On Tue, Aug 17, 2004 at 09:32:28PM +0200, sthaug@nethelp.no wrote:
Hosts tend to be a faster writeoff cycle than routers in companies I've worked at, therefore getting the benefit of moores law about 25% faster than the routers. Turn on firewalling in the host.
If you have a choice between access lists on a software forwarding based router and firewall on a host, this may be a good choice. If your routers have hardware forwarding, I'd go for the router every time...
Seems like the most sensible option is "defense in depth", tailored to your specific mix of equipment and clue. Throw away what you can at the edge (e.g., uRPF), spread the load (e.g., anycast), and firewall, as appropriate. Many routers with "hardware forwarding" have potentially significant limits when it comes to ACLs. Even the more capable devices don't necessarily give you the ability to look arbitrarily deep inside incoming packets, at least not without expensive additional cards. A firewall can usually perform that level of inspection, which means it will catch "bad" packets that the router didn't. None of these steps alone is perfect, but the combination can be fairly effective. One size does not have to fit all. --Jeff