
Why ACLs instead of CONDUITS?

david.kane
Level 1

Hi All,

I am a fan of conduits, and until we got a FWSM in our environment I was not forced to consider deploying PIX ACLs. Now I have come to grips with PIX ACLs, and don't have a problem with their functionality. I just have a question regarding their benefits, and what warrants the Cisco position of ACLs not conduits.

As I see it, ACLs only have the benefits of some cosmetic similarity to router ACLs, and the fact that rules related to an interface are grouped together somewhat increases readability. But they seem to come at a cost of significantly increased complexity when used on a DMZ that requires both inbound and outbound permissions.

Any comments (flames or otherwise) will be very useful.

Thanks,

David
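To make the comparison in David's question concrete, the following PIX 6.x-style configuration fragment is an added illustration, not part of David's post or of any Cisco documentation. It shows the same DMZ policy written both ways: one web server in the DMZ must be reachable from the outside on tcp/80, and it must reach a database server on the inside on tcp/1433. All addresses, interface names, hostnames and ACL names (203.0.113.10, 192.168.1.0/24, 10.0.0.50, outside_in, dmz_in) are constructed for the example.

```text
! ---- Interfaces (constructed; security levels decide the default flow direction)
nameif ethernet0 outside security0
nameif ethernet1 inside  security100
nameif ethernet2 dmz     security50

! ==== Style 1: static + conduit ==========================================
! Expose the DMZ web server (192.168.1.10) on the outside as 203.0.113.10
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Conduits are written against the translated (global) address and are
! not tied to an interface; this one admits anyone to tcp/80.
conduit permit tcp host 203.0.113.10 eq www any

! DMZ -> inside is lower -> higher security, so it also needs a static
! (inside DB server 10.0.0.50 is presented to the DMZ as 192.168.1.50)
static (inside,dmz) 192.168.1.50 10.0.0.50 netmask 255.255.255.255
conduit permit tcp host 192.168.1.50 eq 1433 host 192.168.1.10
! DMZ -> outside (higher -> lower) is allowed implicitly; nothing to write.

! ==== Style 2: static + access-list / access-group ========================
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Inbound policy lives on the outside interface (global address, as in 6.x)
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

static (inside,dmz) 192.168.1.50 10.0.0.50 netmask 255.255.255.255
! Binding an ACL to the dmz interface REPLACES the implicit higher->lower
! permit: every flow the DMZ host legitimately needs must now be listed,
! including its outbound traffic to the Internet (implicit deny at the end).
access-list dmz_in permit tcp host 192.168.1.10 host 192.168.1.50 eq 1433
access-list dmz_in permit udp host 192.168.1.10 any eq domain
access-list dmz_in permit tcp host 192.168.1.10 any eq www
access-group dmz_in in interface dmz
```

The extra lines in style 2 are where the "increased complexity" David describes comes from: once an access-group is applied to the DMZ interface, the DMZ host's outbound traffic is no longer permitted by default and has to be enumerated. The flip side is that the resulting per-interface rule set states the complete policy for that segment, with no reliance on an implicit permit, which is what a reviewer or an audit typically wants to see.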

1 Reply

l.mourits
Level 5

David,

(yep, it's me again :-))

I don't know for sure, but I believe that in fact it was mostly driven by getting more and more into one IOS (as also done on the Catalyst switch series) with one same CLI and indeed cosmetic similarity.

I also think that they did it because of the established command use, especially useful for complex situations (with more interfaces, DMZs, et cetera). A misconfigured established command did create a larger security risk, since a lot of people did not understand it well, and confused it with the established ACL feature in Cisco IOS.

But I'm also curious why they did it, so it would be nice if anyone from Cisco could tell us more :-))

Kind Regards,

Leo