Re: How exactly are ACLs on a switch different?
on Tear Down the Firewall
Score: 2, Informative
This is how I see the difference... Where a router ACL filters IP addresses and ports, a firewall can do much more, i.e. they inspect application layers for RFC compliance/attack patterns, authenticate users, and log permitted & denied traffic (it's nice to know who's trying to screw your systems after all...). Find a router that can do all this across more than 100 ACL entries and then maintain a decent level of performance, then you're laughing, but only the modern high-end kit is starting to get close. If ACLs in routers were efficient then surely Cisco wouldn't produce a firewall blade for their high-end routers.
I've been working in the network security field for most of my career and advocate the layered/defence-in-depth approach, but I suggest anyone relying on router ACLs consider their requirements first. Personally I prefer firewalls on the edge of the network with lots of application layer filtering (i.e. proxies, SMTP scanning etc.) to keep all the nasty stuff away, and simple (to keep maintenance easy and processing overhead low) ACLs for any internal segregation. Naturally I look at host-based security as well, but that's for another post in the future.
Myself and a friend have a few little IT projects, and decided to rent a dedicated server. To recover our costs we sub-let some of the space to friends and family who want websites, webmail etc. under their own domain name. Through the use of Plesk we can do all the admin dead quick. We consider ourselves a private ISP, i.e. you can only have an account if we know you or have been recommended to us. In this way we're not bogged down with random support requests. So far we've recovered all our costs.... who knows, we may even make a profit next year.
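The ACL-versus-firewall distinction made in the comment above, as an added example that is not part of the thread: a router-style ACL that only sees addresses, protocol and port, beside a firewall-style check that runs the same filter, then inspects whether a port-80 payload is actually shaped like an HTTP request, and logs every verdict. The networks, hosts and packets are constructed sample values, and `Packet`, `acl_decision` and `firewall_decision` are names chosen here.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Router-style extended ACL (constructed sample): ordered entries, first match
# wins, implicit deny at the end. It only ever sees addresses, protocol and port.
ACL = [
    ("permit", "0.0.0.0/0", "10.0.0.5/32", "tcp", 80),
    ("permit", "192.168.1.0/24", "10.0.0.6/32", "tcp", 25),
]


def acl_decision(pkt):
    for action, src_net, dst_net, proto, dport in ACL:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
                and pkt.proto == proto and pkt.dport == dport):
            return action
    return "deny"


# Shape of an HTTP/1.x request line: method SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r\n")


def firewall_decision(pkt, log):
    """Same 5-tuple filter, then application-layer inspection, then logging."""
    action = acl_decision(pkt)
    if action == "permit" and pkt.dport == 80 and not REQUEST_LINE.match(pkt.payload):
        action = "deny"  # port 80 is open, but this is not an HTTP request
    log.append(f"{action} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
    return action


def demo():
    """Returns (ACL verdict on junk, firewall verdict on HTTP, firewall verdict on junk, log)."""
    log = []
    http = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n")
    junk = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, b"\x00\x01not-http-at-all")
    return acl_decision(junk), firewall_decision(http, log), firewall_decision(junk, log), log
```

The ACL permits the binary junk because port 80 matches; the firewall-style check denies it and leaves a log line saying who sent it.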