WAN interface protection best practices.

Apr 19th, 2009

I want to protect the WAN interface, but I am not sure which technology I should use: ACL or IOS Firewall?

I use WAN interface for:

1. NAT outside

2. IPSEC VTI to branches.

3. EasyVPN for home users.

What is the practical difference between ACL and IOS Firewall?

Joseph W. Doherty Sun, 04/19/2009 - 03:08

"What is the practical difference between ACL and IOS Firewall?"

An IOS firewall is richer in features. For example, one major difference: most "ordinary" ACLs are stateless, while firewall rules can often be stateful. However, reflexive ACLs are stateful too, but they might not cover as many stateful situations as firewall rules.

More information on IOS firewalls can be found here: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Configuration guide for reflexive ACLs: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html
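To make the stateless-versus-stateful distinction concrete, here is an added illustration (not from either poster and not a Cisco-supplied configuration) of a reflexive ACL pair on the WAN interface of the kind of router described in the question. The interface name `Serial0/0` and the ACL names are assumptions. Outbound traffic creates temporary reflexive entries; the inbound ACL statically admits only the IPsec control and data traffic that the VTI and EasyVPN peers need to reach the router itself, then `evaluate`s the reflected entries, and drops everything else with logging:

```cisco
! Outbound: every session leaving the WAN interface is "reflected" into a
! temporary ACL that expires after the idle timeout (seconds).
ip access-list extended WAN-OUT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any reflect ICMP-SESSIONS timeout 30

! Inbound: static holes only for what terminates on the router (IPsec),
! then the dynamic, session-derived entries, then an explicit logged deny.
ip access-list extended WAN-IN
 remark IKE (UDP/500) and NAT-T (UDP/4500) for IPsec VTI and EasyVPN peers
 permit udp any eq isakmp any eq isakmp
 permit udp any any eq non500-isakmp
 remark ESP payload of the established tunnels
 permit esp any any
 remark return traffic matching sessions that were initiated from inside
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 deny ip any any log

interface Serial0/0
 ip access-group WAN-OUT out
 ip access-group WAN-IN in
```

Two points worth checking on a box like the one described: because NAT inside-to-outside translation happens before the outbound ACL, the reflected entries carry the translated (outside) addresses, which is what the returning packets will have when the inbound ACL is checked, so the two work together. What a reflexive ACL cannot do is follow protocols that open secondary connections (for example active FTP's data channel) or inspect payload; those are the "stateful situations" a full IOS firewall covers and a reflexive ACL does not.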

SludnevTN_2 Sun, 04/19/2009 - 06:07

And as I understand it, there are two different IOS firewalls:

CBAC and Zone based firewall? Correct? So what is the difference?

Joseph W. Doherty Sun, 04/19/2009 - 07:48

Zone based is the newer one. If I recall correctly, it allows security to be defined relative to "zones" to which an interface or interfaces are attached. CBAC, I think, is defined per interface. There are some feature differences too; CBAC having, I believe, some that zone based doesn't yet have (although they are on the road map).
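As an added illustration of the zone model described above (again not from either poster and not a Cisco-supplied configuration), the following shows the minimum zone-based firewall that lets inside hosts initiate sessions to the WAN and allows nothing unsolicited back in. The interface names `FastEthernet0/0`, `Serial0/0` and `Tunnel0`, and the zone, class-map and policy-map names, are assumptions:

```cisco
! Zones are named containers; interfaces join them, and policy is written
! between zones rather than per interface as with CBAC.
zone security INSIDE
zone security OUTSIDE

! Which traffic to track statefully from INSIDE to OUTSIDE.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp

! "inspect" creates the return-path state; anything unmatched is dropped.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log

! The policy is attached to a directional zone pair. No pair exists for
! OUTSIDE -> INSIDE, so unsolicited inbound traffic is dropped by default.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

interface FastEthernet0/0
 zone-member security INSIDE

interface Serial0/0
 zone-member security OUTSIDE

! IPsec VTI tunnels carry branch traffic into the router as a separate
! interface; it must be a zone member too, or traffic between it and the
! zoned interfaces is dropped. Placing it in INSIDE treats branches as
! trusted; a dedicated zone with its own pair would be the stricter option.
interface Tunnel0
 zone-member security INSIDE
```

Two behaviours that matter for the setup in the question: traffic addressed to the router itself (IKE, ESP and EasyVPN negotiation arriving on the WAN address) belongs to the built-in `self` zone, which is permitted by default until a zone-pair involving `self` is configured, so the tunnels keep working under this policy; and any interface left out of every zone, such as a forgotten tunnel or virtual-access interface, silently loses reachability to zoned interfaces, which is the first thing to check when a branch or a home user stops passing traffic after the firewall is enabled.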
