Sunday, January 12, 2014

ACL vs Firewall

While an access control list and a firewall have some similar aspects, they are significantly different.

An access control list can be used for many different purposes (such as filtering traffic on an interface, filtering routing updates in a distribute list, identifying interesting traffic in a dialer list, making a routing decision in Policy Based Routing, and other purposes). I believe that your question relates to the function of filtering traffic on an interface. An access control list is an implementation of a type of logic that can selectively permit or deny certain packets to go through an interface. A firewall is a device which examines traffic passing through a part of the network and makes decisions about what to let through and what to block.

Those are the similarities. Now let's talk about the differences. I would say that the first difference is that the firewall has one purpose and one use (to examine traffic and selectively pass or block that traffic) while an access list potentially has many uses.

Another important difference is that an access list does stateless inspection. By stateless inspection I mean that the access list looks at a packet and has no idea of what has come before. If an access list examines a TCP packet with the ACK bit set, it can only assume that this is an acknowledgement packet; it has no way of knowing whether there is really a conversation to which this packet belongs. A firewall usually does stateful inspection. By stateful inspection I mean that the firewall not only sees the TCP packet with the ACK bit set, but the firewall can also know whether there was a proper beginning of this TCP conversation.
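To make the stateless/stateful distinction concrete, here is an added toy model (not code from the original post, and a deliberate simplification of how a real firewall tracks state): an ACL-style check that looks only at the ACK bit, beside a firewall that accepts an inbound packet as a reply only if it saw the outbound SYN that opened the session. All addresses, ports and packets are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed TCP packet summary: addresses, ports and the SYN/ACK flag bits."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_acl(pkt):
    """Models an inbound ACL entry like 'permit tcp any any established':
    the ACK bit is all it examines, and nothing is remembered between packets."""
    return "permit" if pkt.ack else "deny"


class StatefulFirewall:
    """Simplified stateful inspection: an inbound packet is accepted as a reply
    only if the outbound SYN that began the conversation was seen earlier."""

    def __init__(self):
        self.sessions = set()  # (client, cport, server, sport) tuples opened by a SYN

    def outbound(self, pkt):
        if pkt.syn and not pkt.ack:  # proper beginning of a TCP conversation
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.ack and reply_of in self.sessions:
            return "permit"
        return "deny"  # ACK bit set, but no known conversation behind it


def evaluate(outbound_seen, inbound_pkt):
    """Returns (ACL verdict, firewall verdict) for one inbound packet, given the
    outbound packets the firewall observed beforehand."""
    fw = StatefulFirewall()
    for p in outbound_seen:
        fw.outbound(p)
    return stateless_acl(inbound_pkt), fw.inbound(inbound_pkt)


# Case 1: inside host 10.0.0.5 opens a session to 203.0.113.9:443 and the reply returns.
SYN = Packet("10.0.0.5", 40000, "203.0.113.9", 443, syn=True)
REPLY = Packet("203.0.113.9", 443, "10.0.0.5", 40000, syn=True, ack=True)
# Case 2: an ACK-flagged packet arrives from outside with no conversation behind it.
UNSOLICITED = Packet("198.51.100.7", 50000, "10.0.0.5", 22, ack=True)

if __name__ == "__main__":
    print("reply to our SYN:", evaluate([SYN], REPLY))        # ('permit', 'permit')
    print("ACK with no session:", evaluate([], UNSOLICITED))  # ('permit', 'deny')
```

The second case is the point of the paragraph above: the ACL permits the packet purely because the ACK bit is set, while the stateful firewall denies it because no matching session was ever opened.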

There are other differences. But I would say that these are the two main differences.
