> -----Original Message-----
> From: Johnson, Carl [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 25 August 2000 3:38 AM
> To: 'Justin Tamakawa'; '[EMAIL PROTECTED]'
> Subject: RE: cisco access-lists
[snip]
>
> There are some pretty hefty security flaws with all of this. You shouldn't
> rely on Cisco access-lists for any sort of reasonable security.
I disagree. Or, insofar as I agree I'd say the same for most shipping
stateful packet filters.
> An exception is if you use firewall code on your router and implement CBAC
> (Content Based Access Control).
I still disagree. I'm suspicious of CBAC.
> This will allow stateful inspection of your connections and eliminate the
> need to globally allow return traffic.
You can get stateful ACLs without using CBAC - check out reflexive
access-lists.
>
> Carl
My main gripe with Cisco ACLs (reflexive or otherwise) is that there is no
decent logging / auditing (without doing a lot of syslog parsing yourself -
and who trusts syslog anyway?).
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
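The reflexive access-list approach Ben points to, as an added IOS configuration example that is not part of the original thread. Block (a) is the coarse "globally allow return traffic" rule that Carl's message objects to; block (b) replaces it with reflexive lists so that only replies to sessions the router has seen leaving are admitted. Interface name, list names and the timeout values are assumptions for illustration.

```cisco
! Added example, not from the original message. Interface name, list names
! and timeouts are assumed.
!
! (a) Weak form: admit any TCP packet with ACK or RST set as "return"
!     traffic. The router checks only the flag bits, not whether a session
!     exists, so crafted ACK packets reach inside hosts. It also does
!     nothing for UDP or ICMP replies, which would have to be opened outright.
ip access-list extended inbound-weak
 permit tcp any any established
 deny ip any any log
!
! (b) Reflexive lists (plain IOS, no firewall feature set / CBAC needed).
!     Each outbound session matching a "reflect" entry creates a temporary
!     mirror entry in the named reflexive list; the inbound list admits
!     only packets that match such an entry, until the idle timeout expires.
ip access-list extended outbound
 remark Track outgoing sessions; per-entry idle timeouts in seconds
 permit tcp any any reflect tcp-sessions timeout 300
 permit udp any any reflect udp-sessions timeout 60
 permit icmp any any reflect icmp-sessions timeout 30
 deny ip any any log
!
ip access-list extended inbound
 remark Permanent openings (e.g. to a public web server) go before the
 remark evaluate lines, like any other ACE
 evaluate tcp-sessions
 evaluate udp-sessions
 evaluate icmp-sessions
 deny ip any any log
!
! Global default idle timeout for reflexive entries that set none of their own
ip reflexive-list timeout 300
!
! Apply on the external interface: outbound list filters what leaves and
! seeds the reflexive entries, inbound list evaluates what comes back.
interface Serial0
 ip access-group outbound out
 ip access-group inbound in
```

Two caveats a practitioner should keep in mind: a reflexive entry tracks only the address and port pair of the session, not TCP sequence numbers or state, so it is a weaker check than a true stateful inspector, and it cannot follow protocols that open secondary channels (active FTP, for instance). The `log` keyword on the final deny is still the only auditing this gives, and it lands in syslog, which is exactly the logging gripe raised in the message above.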