There is something missing in these discussions. Security is not something
which you only put at the firewall; security is something you apply wherever
it makes sense. Hence, we use Cisco ACLs on our routers AND use a firewall.
The ACLs do some of the "gross" level filtering while the firewall does some
of the finer filtering.

For example, our routers have rules which prevent packets from passing
through which have our network in both the source and destination fields,
which have the "internal only" networks in either (10.x.x.x,
172.16--172.31.x.x, 192.168.x.x), and such. We also block all IP addresses
(and reserved ports) which we know we don't want internally. We then let
the firewalls deal with the details.

This isn't to say that the firewall couldn't do all the filtering: it could. It
also means that the firewall (or intrusion tools) don't see network wide
port scans (although the router logs will tell you these things). It also
means that, where absolutely necessary, we can "bend" the security model in
very specific point-to-point situations.

I know of security personnel who have argued so effectively about sending
everything through a firewall that they are then politically prevented from
applying any other security method when the situation arises (thinking
specifically of dedicated circuits using predefined ports to business
partners). 

Whenever I see an "either this or that" discussion about security, I cringe.
Security, in order to be effective, needs to be applied in appropriate
levels in the proper (multiple) places. Security needs to balance risk
against the ability to do business. For me, this means router ACLs,
firewalls, and other unnamed things. The risk of not having a firewall, to
me, is too great. And, with minimal effort, I can augment the firewall's
security with ACLs.

You mention huge ACL lists. At some point, the rules get somewhat hard to
track. The goal is to keep everything simple. "Gross" level filtering (as
above) makes sense in routers. In our firewall, we also have some "gross"
level rules which also apply for everything; I generally add these rules
outside of the normal "GUI" based mechanism. The reason for this is that
this simplifies the number of rules managed by the GUI which keeps accidents
down. The "GUI" does the fine tuning within the constraints of the "gross"
rules.
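The "gross" border filter described above, written out as a Cisco IOS named extended ACL. This is an added example, not configuration from the original message or its author: the public block 203.0.113.0/24, the two exposed hosts and the syslog collector are documentation-range placeholders chosen for the illustration, and the exact service list is an assumption. It also folds in two points raised further down the thread: the `established` keyword is the only TCP "state" an ACL has, and echo requests can be stopped at the router for the ping-of-death question.

```cisco
! Added example (not from the original post). Addresses are assumptions:
!   203.0.113.0/24   = our public block
!   203.0.113.25/.80 = mail and web hosts we expose on purpose
!   203.0.113.10     = syslog collector that receives the "log" hits
!
ip access-list extended FROM-INTERNET
 remark --- anti-spoofing: our own addresses must never arrive from outside
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- RFC 1918 space is not routable on the Internet; drop it either way
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark --- loopback and "this network" can never be legitimate sources
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark --- non-initial fragments carry no ports, so decide on them here,
 remark --- before any line that looks at layer 4 (ping of death is fragmented)
 deny   ip any any fragments log
 remark --- stop echo requests at the border (ping-of-death thread)
 deny   icmp any any echo log
 remark --- the only "state" an ACL has: TCP segments with ACK or RST set.
 remark --- A crafted ACK-only packet with no session behind it also matches.
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark --- services exposed on purpose; the firewall does the fine filtering
 permit tcp any host 203.0.113.25 eq smtp
 permit tcp any host 203.0.113.80 eq www
 deny   ip any any log
!
! Egress: only our own addresses may leave; anything else is a spoof or a leak
ip access-list extended TO-INTERNET
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
!
! Ship the "log" hits off-box so a network-wide scan shows up in the router logs
logging host 203.0.113.10
logging trap informational
```

Two caveats a practitioner should keep in mind. `established` only tests the ACK/RST bits, so an ACK-only packet to a closed port passes the router and gets its RST from the host; that is exactly the statelessness the reply below describes, and it is why the real session tracking stays on the firewall. The `fragments` line sits ahead of every line with port or ICMP-type information because a non-initial fragment has none to match on; without it, fragments would fall through to the permit lines.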

> -----Original Message-----
> From: Eric S. Hines [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, June 02, 2000 4:34 PM
> To: Steve Kalman; [EMAIL PROTECTED]
> Subject: RE: Cisco ACL v/s Firewall
> 
> Steve,
> This is *EXACTLY* what I was looking for. My thanks goes to you.
> 
> Eric
> 
> ==============================================================
> Eric S. Hines                           [EMAIL PROTECTED]
> Information Security Group (ISG)        Pgr:  (888) 887-2553
> NUASIS Corporation                      Cell: (408) 807-4428
> Email Pager: [EMAIL PROTECTED]    Dir:  (408) 350-4997
> --------------------------------------------------------------
> NUASIS Corporation                      Ph: (408) 350-4900
> 260 Gish Rd.                            Fx: (408) 350-4999
> San Jose, Ca                            TF: (877) 9NUASIS
> 95112                                   CS: (877) NUCUSTOMER
> ==============================================================
> 
> 
> -----Original Message-----
> From: Steve Kalman [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 02, 2000 2:17 PM
> To: Eric S. Hines; [EMAIL PROTECTED]
> Subject: RE: Cisco ACL v/s Firewall
> 
> 
> Others will give detailed lists, but let me start off with the obvious.
> ACL's can act on any field in the headers from Transport down. They do not
> and cannot act on the contents of the packets. Also, with the exception of
> monitoring syn/ack bits, they are not stateful. With a few exceptions based
> on sequential packets to the same socket, every packet is treated as a new
> case.
> 
> Firewalls change this behavior. They can notice when DoS or even DDoS
> attacks are taking place. They can examine the contents of packets looking
> for phrases such as the virus out last year with a woman's name, or the
> recent "lovely" one (I avoided the common names because some firewalls would
> have filtered this message had I used them.) They can do signature based and
> heuristic virus scans. They can scan for ActiveX or other dangerous content
> and remove it. They can log.
> 
> Steve
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric S. Hines
> Sent: Friday, June 02, 2000 4:13 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco ACL v/s Firewall
> 
> I have an associate who works for a company that uses Cisco ACL's in all of
> their routers instead of a real firewall solution. Is there anyone out there
> that can provide me with a valid rebuttal to the use of ACL's over a real
> hardware-based or software-based firewall like FW-1 or even Raptor..
> possibly even a hardware-based box like Sonicwall.
> 
> The company does VoIP/VoVPN solution, managed call centers and I already
> have stated the issue of load problems when the ACL's span 10-20 pages in
> length. Does anyone know of any current ACL circumventions or even security
> issues with using such a method for firewalling/filtering.
> 
> Your advice would be appreciated.
> 
> ESH
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Delmer Harris
> Sent: Friday, June 02, 2000 12:21 PM
> To: Eric S. Hines
> Cc: [EMAIL PROTECTED]
> Subject: Re: Ok, this may be off topic..
> 
> Look for documentation on syslog.  This is available in many versions of
> Un*x.
> 
> "Eric S. Hines" <[EMAIL PROTECTED]> on 06/02/2000 01:22:14 PM
> 
>  To:      [EMAIL PROTECTED]
>  cc:
>  Subject: Ok, this may be off topic..
> 
> Hello fellow industry execs,
> 
> This might be off topic, so I apologize. But, I need to setup a remote log
> server. Does anyone know of a HOW-TO or whitepaper describing how to
> configure servers to remotely log their log files to a remote system?
> Your help would be appreciated.
> 
> ESH
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric S. Hines
> Sent: Friday, June 02, 2000 10:43 AM
> To: Rohit Gupta; [EMAIL PROTECTED]
> Subject: RE: ping of death
> 
> 
> Just my 2 cents, but turn off ICMP ping packets at the firewall or router.
> 
> ESH
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Rohit Gupta
> Sent: Friday, June 02, 2000 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: ping of death
> 
> 
> Can somebody tell me if there is any tool to secure my server from ping of
> death...
> please Help urgently reqd
> Rohit
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
