Re: [FW1] NT Server & Workstation Service.
On Tue, 1 Jun 1999, Peter Schwalger wrote:
> Our attitude here is that the router is our first line of defense so why not
> use access-lists to drop packets that you know you don't want to allow before
> it even gets to the firewall.
Defense in depth is *always* a good policy.
At least in older versions of Cisco IOS, *outbound* access lists were fast
switched and inbound ones were process switched. That means that other than
for rules that *must* be inbound (perhaps anti-spoofing ones), it's better to
apply an outbound access list on the internal interface than an inbound access
list on the external interface. Your routers will perform better if they can
fast switch rather than process switch the packets.
Of course, IOS has changed a lot over time, so the above may not be as
accurate as it once was. I know that frags stopped being process switched
around IOS 11.1 on 75xx's, but I can't find a reference to process
switching and access lists on CCO at the moment.
Ultimately it's probably worth testing and/or checking with the router vendor
for any screening router you're using to see if there are ways to decrease the
overhead of packet screening.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
PSB#9280
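As an added illustration (not from Paul's message or the list), here is what the placement he describes looks like in classic IOS numbered-ACL syntax: only the anti-spoofing rules go inbound on the external interface, and the bulk of the screening goes outbound on the interface toward the firewall. Interface names, the public range 192.0.2.0/24 and the published hosts are constructed assumptions.

```cisco
! Constructed example: Serial0, Ethernet0 and the 192.0.2.0/24 range are assumptions.
!
! ACL 101, applied INBOUND on the external interface: only the rules that
! must see the packet before routing, i.e. anti-spoofing. Drop packets that
! arrive from the outside claiming a source inside our own range, in
! private address space, or in the loopback range.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
!
! ACL 102, applied OUTBOUND on the internal interface: the real screening.
! Traffic that entered from the outside and is being forwarded toward the
! firewall is matched here, where (on the IOS versions the message refers
! to) the outbound list can be fast switched. Permit only the published
! services and log everything else that is dropped.
access-list 102 permit tcp any host 192.0.2.10 eq smtp
access-list 102 permit tcp any host 192.0.2.11 eq www
access-list 102 deny   ip any any log
!
interface Serial0
 description External link
 ip access-group 101 in
!
interface Ethernet0
 description Toward the firewall
 ip access-group 102 out
```

One caveat when tuning for switching path: the `log` keyword itself sends matching packets to the process level, so keep it on the deny entries you actually want to see rather than on high-volume permits. As the message says, confirm the behaviour for your IOS version rather than assuming the older fast/process split still applies.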