Michael, do you have logging or audit requirements for your filters? We use ACLs almost everywhere for non-stateful filtering, but there are a few locations (e.g. HIPAA) that require an audit trail which is perhaps better accomplished by a firewall.
Eric :)

On Tue, Apr 07, 2009 at 01:05:31PM -0700, Michael Helmeste wrote:
> Hi all,
> One of the duties of my current place of employ is reorganizing the
> network. We have a few Catalyst 6500 series L3 switches, but currently
> do all packet filtering (and some routing) using a software based
> firewall. Don't ask me, I didn't design it :)
>
> Current security requirements are only based on TCP and non-stateful
> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
> applied on the routed interface of each VLAN. There was some talk of
> using another software based firewall or a Cisco FWSM card to filter
> traffic at the border, mostly for management concerns. We expect full 1
> gig traffic levels today, and 10 gig traffic levels in the future.
>
> I view ACLs as being a cheap, easy to administrate solution that
> scales with upgrades to new interface line speeds, where a full stateful
> firewall isn't necessary. However, I wanted to get other opinions of
> what packet filtering solutions people use in the border and in the
> core, and why.
>
> What's out there, and why do you guys use it? How do you feel about
> the scalability, performance, security, and manageability of your
> solution? What kind of traffic levels do you put through it?
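Eric's point about an audit trail is the practical limit of the ACL approach: an IOS ACE with the "log" keyword does produce a syslog record, but matching packets are handed to the route processor for logging and the messages are summarized per logging interval (the first match is logged at once, later matches as a packet count), so what you get is a sampled flow record rather than the per-packet or per-session log a stateful firewall keeps. The script below is an added example, not part of Eric's or Michael's messages, showing what that record looks like once collected: it parses %SEC-6-IPACCESSLOGP lines into structured fields and rolls them up into per-flow packet totals, the minimum you would need to hand an auditor. The ACL name, addresses and syslog lines are constructed for the example; the assumption that summing each message's count per flow gives the total seen rests on IOS reporting the count of matches since the previous message for that flow.

```python
import re
from collections import Counter

# Constructed sample syslog (not from the thread) in the form IOS emits for
# the "log" keyword on an extended ACL entry.  The ACL name, hosts and
# addresses are made up; the last line is unrelated syslog the parser must skip.
SAMPLE_SYSLOG = """\
Apr  7 13:10:02.113: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.1.10.23(51422) -> 10.1.20.5(445), 1 packet
Apr  7 13:10:02.890: %SEC-6-IPACCESSLOGP: list VLAN10-IN permitted tcp 10.1.10.23(51423) -> 10.1.20.5(443), 1 packet
Apr  7 13:15:02.117: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.1.10.23(51422) -> 10.1.20.5(445), 312 packets
Apr  7 13:15:03.004: %SEC-6-IPACCESSLOGP: list VLAN10-IN denied udp 10.1.10.77(40000) -> 10.1.20.9(161), 4 packets
Apr  7 13:15:04.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches the TCP/UDP variant (ports in parentheses); the port groups are
# optional so protocol-only variants of the message still parse.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r",\s+(?P<count>\d+)\s+packets?"
)


def parse_acl_log(line):
    """Return a dict for one ACL log message, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    for k in ("sport", "dport"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec


def flow_key(rec):
    # The source port is left out: an audit trail cares about which host
    # reached which service, and ephemeral ports only fragment the totals.
    return (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])


def summarize(syslog_text):
    """Packet totals per (acl, action, proto, src, dst, dport).

    Assumes each message's count covers matches since the previous message
    for that flow (first hit logged as "1 packet", later hits summarized).
    """
    totals = Counter()
    for line in syslog_text.splitlines():
        rec = parse_acl_log(line)
        if rec is not None:
            totals[flow_key(rec)] += rec["count"]
    return totals


def denied_report(syslog_text):
    """Human-readable lines for denied flows only, sorted for stable output."""
    out = []
    items = sorted(summarize(syslog_text).items(), key=lambda kv: [str(x) for x in kv[0]])
    for (acl, action, proto, src, dst, dport), n in items:
        if action == "denied":
            out.append(f"{acl} {proto} {src} -> {dst}:{dport}  {n} packets")
    return out


if __name__ == "__main__":
    for line in denied_report(SAMPLE_SYSLOG):
        print(line)
```

Run against a real syslog export, the denied report gives you which hosts kept hitting a blocked service and roughly how hard, but note what is missing compared with a firewall log: no session start and end, no byte counts, and a packet total that was sampled by the logging interval rather than counted in hardware.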