[nsp] PIX ASA v. ACL

Scott Morris swm at emanon.com
Wed May 21 15:14:35 EDT 2003


There's a whole slew of ways to hit that question, but the primary thing
comes in the concept of stateful analysis.  With that, permissions can
be set up for the basic beginning of a conversation, and then specific
entries for return traffic would be created (state).  

Without the knowledge of state, an access list would need to be created
on each end, and your big problem is that you typically don't know the
source port of traffic.

Take DNS as an example (good because it's UDP, so no 'established'
concept).  To permit out, you allow anything going to a destination port
of 53.  Coming back, your ACL would permit anything from port 53
(assuming your BIND version uses this) going to any destination port
greater than 1023.  Always.  Forever.  And many hacks/attempts for
things coming into your network now have a wide open path as long as
they source from port 53.

That's just one example.  The PIX would watch state on the udp
connection.  In addition, it knows more about DNS in that after the
first reply is received, the state is closed.  This prevents DNS
hijacking or receiving false information in any regular routine.

Firewalls are your friend.  :)  Access-lists are cool too, but require
much more administration (think through how FTP works and you'll see
more evil), and open a LOT of things up for attack possibilities.  It's
not as much a religious argument from ACL to FW (well, it is, but it
doesn't have to be), but it's an argument that there are a LOT of smart
people out there with too much time on their hands, and anything I can
do to minimize exposure of anything on my network is a good thing.

 
Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/C&S) #4713,
CCNA-WAN Switching, Security Specialist, Cable Communications
Specialist, IP Telephony Support Specialist, IP Telephony Design
Specialist, CISSP
CCSI #21903
swm at emanon.com
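To make the DNS point concrete, here is an added simulation (not code from the post or from Cisco) that models the two static ACL lines described above beside a minimal stateful filter that opens state on an outbound query and closes it on the first reply. The IP addresses and ports are constructed sample values, and the state model is a deliberate simplification of what the PIX does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the packet arrives from the outside


def stateless_acl(pkt: Packet) -> bool:
    """The two static ACL lines from the post: out to port 53, back from 53 to >1023."""
    if not pkt.inbound:
        return pkt.dst_port == 53                     # permit udp any any eq 53
    return pkt.src_port == 53 and pkt.dst_port > 1023  # permit udp any eq 53 any gt 1023


class StatefulDnsFilter:
    """Simplified model: state is created by the query and torn down by the first reply."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str]] = set()  # (client ip, client port, server ip)

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dst_port != 53:
                return False
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if pkt.src_port == 53 and key in self.state:
            self.state.discard(key)  # one answer per query; later "replies" are dropped
            return True
        return False  # nothing asked for this, so a source port of 53 buys nothing


def run_scenario() -> dict[str, list[bool]]:
    """Constructed traffic: a query, its reply, an unsolicited packet from 53, a second reply."""
    query = Packet("10.0.0.5", 1400, "192.0.2.53", 53, inbound=False)
    reply = Packet("192.0.2.53", 53, "10.0.0.5", 1400, inbound=True)
    unsolicited = Packet("198.51.100.7", 53, "10.0.0.9", 2049, inbound=True)
    traffic = [query, reply, unsolicited, reply]
    fw = StatefulDnsFilter()
    return {
        "stateless": [stateless_acl(p) for p in traffic],
        "stateful": [fw.check(p) for p in traffic],
    }
```

The stateless list passes the unsolicited packet and the duplicate reply; the stateful filter passes only the query and the one reply it was expecting.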


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Voralt
Sent: Wednesday, May 21, 2003 12:01 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] PIX ASA v. ACL


A little off topic, but does anybody know of a site that
compares/contrasts the PIX's ASA (or just the PIX in general) v. regular
access-lists?  I am trying to convince someone to use a PIX rather than
ACL's, but I am trying to come up with a list of technical reasons why
the PIX is more secure. Just saying that it's more secure isn't
convincing them.

Peder

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
