[unisog] Are cisco router VLAN ACL's stateful like a PIX?

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Tue Feb 1 16:59:30 GMT 2005


I suggest using a two-tiered approach.  Use simple ACLs on the routers
for what they are good at: short, broad swipes at control, i.e. no ICMP,
access to only certain subnets, etc., with short ACLs.  Then do more
in-depth control on a firewall.

My .02$ worth...

++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Clark Gaylord
Sent: Tuesday, February 01, 2005 7:14 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Are cisco router VLAN ACL's stateful like a PIX?

Julian Y. Koh wrote:
> At 18:25 -0500 01/31/2005, Ryan Dorman wrote:
>> ACL's are packet filters, they are not stateful and do not work with
>> any sort of session tracking IIRC.
> 
> Note that you can use the incredibly cheesy "established" keyword in
> an ACL rule to get you a little bit closer to firewall functionality,
> but that's definitely not stateful.

Further note: turn on deeper inspection at your own risk!  [if you like
seeing your CPU jump 20-50%, you can have all kinds of fun with SYN, EST,
log, et al. ... if you've got the headroom these can be useful, but be
careful.  But you know, you really can't tell what's going on without a
good "debug ip packet detail" anyway. :-)]

--ckg

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
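As an added illustration of the point Julian and Clark make above (example code written for this page, not from any poster, Cisco or the list): a toy Python model of an inbound `permit tcp any any established` rule next to a minimal connection table, showing which inbound segments each one lets through. Addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

INSIDE, OUTSIDE = "10.1.1.5", "203.0.113.9"  # constructed sample addresses

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}

def established_acl_permits(pkt: Packet) -> bool:
    """IOS 'established' matches any TCP segment whose ACK or RST bit is set.
    The decision is made per packet; no earlier traffic is consulted."""
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Minimal connection table: an inbound segment passes only if it is the
    reverse direction of a flow an inside host opened with a bare SYN."""

    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.flags == {"SYN"}:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare_filters() -> dict:
    """Return {scenario: (established_acl_verdict, stateful_verdict)}."""
    sf = StatefulFilter()
    sf.outbound(Packet(INSIDE, 40000, OUTSIDE, 80, frozenset({"SYN"})))
    cases = {
        # reply to the connection the inside host opened: both permit
        "reply_to_our_syn": Packet(OUTSIDE, 80, INSIDE, 40000, frozenset({"SYN", "ACK"})),
        # unsolicited segment with ACK set: 'established' cannot tell it from a reply
        "unsolicited_ack": Packet(OUTSIDE, 1234, INSIDE, 22, frozenset({"ACK"})),
        # unsolicited SYN: both deny; this is the only case 'established' handles
        "unsolicited_syn": Packet(OUTSIDE, 1234, INSIDE, 22, frozenset({"SYN"})),
    }
    return {name: (established_acl_permits(p), sf.inbound_permits(p))
            for name, p in cases.items()}

if __name__ == "__main__":
    for name, (acl, stateful) in compare_filters().items():
        print(f"{name:17} established={acl!s:5} stateful={stateful}")
```

The middle case is the gap the thread is pointing at: the ACL's verdict depends only on the flag bits in the packet in front of it, so an unsolicited segment with ACK set reaches the inside host and only that host's own TCP stack gets to reject it.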