Access-List replacing Stateful Inspection Firewall

routingbyrumor Member Posts: 93
I am configuring a Nortel SR1004, which has a very similar CLI to Cisco, and I am wondering if an access-list would be a good solution over the built-in firewall. I cannot find a sample config to go with for configuring the Nortel firewall feature, so I was thinking as a shortcut I could just create an ACL that denies all inbound traffic and permits selected ports such as iChat and pcAnywhere. I need to get this done because my boss refuses to pay bandwidth.com, our ISP, another 150 for a firewall config, and I am going crazy trying to figure out the firewall features. Is this a good idea?

Thanks.

Comments

  • Ahriakin Member Posts: 1,799
    As long as the implementation isn't off, the stateful firewall should provide you with much better and more versatile protection than a static access list. Why not use both in conjunction with each other? It depends on whether you meant you can't configure the firewall, period, or whether you just can't get into the low-level detail but do have it operating. If nothing else, then yup, an ACL is your best bet, but work on getting the stateful firewall operational.
    Also, you might want to remind your boss that if he adds up the salary hours you will spend on this alone (not minding any possible loss due to not being adequately protected, or lost productivity due to the inflexibility of ACLs), that $150 might well be worth it... and you'd have a config to learn from, so you won't have to dole out for help in the future.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • routingbyrumor Member Posts: 93
    Thanks for the reply, I'll let him know and look into getting a config for the firewall.
  • dissolved Inactive Imported Users Posts: 228
    I am configuring a Nortel SR1004, which has a very similar CLI to Cisco, and I am wondering if an access-list would be a good solution over the built-in firewall. I cannot find a sample config to go with for configuring the Nortel firewall feature, so I was thinking as a shortcut I could just create an ACL that denies all inbound traffic and permits selected ports such as iChat and pcAnywhere. I need to get this done because my boss refuses to pay bandwidth.com, our ISP, another 150 for a firewall config, and I am going crazy trying to figure out the firewall features. Is this a good idea?

    Thanks.
    You could just deny all traffic and explicitly permit certain services. Keep in mind the ACL will leave you very vulnerable, and you should never rely on ACLs for proper protection. If you're not familiar with the Nortel firewall, I wouldn't waste my time on it in a production environment.
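To make the "ACLs leave you vulnerable" point concrete, here is an added simulation that is not from the thread or from Nortel: a stateless deny-all-inbound ACL (which, in Cisco IOS style, needs a `permit ... established` rule so replies to outbound sessions get back in) is run side by side with a minimal stateful filter on the same constructed packets. The port numbers and addresses are assumed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the ISP side, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

# Services the poster wants reachable from outside (assumed sample ports).
PUBLISHED = {5190, 5631, 5632}

def acl_permits(pkt):
    """Stateless ACL: deny inbound except published ports. Replies to outbound
    sessions also arrive inbound, so a static list must add an 'established'
    style rule, i.e. accept anything carrying ACK, solicited or not."""
    if pkt.direction == "out":
        return True
    if pkt.dport in PUBLISHED:
        return True
    return "ACK" in pkt.flags   # cannot tell a real reply from a stray ACK

class StatefulFirewall:
    """Records outbound SYNs and admits inbound segments only when they match a
    recorded session or target a published port."""
    def __init__(self):
        self.sessions = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def permits(self, pkt):
        if pkt.direction == "out":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in PUBLISHED:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Return (label, acl_decision, stateful_decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(label, acl_permits(p), fw.permits(p)) for label, p in packets]

# Constructed traffic sample; only the last packet separates the two filters.
SAMPLE = [
    ("lan opens web session", Packet("out", "10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"}))),
    ("reply to that session", Packet("in", "203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("inbound to pcAnywhere", Packet("in", "198.51.100.7", 51000, "10.0.0.5", 5631, frozenset({"SYN"}))),
    ("unsolicited inbound ACK", Packet("in", "198.51.100.7", 51001, "10.0.0.5", 3389, frozenset({"ACK"}))),
]

if __name__ == "__main__":
    for label, acl, stateful in compare(SAMPLE):
        print(f"{label:24} ACL={'permit' if acl else 'deny':6} stateful={'permit' if stateful else 'deny'}")
```

The last row is the gap a stateful engine closes: the ACL must let the unsolicited ACK through to keep outbound sessions working, while the stateful filter drops it because no LAN host ever opened that session.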