On Wed, Apr 08, 2009 at 08:32:02AM +1000, Karl Auer wrote:
> On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> > It seems there is a trend towards moving host protection on to the
> > hosts themselves, onto or closer to the resource or entity being
> > protected. It's basically following the c
---
>From: Mark Smith
>[mailto:na...@85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org]
>Sent: Tuesday, April 07, 2009 5:34 PM
>To: Michael Helmeste
>Cc: nanog@nanog.org
>Subject: Re: ACLs vs. full firewalls
>
>On Tue, 07 Apr 2009 13:05:31 -0700
>Michael Helmeste wrote:
>
>> Hi all,
>
agents/NAC Agents
Regards
Ubaidali Abdul Razack
+65.65436404 (Office)
+65.65436278 (Fax)
Roland Dobbins
04/08/2009 08:28 AM
To: NANOG list
cc:
Subject: Re: ACLs vs. full firewalls
On Apr 8, 2009, at 4:05 AM, Michael Helmeste wrote:
> However, I wanted to get other opinions of w
On Apr 8, 2009, at 4:05 AM, Michael Helmeste wrote:
However, I wanted to get other opinions of what packet filtering
solutions people use in the border and in the core, and why.
Stateless ACLs in hardware at the edge are important both for
infrastructure self-protection (i.e., iACLs) and
On Wed, 08 Apr 2009 09:20:34 +1000
Karl Auer wrote:
> On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
> > > I'd be interested to hear why people use firewalls.
>
> > End hosts are not always trustworthy.
> >
> > If a host is compromised, should it be able to send anything and
> > everyt
On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
> > I'd be interested to hear why people use firewalls.
> End hosts are not always trustworthy.
>
> If a host is compromised, should it be able to send anything and
> everything out to the public network?
A packet filter looks at the "top s
On 8/04/2009, at 10:32 AM, Karl Auer wrote:
I'd be interested to hear why people use firewalls. I've never felt the
need, myself - am I living in a fool's paradise?
End hosts are not always trustworthy.
If a host is compromised, should it be able to send anything and
everything out to th
On Wed, 2009-04-08 at 07:04 +0930, Mark Smith wrote:
> It seems there is a trend towards moving host protection on to the
> hosts themselves, onto or closer to the resource or entity being
> protected. It's basically following the cliche, "If you want something
> to be done properly, you need to do
While there are no specific audit requirements, overall traffic auditing
(not just for dropped packets) is definitely something I'm considering.
One way of gathering this data without using a firewall would seem to be
netflow; I don't think netflow specifically calls out (or even shows?)
traffic bl
Sam Crooks
-Original Message-
From: Michael Helmeste [mailto:mhelm...@uvic.ca]
Sent: Tuesday, April 07, 2009 3:06 PM
To: nanog@nanog.org
Subject: ACLs vs. full firewalls
Hi all,
One of the duties of my current place of employ is reorganizing the
network. We have a few Catalyst 6500
On Tue, 07 Apr 2009 13:05:31 -0700
Michael Helmeste wrote:
> Hi all,
> One of the duties of my current place of employ is reorganizing the
> network. We have a few Catalyst 6500 series L3 switches, but currently
> do all packet filtering (and some routing) using a software based
> firewall. Don
On 4/7/09, Michael Helmeste wrote:
> Hi all,
> One of the duties of my current place of employ is reorganizing the
> network. We have a few Catalyst 6500 series L3 switches, but currently
> do all packet filtering (and some routing) using a software based
> firewall. Don't ask me, I didn't de
Michael,
Do you have logging or audit requirements to your filters?
We use ACLs almost everywhere for non-stateful filtering, but
there are a few locations (e.g. HIPAA) that require an
audit trail which is perhaps better accomplished by a firewall.
Eric :)
On Tue, Apr 07, 2009 at 01:05:31PM -0
On Tue, 7 Apr 2009, Michael Helmeste wrote:
Current security requirements are only based on TCP and non-stateful
UDP src/dst net/port filtering, and so my suggestion was to use ACLs
applied on the routed interface of each VLAN. There was some talk of
using another software based firewall or a C
Hi all,
One of the duties of my current place of employ is reorganizing the
network. We have a few Catalyst 6500 series L3 switches, but currently
do all packet filtering (and some routing) using a software based
firewall. Don't ask me, I didn't design it :)
Current security requirements are o