I can't speak for everyone, but I certainly find this discussion far more interesting and useful to security than quite a few others on here. So feel free to keep it public.
I'm not about to wade in too deeply, but I thought I'd summarize and add a few notes.

----------------------------------------------------------
STATEFUL (session-based filter)

Pros
- can provide other filtering services during inspection (depends on device feature set)
- won't have to constantly fight battles (against admins, vendors, clients, auditors, managers, outsiders) to explain why you don't have a "firewall"
- handles ephemeral ports, dynamic connections, and matches returning traffic well

Cons
- more DDoS susceptible
- another piece of hardware so another point of failure
- won't add much when you're already accepting * into IP x on port n

----------------------------------------------------------
ACLs (packet-based filter)

Pros
- with pure ACLs, will always be faster
- as such it can scale with traffic better
- excellent when you're just blanket stopping all traffic except * to x on port n

Cons
- poor filter for ephemeral port needs, or dynamic connections
- susceptible to protocol anomalies used in attacks (includes covert channels)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
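The ephemeral-port, return-traffic and state-table points in the summary above, as an added illustration that is not part of the original post: a toy stateless ACL beside a toy session filter, with constructed addresses, ports and a deliberately tiny bounded state table.

```python
"""Stateless ACL vs. stateful session filter. Added illustration, not code from
the original post; addresses, ports and the "any -> x:n" rule are constructed."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

SERVER_IP, SERVER_PORT = "198.51.100.20", 443  # the "x" and "n" of the post
INSIDE_HOST = "192.0.2.10"                      # a workstation behind the filter

def stateless_acl(pkt: Packet) -> bool:
    """No memory: permit any -> x:n and, so that replies to outbound connections
    get back in, permit anything aimed at an ephemeral port (the weak spot)."""
    if pkt.dst == SERVER_IP and pkt.dport == SERVER_PORT:
        return True
    return pkt.dport >= 1024

class StatefulFilter:
    """Session filter: records outbound flows and admits only their replies."""
    def __init__(self, max_sessions: int) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()
        self.max_sessions = max_sessions  # finite state table: the DDoS exposure

    def outbound(self, pkt: Packet) -> bool:
        if len(self.sessions) >= self.max_sessions:
            return False  # table full: even legitimate new sessions are refused
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dst == SERVER_IP and pkt.dport == SERVER_PORT:
            return True  # the published service, same as the ACL
        # otherwise only a packet that reverses a recorded outbound flow
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare() -> dict[str, tuple[bool, bool]]:
    """Run a genuine reply and a forged one through both: {case: (acl, stateful)}."""
    fw = StatefulFilter(max_sessions=2)
    fw.outbound(Packet(INSIDE_HOST, 51234, "203.0.113.9", 80))  # workstation -> web
    reply = Packet("203.0.113.9", 80, INSIDE_HOST, 51234)         # real return traffic
    forged = Packet("203.0.113.77", 80, INSIDE_HOST, 51234)       # unsolicited, same port
    return {"reply": (stateless_acl(reply), fw.inbound(reply)),
            "forged": (stateless_acl(forged), fw.inbound(forged))}
```

Both filters pass the genuine reply, but only the session filter refuses the unsolicited packet to the same ephemeral port; conversely, once its small table is full the session filter starts refusing new legitimate sessions, which the ACL never does.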