ACL or Firewall


fishchips (IS-IT--Management), Sep 3, 2007
Hi all,

At present I control access in and out of our network with access lists on a pair of routers with a dmz in between.

I've recently been trying to find out if there are any reasons why I should use firewalls instead but I can't see anything which would convince me to change.

Does anybody have any thoughts on this or specific reasons why a firewall is better than access lists.

Thanks for your thoughts.
 
Usually firewalls inherently have some sort of IDS/IPS protection. What kind of router are you using right now?
I have a Cisco 2620XM, with Advanced Enterprise version 12.4(9) on it, and it does everything that a PIX firewall can do---it really depends on the image on the router, and how much DRAM and flash memory it has to be able to support things like TCP Intercept, which may constantly proxy answer a server trying to DoS your network, or CBAC, which may work the CPU a lot, trying to dynamically change ACLs.
ACLs will not protect you against access layer attacks, like with JavaScript, etc. They can only protect you at layer 3---a firewall will protect all 7 layers.

Burt
 
Thanks for the info Burt, and the fact that they only work at layer 3 especially.

The routers are a 2821 and a 2801 running 12.3(8) and 12.4(7a) respectively.

Is there any way to monitor the load on the CPU or memory?

 
SDM is the easiest way, and it is free. It is also the only way that I know of...

Burt
 
Show proc and show mem will show you the utilization. A Cisco ASA is a million times better than a router running IOS firewall. The main reason is that the firewall denies everything by default and you have to permit it, and the routers are just the opposite. You have to be on top of your game to lock down a router.
 
I don't think show proc tells you what percentage of the CPU is being utilized---SDM shows you a meter in real time.
Also, with routers, the first permit statement only permits just that---everything else will be denied, so it is only one step behind an ASA, really, as far as acl's go.

Burt
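The two posts above disagree about whether a router ACL is "default deny" the way a firewall is, and Burt's first reply mentions CBAC dynamically changing ACLs. The following toy model is an added example (not code from the thread or from Cisco) that makes the three behaviours concrete: an interface with no access-group applied forwards everything, an applied ACL is first-match with an implicit deny at the end, and return traffic for connections opened from inside is either let in with the blunt `established` keyword or tracked in a session table the way CBAC or a stateful firewall does. The addresses, ports and ACL lines are constructed sample values, and the model ignores wildcard masks.

```python
"""Toy model of Cisco IOS ACL semantics (added example, not from the thread):
ordered first-match evaluation with an implicit 'deny ip any any' at the end,
an interface with no access-group forwarding everything, the 'established'
keyword as the stateless way to let return traffic in, and a minimal stateful
session table of the kind CBAC / a firewall keeps. Addresses and ports below
are constructed sample values; there are no wildcard masks in this model."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) bit set; False means a bare SYN


@dataclass(frozen=True)
class Entry:
    """One access-list line. 'any' matches every address."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # 'eq <port>' on the destination
    established: bool = False    # IOS 'established': only TCP with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: Optional[List[Entry]], p: Packet) -> str:
    """Return 'permit' or 'deny' for one packet against one ACL.
    acl=None models an interface with no access-group applied: the router
    forwards everything. Otherwise the first matching line wins, and a packet
    that matches no line hits the implicit 'deny ip any any'."""
    if acl is None:
        return "permit"
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"


class StatefulFilter:
    """Minimal session table: outbound connections are recorded and only
    their return packets are let back in; everything else goes to the ACL."""

    def __init__(self, inbound_acl: List[Entry]):
        self.inbound_acl = inbound_acl
        self.sessions: set = set()

    def outbound(self, p: Packet) -> str:
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"                  # return traffic of a known session
        return evaluate(self.inbound_acl, p)  # otherwise the normal ACL rules


# Constructed example: one public HTTPS server reachable from outside.
WEB = "203.0.113.10"
OUTSIDE_IN = [Entry("permit", "tcp", "any", WEB, dport=443)]
OUTSIDE_IN_ESTABLISHED = OUTSIDE_IN + [Entry("permit", "tcp", established=True)]


def demo() -> dict:
    """Run the same packets through the three models and collect the verdicts."""
    client, server, attacker = "10.0.0.5", "198.51.100.7", "192.0.2.9"
    new_https = Packet("tcp", attacker, WEB, 51000, 443)
    new_ssh = Packet("tcp", attacker, WEB, 51001, 22)
    outbound = Packet("tcp", client, server, 40000, 80)          # inside host browses out
    reply = Packet("tcp", server, client, 80, 40000, ack=True)   # legitimate return traffic
    forged_ack = Packet("tcp", attacker, client, 80, 3389, ack=True)  # ACK scan of an inside host

    sf = StatefulFilter(OUTSIDE_IN)
    sf.outbound(outbound)
    return {
        "no_acl_forwards_ssh": evaluate(None, new_ssh),
        "acl_permits_https": evaluate(OUTSIDE_IN, new_https),
        "acl_implicit_deny_ssh": evaluate(OUTSIDE_IN, new_ssh),
        "stateless_reply": evaluate(OUTSIDE_IN, reply),
        "established_reply": evaluate(OUTSIDE_IN_ESTABLISHED, reply),
        "established_forged_ack": evaluate(OUTSIDE_IN_ESTABLISHED, forged_ack),
        "stateful_reply": sf.inbound(reply),
        "stateful_forged_ack": sf.inbound(forged_ack),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The point the model makes: once any ACL is applied the router is default-deny for that interface, so Burt is right that it is "one step behind" an ASA; but with a stateless ACL the only way to admit replies to connections opened from inside is `established`, which also admits any packet with the ACK bit set, whereas the session table (CBAC on the router, or a firewall) admits only the reply it saw the request for.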
 
Yes, a show proc shows CPU utilization:

R1#show proc
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy       PC Runtime (ms)    Invoked   uSecs      Stacks TTY Process
   1 Cwe 8044B698            0          1       0   5800/6000   0 Chunk Manager
   2 Csp 80472214          516    7093461       0   2612/3000   0 Load Meter
   3 M*         0           72         49    1469 10388/12000  66 Virtual Exec
   4 Lst 80457740     21773052    4198092    5186   5744/6000   0 Check heaps
   5 Cwe 8045CCA0         4804       3604    1332   5560/6000   0 Pool Manager
   6 Lwe 8037DB48            0          1       0   5796/6000   0 AAA_SERVER_DEADT
   7 Mst 803A20D0            0          2       0   5568/6000   0 Timers
   8 Mwe 8000C0DC            4       1870       2   5580/6000   0 Serial Backgroun
   9 Mwe 8037970C            0          2       0   5572/6000   0 AAA high-capacit
 
sh proc cpu history

gives you a nice little graph too...

Ideally, though, you don't want to be in the situation where you have to manually type that command all the time to see how it's doing.

I'm sure you could set up MRTG or some other SNMP agent to collect the stats for you.
 
Sorry, brian---I never noticed the first line of the output like that. In that case, you could schedule a "sh proc" or "sh proc hist" with kron, with logging to a syslog server, like Kiwi (free).

Burt
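Whichever way the output is collected (SDM, an SNMP poller such as MRTG, or a kron job shipping `show proc` to a syslog server as suggested above), something still has to read it and decide whether the box is in trouble. The script below is an added example, not from the thread: it parses the `CPU utilization` line and the process table of `show proc` output and flags sustained load. `SAMPLE` is constructed in the shape of the output quoted earlier in the thread, with made-up numbers; the threshold values and function names are the example's own choices.

```python
"""Parse Cisco IOS 'show proc' / 'show processes cpu' output and flag high load.
Added example, not code from the thread; SAMPLE is constructed in the shape of
the output quoted above and its numbers are made up."""
import re
from typing import Dict, List, Tuple

# First line of the output: "a%/b%" is total CPU over 5 seconds and the part
# of it spent at interrupt level (packet switching); then 1- and 5-minute averages.
CPU_LINE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)

# Process table columns: PID QTy PC Runtime(ms) Invoked uSecs Stacks TTY Process
PROC_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+/\d+)\s+(\d+)\s+(.+?)\s*$"
)

SAMPLE = """\
R1#show proc
CPU utilization for five seconds: 12%/9%; one minute: 8%; five minutes: 7%
 PID QTy       PC Runtime (ms)    Invoked   uSecs      Stacks TTY Process
   1 Cwe 8044B698            0          1       0   5800/6000   0 Chunk Manager
   2 Csp 80472214          516    7093461       0   2612/3000   0 Load Meter
   3 M*         0           72         49    1469 10388/12000  66 Virtual Exec
   4 Lst 80457740     21773052    4198092    5186   5744/6000   0 Check heaps
   5 Cwe 8045CCA0         4804       3604    1332   5560/6000   0 Pool Manager
   8 Mwe 8000C0DC            4       1870       2   5580/6000   0 Serial Backgroun
"""


def parse_cpu_line(output: str) -> Dict[str, int]:
    """Extract the four percentages from the 'CPU utilization' line."""
    for line in output.splitlines():
        m = CPU_LINE.search(line)
        if m:
            total5, intr5, one_min, five_min = map(int, m.groups())
            return {"5s_total": total5, "5s_interrupt": intr5,
                    "1m": one_min, "5m": five_min}
    raise ValueError("no 'CPU utilization' line in output")


def interrupt_share(stats: Dict[str, int]) -> float:
    """Fraction of the 5-second load spent at interrupt level. Close to 1.0 means
    the router is busy forwarding packets (a flood looks like this), not
    running a process such as CBAC inspection."""
    if stats["5s_total"] == 0:
        return 0.0
    return stats["5s_interrupt"] / stats["5s_total"]


def classify(stats: Dict[str, int], warn: int = 70, crit: int = 90) -> str:
    """Alert on the 5-minute average so a single spike does not page anyone.
    The thresholds are this example's choice, not a Cisco recommendation."""
    if stats["5m"] >= crit:
        return "crit"
    if stats["5m"] >= warn:
        return "warn"
    return "ok"


def top_by_runtime(output: str, n: int = 3) -> List[Tuple[str, int]]:
    """Processes with the most accumulated CPU time (ms) in the process table."""
    rows = []
    for line in output.splitlines():
        m = PROC_ROW.match(line)
        if m:
            rows.append((m.group(9), int(m.group(4))))
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


if __name__ == "__main__":
    stats = parse_cpu_line(SAMPLE)
    print(stats, classify(stats), f"interrupt share {interrupt_share(stats):.2f}")
    for name, ms in top_by_runtime(SAMPLE):
        print(f"{ms:>10} ms  {name}")
```

Feed it whatever the collector writes out (the syslog line from a kron job, or a file captured over SSH) and wire `classify` to the alerting you already have; the interrupt share is what tells a DoS flood apart from a runaway process on an IOS box.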
 