MS is doing something very Jericho-ish with "DirectAccess" ... very loosely, "Automagic IPsec + IPv6 (via Teredo when needed) + AD-based auth" (MS's previous step was SDI (Server Domain Isolation))
/TJ

>-----Original Message-----
>From: Mark Smith
>[mailto:na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org]
>Sent: Tuesday, April 07, 2009 5:34 PM
>To: Michael Helmeste
>Cc: nanog@nanog.org
>Subject: Re: ACLs vs. full firewalls
>
>On Tue, 07 Apr 2009 13:05:31 -0700
>Michael Helmeste <mhelm...@uvic.ca> wrote:
>
>> Hi all,
>> One of the duties of my current place of employ is reorganizing the
>> network. We have a few Catalyst 6500 series L3 switches, but currently
>> do all packet filtering (and some routing) using a software based
>> firewall. Don't ask me, I didn't design it :)
>>
>> Current security requirements are only based on TCP and non-stateful
>> UDP src/dst net/port filtering, and so my suggestion was to use ACLs
>> applied on the routed interface of each VLAN. There was some talk of
>> using another software based firewall or a Cisco FWSM card to filter
>> traffic at the border, mostly for management concerns. We expect full
>> 1 gig traffic levels today, and 10 gig traffic levels in the future.
>>
>> I view ACLs as being a cheap, easy to administrate solution that
>> scales with upgrades to new interface line speeds, where a full
>> stateful firewall isn't necessary. However, I wanted to get other
>> opinions of what packet filtering solutions people use in the border
>> and in the core, and why.
>>
>
>It seems there is a trend towards moving host protection on to the hosts
>themselves, onto or closer to the resource or entity being protected. It's
>basically following the cliche, "If you want something to be done properly, you
>need to do it yourself."
>
>http://www.opengroup.org/jericho/ - they call it "de-perimeterization"
>
>I first came across the idea in this article:
>
>http://www.cs.columbia.edu/~smb/papers/distfw.html
>
>If you move to the host-based firewalling model, plain packet filtering ACLs at
>the perimeter would be quite an adequate form of a first level of defence,
>while also avoiding the performance overhead of (or resources required to
>perform) stateful tracking of large amounts of traffic.
>
>Regards,
>Mark.
>
>
>
>> What's out there, and why do you guys use it? How do you feel about
>> the scalability, performance, security, and manageability of your
>> solution? What kind of traffic levels do you put through it?
>>
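As an added illustration of the trade-off this thread is about (not code from the original posts or from any of their authors), the following Python models a stateless interface ACL with an IOS-style "established" entry next to a minimal connection tracker; the addresses, the ACL and the packets are constructed for the example. It shows why a stateless "established" rule is cheap but only checks flag bits, which is the gap the host-based second layer is meant to cover.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet as the interface sees it: proto is "tcp" or "udp"; flags holds TCP flag names such as "ACK".
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])
# One ACL entry: action "permit"/"deny"; proto "tcp"/"udp"/"ip"; src/dst CIDR ("0.0.0.0/0" = any);
# dport 0 = any port; established mirrors the IOS keyword (match only if ACK or RST is set).
Ace = namedtuple("Ace", "action proto src dst dport established", defaults=[0, False])

def ace_matches(ace, p):
    return (ace.proto in ("ip", p.proto)
            and ip_address(p.src) in ip_network(ace.src)
            and ip_address(p.dst) in ip_network(ace.dst)
            and (not ace.dport or p.dport == ace.dport)
            and (not ace.established or bool(p.flags & {"ACK", "RST"})))

def stateless_verdict(acl, p):
    """Router ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action
    return "deny"

class StatefulFilter:
    """Minimal connection tracker: an inbound packet passes if it answers a flow seen
    leaving; otherwise it is judged by the same ACL minus the 'established' shortcut."""
    def __init__(self, acl):
        self.acl = [a for a in acl if not a.established]
        self.flows = set()
    def outbound(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
    def inbound(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"
        return stateless_verdict(self.acl, p)

INBOUND_ACL = [  # constructed: inbound on the routed interface of server VLAN 10.10.0.0/24
    Ace("permit", "tcp", "0.0.0.0/0", "10.10.0.0/24", dport=80),          # public web service
    Ace("permit", "tcp", "0.0.0.0/0", "10.10.0.0/24", established=True),  # replies to outbound TCP
    Ace("permit", "udp", "0.0.0.0/0", "10.10.0.0/24", dport=53)]          # stateless UDP rule

def demo():
    """Verdicts for a genuine reply and for an ACK-only packet that belongs to no session."""
    tracker = StatefulFilter(INBOUND_ACL)
    tracker.outbound(Packet("tcp", "10.10.0.5", 40001, "203.0.113.9", 443, frozenset({"SYN"})))
    reply = Packet("tcp", "203.0.113.9", 443, "10.10.0.5", 40001, frozenset({"SYN", "ACK"}))
    stray = Packet("tcp", "198.51.100.7", 3333, "10.10.0.5", 22, frozenset({"ACK"}))
    return {"reply": (stateless_verdict(INBOUND_ACL, reply), tracker.inbound(reply)),
            "stray_ack": (stateless_verdict(INBOUND_ACL, stray), tracker.inbound(stray))}
```

Both filters pass the real reply; only the stateless ACL passes the stray ACK, since the "established" entry looks at flag bits rather than at any session, which is the kind of packet a host firewall on the server would have to reject on its own.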