
Access-Lists on Router v/s FW IOS

cpalayoor
Level 1

Hi there,

I am evaluating a cost-effective solution for a firewall to a DMZ with no access to the internal network.

We have a couple of 2600 routers with 16 MB of RAM and flash respectively.

Now I can either use these routers (in an HSRP with load balancing configuration) and purchase the FW-IOS with more memory, or install an OpenBSD box and set it up as a firewall.

Personally I am all for the FW-IOS option.

However, considering the high resource requirements of the IOS firewall and the inherent limitations of the IOS firewall vis-à-vis a regular application firewall, would I be better off simply putting in access-lists and forgetting about investing in the FW-IOS?

In short, is an IOS firewall worth the investment?

Regards

CP

2 Replies

tohuang
Level 1

Hi CP,

Without IOS FW enabled, the access-list rules will deny some traffic and have permit ip any any at the end of the list.

With IOS FW enabled, it will be totally different: you will permit the specific traffic that you want to allow and have deny ip any any at the end of the list.

As you can see, with IOS firewall enabled, you can secure your network before someone attacks your network. Unlike a regular ACL, where you block the traffic after you find out the source that attacked your network.

Therefore, IOS firewall is totally worth the investment.

Thanks

Tony

!?!?!?!

Tony,

the question was about a firewall that secures access from the outside to the DMZ _with_ _no_ _access_ _to_ _the_ _inside_. So, the ACL would be "permit http, deny any" or something like that anyway.

Actually, when protecting a www (or other) server, in addition to regular ACLs the IOS firewall can:

- struggle against SYN flood attacks (very poorly implemented, and enterprise IOS also has this functionality);

- do inline IDS (very limited even in 12.2(15)T);

- restrict SMTP command set;

- allow passive ftp from the outside to the inside (yes, this is useful);

- that's it.

Oleg Tipisov,

REDCENTER,

Moscow
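As an added example that is not from either poster: the default-deny access-list Tony describes, which Oleg notes the DMZ ACL would look like anyway, together with the optional CBAC inspection that the IOS Firewall feature set adds on top of it. The DMZ and inside address ranges, the interface name and the inspect rule name are assumptions (192.0.2.10 is a documentation address, not a real host).

```cisco
! Plain ACL on the outside interface of a 2600 in front of a DMZ web
! server. Only what is needed is permitted; everything else is denied
! and logged, so the inside (assumed 10.0.0.0/8) is never reachable.
ip access-list extended OUTSIDE-IN
 remark --- drop packets claiming a DMZ or inside source address ---
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark --- only HTTP to the DMZ web server is allowed in ---
 permit tcp any host 192.0.2.10 eq www
 remark --- return traffic for sessions the DMZ server opened outbound;
 remark --- needed with a plain ACL, made redundant by CBAC below
 permit tcp any host 192.0.2.10 established
 remark --- nothing from outside reaches the inside network ---
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP (assumed outside interface)
 ip access-group OUTSIDE-IN in
!
! Optional: with the IOS Firewall feature set, CBAC inspects sessions
! leaving through the outside interface and opens matching return
! entries dynamically, so the "established" line above can be removed.
ip inspect name DMZ-FW tcp
ip inspect name DMZ-FW http
ip inspect name DMZ-FW ftp
!
interface Serial0/0
 ip inspect DMZ-FW out
```

The plain ACL already gives the "permit http, deny any" posture the thread asks for; CBAC adds state tracking for outbound-initiated sessions, which is the part Oleg's list (passive FTP, SMTP command checks) refers to.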
