David,
>From the work I have done looking at it, the hub of the Firewall Feature Set (Or
>CiscoSecure Integrated Software as they now call it) is basically access control
>lists. The access control lists are quite good, because they'll stop all packets bang
>dead, but it is kind of scary that they seem to be the hub of the 'feature'.
The main problem we have seen from our concerns is that the logging on the router is awful. You need to allocate sufficient buffer space, and you could easily lose it. However, if you have a local UNIX box you can bung all your logging straight to it using syslog. It's not too bad when you do that. You can log all denies on the access list, and you can also log all CBAC connections. However, I am not sure what you would need to do to log other traffic. I guess set an access list up as a 'permit all log', or to some lesser degree.
One of the other main issues is the current limitations of CBAC, which doesn't really handle a lot of protocols. The application filtering is trivial in some cases. For example, SMTP is hardcoded to allow EXPN and VRFY straight through as permitted commands, even though they can lead to information leaks. There is no way to change that. It is also limited to UDP and TCP traffic, which means that if you want to allow ICMP or anything else you have to start poking holes in your access lists, which can be dodgy! CBAC is supposed to check outgoing packets and then open a hole in your access list to allow their responses back in. It does this very well, and very responsively.
There are also some anti-DoS measures, which are quite good. They've got some fairly
flexible rules to govern inbound SYN connections and the like.
To sum it up I have two main issues. As a router with a firewall feature I think it is really good. As a firewall on a router I am not so impressed. Too much is hardcoded with no chance to see what is really going on. My second issue is more to do with the people who support it. A few times now I have seen router people trying to do firewall security with a Cisco router, but without really a clue. As the firewall world and the router world have always been slightly different there are a lot of vital security skills that have not yet permeated across to the router world (the case is also vice versa, but not an issue here). The router people tend to think that if they can do routers then they can do firewalls, and so if they know IOS then they can configure a secure IOS firewall. I do both, and I deal with both, so I have seen it a lot, and I have seen, time after time, router people get it wrong. That is not to say that there aren't a lot of people who can sit in the middle, but I would be very hesitant about asking a load of router configurators to take over my firewalls!!
Anyway, I hope this bit of personal opinion is of some use. The IOS is really much better a firewall than I ever expected, but I am still testing it and forming a final opinion.
Cheers,
Joe
(personal opinions, represent only myself, etc....)
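Joe's point about shipping the ACL deny logs and CBAC audit trail to a UNIX syslog host is the useful bit for anyone running this in practice. The script below is an added example (not from Joe, David, or Cisco) of what to do with those lines once they land on the syslog box: it parses IOS-style %SEC-6-IPACCESSLOG and %FW-6-SESS_AUDIT_TRAIL messages, totals denied packets per source, counts CBAC session starts and stops, and flags sources whose denies touch several destination ports. The sample log lines are constructed, the exact message layouts are an assumption drawn from memory of IOS logging rather than anything on this page, and the threshold in sources_probing_many_ports is an arbitrary illustrative value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the shape of IOS access-list log messages
# and CBAC audit-trail messages. Layouts are assumed, not taken from the post.
SAMPLE_LOG = """\
Jan  5 10:01:02 rtr1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4455) -> 192.0.2.10(23), 1 packet
Jan  5 10:01:05 rtr1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4456) -> 192.0.2.10(25), 1 packet
Jan  5 10:01:09 rtr1 14: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(53) -> 192.0.2.10(1024), 3 packets
Jan  5 10:02:00 rtr1 15: %FW-6-SESS_AUDIT_TRAIL: Start tcp session: initiator (192.0.2.10:1100) -- responder (203.0.113.50:80)
Jan  5 10:02:30 rtr1 16: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (192.0.2.10:1100) sent 512 bytes -- responder (203.0.113.50:80) sent 4096 bytes
Jan  5 10:03:00 rtr1 17: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4460) -> 192.0.2.10(80), 1 packet
"""

# Access-list log line: ports are optional so ICMP-style lines without them still match.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)

# CBAC audit trail: the Stop variant carries byte counts between initiator and responder,
# so a lazy wildcard bridges the two halves.
CBAC_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<event>Start|Stop) (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\).*?"
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)


def parse_line(line):
    """Return a dict describing an ACL or CBAC event, or None for unrelated lines."""
    m = ACL_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "acl"
        rec["count"] = int(rec["count"])
        return rec
    m = CBAC_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "cbac"
        return rec
    return None


def parse_log(text):
    """Parse every recognised line in a block of syslog text."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def deny_packets_by_source(records):
    """Total packets denied by the access list, keyed by source address."""
    totals = Counter()
    for r in records:
        if r["kind"] == "acl" and r["action"] == "denied":
            totals[r["src"]] += r["count"]
    return totals


def cbac_session_counts(records):
    """Count CBAC session Start and Stop events; a large gap hints at dropped log lines."""
    return dict(Counter(r["event"] for r in records if r["kind"] == "cbac"))


def sources_probing_many_ports(records, min_ports=2):
    """Sources whose denied packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["kind"] == "acl" and r["action"] == "denied" and r["dport"]:
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("denied packets by source:", dict(deny_packets_by_source(recs)))
    print("CBAC sessions:", cbac_session_counts(recs))
    print("multi-port probers:", sources_probing_many_ports(recs))
```

Comparing the Start and Stop counts over a day is a cheap check for the buffer-loss problem Joe mentions: if the router was dropping log lines before they reached syslog, the two will drift apart. Nothing here replaces verifying the message formats against the IOS release actually in use.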
David Leach wrote:
> Has anyone used the FFS or can give recommendations for or against? A router
> engineer I'm trying to work with has suggested replacing all the firewalls in a
> proposed design with routers and Access control lists. I feel confident that I have
> the information necessary to make the argument against doing that. However, I don't
> want to be caught off guard by something I don't know much about.
>
> Any help is greatly appreciated.
>
> Dave Leach, MCSE+ I
> Systems Security Engineer
> EWA, Information and Infrastructure Technologies
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]