subject: Cisco Router security basics and ASA firewall rules

What types of ACls if any or other security rules should be used on an
edge router or internal router which stands in front of an ASA firewall.


I over recently overheard a conversation where they didn't want any ACLs
on the router and have all ACLs happening at the firewall. I have a
problem with this thought because of ip spoofing, DoS attacks, etc that
would target the router. Am I thinking correctly or is there a way to
defend against this at the firewall? I understand some ACLs can be made
at the firewall and implementing long ACLs on the router can cause
adverse network speeds, but some of the most basic ACLs must be at the
edge router.

Please fill me in as I'm fairly new to ACLs and firewall
implementations.

------------------------------------------------------------------------
---
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetec
t
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------


Current thread: