Educause Security Discussion mailing list archives
Re: Network Access Control Changes - Firewall and ACL policy changes
From: Paul Keser <pkeser () STANFORD EDU>
Date: Tue, 5 Jun 2007 08:34:23 -0700
Gary- We have a large installed base of Juniper/Netscreen firewalls including several ISG2000's. We have some huge policies. I believe our NS5400 had 8-9000 rules at one point. We make changes during production with no ill effects using either the browser interface or cli...well usually no ill effects...there is the occasional fat finger error ;-) We are currently deploying 9 HA pairs of 5200's to firewall our departments. Each department goes in their own vsys (virtual firewall). We are moving 3-5 departments per week behind firewalls so needless to say there are a lot of rule changes... -PaulK Paul Keser Assoc. Information Security Officer Stanford University 650.724.9051 GPG Fingerprint: DBA3 E20F CE91 28AA DA1C 4A77 3BD9 C82D 2699 24FB Gary Flynn wrote:
Hi, We extensively use Cisco ACLs for our network access controls. Our current method of handling ACLs, that has worked for over a decade, is centered around two text files containing the security configuration for all our internet and core routers. After editing, a perl script breaks out the ACL configurations for individual routers and vlans and stores them on a tftp server. When an access change is needed, we edit the file, generate the ACL configuration files, and reload the appropriate router with just the ACL. The new Cisco router architectures have hardware assist for ACL processing. With the new hardware, reloading one of our ACLs now results in 20-60 second network outages. For example, we've got a 7206 on one Internet connection and a new 7604 on the other. Near identical ACL for both. On the old router it takes seconds to load with no visible outage. On the new router, it takes 90 seconds with network traffic cut off for 60 of them. TAC tells me the behavior is because it takes longer to load the ACL into the hardware than it does to initiate it in software. While the new architecture may process the ACL faster and eliminate the problem of unwanted traffic during the ACL load, it has really messed up our business process. We are accustomed to and expect to be able to make multiple changes in real time without adverse effects. Generally, we make several a day for things like new service deployments, troubleshooting, exceptions to our Internet default deny policy, quarantining infected computers, and reacting to outside malicious activity. While hand editing the live config is an option in an emergency, I don't believe it practical long term due to the complexity of an ACL with hundreds ( nearly thousands ) of entries and the risk associated with changing the live configuration on a frequent basis. Our Juniper ISG IPS has firewall capabilities and we're looking at the Cisco FWSM for the core routers but I was hoping someone with that type of hardware already installed would comment on their experiences with real-time changes to large policies and ACLs during production. Thanks for any assistance and information.
Current thread:
- Re: Network Access Control Changes - Firewall and ACL policy changes Luke Sheppard (Jun 04)
- <Possible follow-ups>
- Re: Network Access Control Changes - Firewall and ACL policy changes David LaPorte (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Mike Iglesias (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Paul Keser (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Michael Hornung (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Greg T. Grimes (Jun 06)