Router ACLs filter based on port, IP address, or MAC address - correct?
MAC address is useless once you pass the first router - right?
IP address can be spoofed "easily"
How tightly controlled is physical access to your partners' machines? Do you
trust ALL employees at your partners' sites equally? How about the vendor they
have on-site doing unsupervised repair on network-connected systems?
How much do you stand to lose if the "wrong person" gains access to your site?
Is your internal protection strong enough that you want to let unspecified
individuals have access to your entire network?
______________________________ Reply Separator _________________________________
Subject: ACL vulnerability
Author: "Benvenuto; Vincent A." <vbenvenu%faxint .
Date: 3/3/97 1:33 PM
We are in the middle of a great debate as to the proper way to firewall 15
remote sites. We need to essentially open dedicated lines to our partners
to allow incoming/outgoing FTP, X.400, and SMTP. One camp says ACLs in
routers will be sufficient, another says stick with Firewall-1 and
proliferate it like hell. The cost difference network wide between the two
approaches is huge.
Where can I find an (authoritative) threat analysis that describes the
vulnerability of router based static ACLs (non-stateful inspection)? Also,
what methods (toolsets) are available to launch attacks through a router
configured with ACLs? any advice suggestions, etc appreciated.
Thanks in advance.