[sent this in yesterday, apparently never made it to the list]
> On Thu, 22 Apr 1999, Jim Fletcher wrote:
> > Does anyone have any experience with Cisco's IOS? And for a novice
> > - would it be reasonably secure enough to use as a primary
> > firewall? or should it be used for perimeter security with
> > another proxy server behind it.
A firewall implements a security policy. Whether a Cisco router is
"secure enough" depends on what policy you are trying to implement.
In other words, you have to define your requirements before you can
ask if a particular firewall will meet them.
Carric Dooley <[EMAIL PROTECTED]> writes:
> Using a router as your primary means of protection is a bad idea. The
> more complex your filters get, the more load you will put on the router's
> CPU; packet filtering is a crappy method of protecting yourself; unless
> you know IOS well, managing ACL's will rapidly become a nightmare.
While slapping a bunch of ACLs on an already loaded router is a bad
idea, an appropriately sized and configured router can be a good
match for some requirements--more so as ACLs get more sophisticated.
Ben Nagy <[EMAIL PROTECTED]> writes:
> You can get pretty good basic packet filtering with IOS. If you start with
> "permit tcp any any established" (allow only packets with the Ack bit set,
> which will usually only be the case if someone on the inside has requested
> the connection)
[...]
> Now, if you're trying to support a hundred or so users that want a full
> gamut of services (NNTP, Gopher, non-passive FTP, WAIS, Real *&(&^%& Audio,
> Lions and Tigers and Bears, or even ICQ (lord help us!)) then you'll quickly
> start hating life and your job.
You can do better than that (for a price) now that the IOS firewall
feature set is available on many Cisco routers. With the firewall
feature set, the router monitors outgoing connections and opens up
appropriate temporary ACLs for just the return traffic. You can get
rid of "tcp any any established" (which is spoofable enough to leak
information about your network), it works with UDP (via a configurable
conversation timeout), and it understands a short list of troublesome
protocols like non-PASV ftp and RealAudio and installs the appropriate
temporary ACLs to make 'em work.
We recently installed a 3640 with the firewall feature set to protect
our lab network (just a small subnet of Cornell's net). As is common
at universities, we were wide open until then. Our requirements were
(informally) to preserve that openness as much as possible while
keeping the script kiddies away--and, perhaps most importantly,
establish control over our network perimeter so we can implement
additional measures as our requirements change. We're supporting a
few hundred users that *do* want the full gamut of services, and so
far it has been remarkably painless (at least partially because we
spent months beforehand monitoring our network, figuring out what
traffic we wanted to support and what we didn't, and communicating to
our users what was about to happen).
We did break ICQ, which I don't regret in the least, and so far nobody
has had the temerity to complain.
Such a box could be an appropriate solution for substantially more
severe requirements than ours--but you have to know what you are
trying to accomplish first.
--
Dan Riley [EMAIL PROTECTED]
Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/>
"History teaches us that days like this are best spent in bed"
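The two approaches contrasted in the post, written out as an added illustration that is not from the original message or from Cisco's documentation: a stateless "established" filter versus an IOS firewall feature set (CBAC) inspection rule. The interface names, ACL numbers, the rule name LABFW, the timeout value and the 192.0.2.0/24 inside network are constructed assumptions.

```text
! ===== Before: stateless filter on the outside interface (constructed) =====
! "established" matches any TCP segment with ACK or RST set. A crafted
! packet with ACK set therefore passes the filter, which is what makes
! this entry spoofable enough to reveal which inside hosts answer.
access-list 101 permit tcp any any established
access-list 101 deny   ip any any log
!
interface Serial0
 description outside link (assumed interface name)
 ip access-group 101 in

! ===== After: IOS firewall feature set (CBAC) inspection =====
! The inspection rule watches sessions leaving the inside interface and
! inserts temporary permit entries at the top of the inbound ACL on the
! outside interface, for just the return traffic of each session.
! UDP "conversations" expire after the idle timeout given here (assumed 30 s);
! ftp and realaudio inspection opens the extra data channels those
! protocols negotiate, so non-PASV FTP and RealAudio keep working.
ip inspect name LABFW tcp
ip inspect name LABFW udp timeout 30
ip inspect name LABFW ftp
ip inspect name LABFW realaudio
!
! Static inbound policy on the outside interface, evaluated after the
! dynamic entries: drop packets claiming an inside source address
! (anti-spoofing), permit only what the policy explicitly allows
! (here: SMTP to one assumed mail host), log and deny everything else.
access-list 102 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 102 permit tcp any host 192.0.2.25 eq smtp
access-list 102 deny   ip any any log
!
interface Ethernet0
 description inside LAN 192.0.2.0/24 (constructed)
 ip inspect LABFW in
!
interface Serial0
 description outside link (assumed interface name)
 ip access-group 102 in
```

On the router, `show ip inspect sessions` lists the sessions CBAC is currently tracking, and `show ip access-lists 102` shows the temporary entries it has inserted ahead of the static ones.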