Great Circle Associates Firewalls
(January 1995)
 


Subject: Dynamically Re-arranged Access Lists?
From: steveg @ cseic . saic . com (Stephen Harold Goldstein)
Date: Thu, 26 Jan 95 16:28:09 EST
To: firewalls @ greatcircle . com

I just got back from ComNet '95 in D.C., and heard some rather
disturbing "info" from a firewall vendor who shall remain nameless.
He claimed that some manufacturer's routers (wouldn't specify) will
re-arrange the order in which ACL entries are processed for efficiency
reasons, possibly leading to unintended results such as packets getting
through that should have been blocked.

Does anyone know if this is true with any currently available 
routers, or if it was true as a feature or bug of out-dated models/firmware?

I suspect he may have been blowing smoke as he was espousing an
approach utilizing application gateways/proxies, but it sounded plausible.

Stephen Goldstein     steveg @ cseic . saic . com
       Disclaimer:    That's not what I said.
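
Added example, not part of the original message: a first-match ACL model showing why entry order matters, and which pairs of entries any reordering would have to keep in sequence (overlapping matches with different actions). The rule fields, sample addresses and function names are assumptions made for illustration and model no particular vendor's router.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    src: str       # source network in CIDR form
    ports: range   # destination TCP ports matched

    def matches(self, src_ip, port):
        return ip_address(src_ip) in ip_network(self.src) and port in self.ports

def evaluate(acl, src_ip, port):
    """First matching entry wins; no match falls through to an implicit deny."""
    for rule in acl:
        if rule.matches(src_ip, port):
            return rule.action
    return "deny"

def overlaps(a, b):
    """True if at least one packet can match both entries."""
    shared = range(max(a.ports.start, b.ports.start),
                   min(a.ports.stop, b.ports.stop))
    return ip_network(a.src).overlaps(ip_network(b.src)) and len(shared) > 0

def order_dependent_pairs(acl):
    """Index pairs whose relative order must be preserved by any reordering."""
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(acl), 2)
            if a.action != b.action and overlaps(a, b)]

def reordered(acl, i, j):
    """Copy of the ACL with entries i and j swapped."""
    out = list(acl)
    out[i], out[j] = out[j], out[i]
    return out

# Constructed sample ACL (documentation address ranges, not from the post).
ACL = [
    Rule("deny",   "192.0.2.0/25",    range(23, 24)),   # block telnet from half the subnet
    Rule("permit", "192.0.2.0/24",    range(0, 1024)),  # allow low ports from the whole subnet
    Rule("permit", "198.51.100.0/24", range(25, 26)),   # unrelated SMTP permit
]

if __name__ == "__main__":
    print("order-dependent pairs:", order_dependent_pairs(ACL))
    print("as written :", evaluate(ACL, "192.0.2.10", 23))
    print("0,1 swapped:", evaluate(reordered(ACL, 0, 1), "192.0.2.10", 23))
```

Running the same check over a real configuration shows which entries are safe to move; comparing `evaluate` results for probe packets before and after a firmware change is one way to test whether a device honours the configured order.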

