Firewall Wizards mailing list archives

Re: How secure are (cisco) ACL's?


From: "Dave O'Shea" <daveoshea () email msn com>
Date: Thu, 1 Oct 1998 19:47:25 -0500


-----Original Message-----
From: Chris Hughes <chughes () rpm com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Thursday, October 01, 1998 6:16 AM
Subject: How secure are (cisco) ACL's?


In a discussion I had with a co-worker, I expressed my opinion that
Firewall1 bounded by two routers (choke/gate/choke) was probably a better
solution than a PIX front-ended by a single router (choke/gate).


I'd probably agree. Front, side, and head airbags PLUS seatbelts is my
taste. :-) But having to live within my means, I'll forego the least amount
of protection that saves the most amount of money.


His response was that ACL's on the front-ended PIX would be sufficient
security.  In fact, he stated, a single router with comprehensive ACL's
would be sufficient for low-bandwidth internet connections.

A lot of people have done just that. It's not at all airtight, and the
stateless nature means that a lot of "interesting" traffic could easily get
by - even if you expect it. If you've got a smaller pool of computers with
limited and known vulnerabilities, it's possibly acceptable.


On the surface, it does seem that NAT in conjunction with comprehensive
ACL's is secure.  However, I have read about stateful inspection (not well
implemented on cisco) and know that this can be a problem when depending on
ACL's to do the job.

One other concern is possible (and not yet discovered) security weaknesses
in various routers. If it's possible to crash a certain router, it might be
possible to take advantage of a vulnerable state while it is still coming
up. I like designs in which cascaded failures turn off communication, not
open it up.

In fact, you've got me thinking a little, now. Suppose NAT were used to
create an address space that exists only inside the firewall area? And
cannot exist outside it? Like an RFC1918 address pool that's banned inside
the firewall (and outside, unless the ISP is asleep at the switch).


With my limited knowledge I was not able to argue my point.  Can someone
explain and/or point me to material I can digest and come back swinging in
my next encounter like this?  Also, I need to read up on choke/gate/choke
and other security architectures.  Any guiding shove in the right direction
will be deeply appreciated.


The software vendors will tell you one thing, the hardware vendors another.
A solution that involves a mix, and is not fully predictable by either an
insider or an outsider, is a good thing. Think of airport security: Some
days, they inspect every laptop like it's got plutonium dust on it. Next day
they do something different. The idea is to introduce an element of
unpredictability, make people think about security, and give the guy who's
teetering on the edge of doing something dumb a really bad case of
indigestion.



Commentary is welcome...
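The thread's central point, that a stateless ACL judges each packet by its own header bits while stateful inspection judges it against the connection history, is easy to see in a small simulation. The following is an added illustration written for this archive page, not code from either poster or from any vendor: it models an outside-interface ACL in the spirit of an IOS list (anti-spoofing deny for RFC1918 sources, `permit tcp any any established`, one permitted inbound service, implicit deny) beside a minimal connection-tracking filter, and feeds both the same constructed packets. The addresses, ports, and the choice of SMTP as the single exposed service are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Private ranges that must never be a source address on the outside interface
# (the RFC1918 anti-spoofing point raised in the reply above).
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

PUBLIC_SMTP_PORT = 25  # the one inbound service deliberately exposed (assumption)


@dataclass(frozen=True)
class Packet:
    iface: str        # "inside" or "outside": interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def stateless_acl(pkt: Packet) -> str:
    """Outside-interface inbound ACL, modelled on an IOS list of the shape
         deny   ip 10.0.0.0 0.255.255.255 any   (and the other RFC1918 blocks)
         permit tcp any any established
         permit tcp any any eq 25
         deny   ip any any
    It sees only the flags of the packet in hand, never the connection history."""
    if pkt.iface != "outside":
        return "permit"                       # no list applied on the inside interface
    if is_private(pkt.src):
        return "deny"
    if pkt.ack or pkt.rst:                    # 'established' matches ACK or RST, nothing more
        return "permit"
    if pkt.dport == PUBLIC_SMTP_PORT:
        return "permit"
    return "deny"


class StatefulFilter:
    """Minimal stateful inspection: remember connections opened from inside and
    admit outside packets only if they belong to one (or open the SMTP service)."""

    def __init__(self) -> None:
        # (inside addr, inside port, outside addr, outside port)
        self.sessions: set[tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> str:
        if pkt.iface == "inside":
            if pkt.syn and not pkt.ack:       # new outbound connection: record it
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if is_private(pkt.src):
            return "deny"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reversed view of the outbound SYN
        if key in self.sessions:
            return "permit"
        if pkt.syn and not pkt.ack and pkt.dport == PUBLIC_SMTP_PORT:
            self.sessions.add(key)            # inbound SMTP session, so later segments match
            return "permit"
        return "deny"                         # no session, no exposed service: drop


def run_scenarios() -> dict[str, tuple[str, str]]:
    """Constructed packets using documentation address ranges.
    Returns {scenario: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    inside, peer, stranger = "203.0.113.10", "198.51.100.5", "198.51.100.77"
    scenarios = {
        "outbound SYN":     Packet("inside",  inside, 40000, peer, 80, syn=True),
        "reply SYN/ACK":    Packet("outside", peer, 80, inside, 40000, syn=True, ack=True),
        "unsolicited ACK":  Packet("outside", stranger, 1234, inside, 139, ack=True),
        "inbound SMTP SYN": Packet("outside", stranger, 2345, inside, 25, syn=True),
        "RFC1918 spoof":    Packet("outside", "10.1.2.3", 5555, inside, 22, ack=True),
    }
    # dict order is insertion order, so the outbound SYN is seen before its reply
    return {name: (stateless_acl(p), fw.process(p)) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, (acl, stateful) in run_scenarios().items():
        print(f"{name:18s} stateless={acl:6s} stateful={stateful}")
```

The "unsolicited ACK" case is the one the reply refers to as "interesting" traffic: a segment with the ACK bit set and no prior connection sails through the `established` rule, because that keyword only tests header flags, while the stateful filter drops it for lack of a matching session. Both designs agree on the legitimate reply, the exposed service and the RFC1918 spoof, which is why a single router looks adequate on the surface and only differs once the traffic stops being well-behaved.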