Thank you, it seems as if it's a case-scenario of "toe-(mae)-toe,
t(ah)-(mah)-toe" :), each person having their own definition of what works
better than the other. I think also, what plays into the scenario is the
size of the network and each size having its own requirements. Thanks again.

Eric

==============================================================
Eric S. Hines                           [EMAIL PROTECTED]
Information Security Group (ISG)        Pgr:  (888) 887-2553
NUASIS Corporation                      Cell: (408) 807-4428
Email Pager: [EMAIL PROTECTED]    Dir:  (408) 350-4997
--------------------------------------------------------------
NUASIS Corporation                      Ph: (408) 350-4900
260 Gish Rd.                            Fx: (408) 350-4999
San Jose, Ca                            TF: (877) 9NUASIS
95112                                   CS: (877) NUCUSTOMER
==============================================================


-----Original Message-----
From: Matthew [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 02, 2000 2:13 PM
To: Eric S. Hines
Cc: [EMAIL PROTECTED]
Subject: Re: Cisco ACL v/s Firewall


Eric,

In many cases Cisco ACLs provide the same level of security as
alternative firewall solutions.  However, it is much easier to make
mistakes with ACLs - I know, I've made many.  There are problems: load,
you have already mentioned, but the same can be said of any platform;
load should be taken into account when deciding what platform to buy -
there are very large Cisco boxes which, no doubt, can handle larger
loads.  Another problem is when you want to change an ACL.  During the
change you may either have no security, minimal security, or a drop in
connectivity.  Although this window is small, with large bandwidth (say
OC-48s or 100Mb ethernet) then this may be a problem.

Some other firewalls have similar problems.

Remember there is no firewall one size fits all; each case merits its
own analysis and appropriate solution deployed.  Saying that a Cisco box
using ACLs is not a _real_ firewall begs the question of definition of a
'real' firewall.  The resultant flame war would not be worth the effort.

Matthew

"Eric S. Hines" wrote:
>
> I have an associate who works for a company that uses Cisco ACL's in all of
> their routers instead of a real firewall solution. Is there anyone out there
> that can provide me with a valid rebuttal to the use of ACL's over a real
> hardware-based or software-based firewall like FW-1 or even Raptor..
> possibly even a hardware-based box like Sonicwall.
>
> The company does VoIP/VoVPN solution, managed call centers and I already
> have stated the issue of load problems when the ACL's span 10-20 pages in
> length. Does anyone know of any current ACL circumventions or even security
> issues with using such a method for firewalling/filtering.
>
> Your advice would be appreciated.
>
> ESH
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Delmer Harris
> Sent: Friday, June 02, 2000 12:21 PM
> To: Eric S. Hines
> Cc: [EMAIL PROTECTED]
> Subject: Re: Ok, this may be off topic..
>
> Look for documentation on syslog.  This is available in many versions of
> Un*x.
>
> "Eric S. Hines" <[EMAIL PROTECTED]> on 06/02/2000 01:22:14 PM
>
> To:      [EMAIL PROTECTED]
> cc:
> Subject: Ok, this may be off topic..
>
> Hello fellow industry execs,
>
> This might be off topic, so I apologize. But, I need to set up a remote log
> server. Does anyone know of a HOW-TO or whitepaper describing how to
> configure servers to remotely log their log files to a remote system?
> Your help would be appreciated.
>
> ESH
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric S. Hines
> Sent: Friday, June 02, 2000 10:43 AM
> To: Rohit Gupta; [EMAIL PROTECTED]
> Subject: RE: ping of death
>
> Just my 2 cents, but turn off ICMP ping packets at the firewall or router.
>
> ESH
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Rohit Gupta
> Sent: Friday, June 02, 2000 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: ping of death
>
> Can somebody tell me if there is any tool to secure my server from ping of
> death...
> please Help urgently reqd
> Rohit
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]