* Gadi Evron:

> Anyone ever considered just closing these ports? People will pay you
> more and just for your ACL services!

People call me mad because I designed a system which can handle 10,000+ ACL entries with negligible personal overhead (keep in mind that you cannot give end users direct access to ACL settings because they don't know what to do). Some issues I ran into clearly showed that this was a very, very unusual thing to do. It still has to be this way if you look at the number of hoops you have to jump through if you want to atomically replace an ACL on a Cisco router. In other words, neither people nor technology are quite ready.

> Why is this such a bad idea?

My fear is that most organizations will opt for blocks without exceptions (or ridiculous processes to obtain exceptions). AFAICS, this is what happened on most academic networks. As a result, protocol designers make sure that their application looks like HTTP at layer 4, and everyone loses.
