The Impact of IP Access Control Lists on Firewalls & Routers
Testing the performance impact and administrative costs of loading and configuring ACLs into entry-level routers and firewalls to block network traffic by country.
Often, the best place to block unwanted IP traffic is at the network perimeter. This is traditionally done with firewalls or routers by implementing large access control lists (ACLs). This approach has the following problems:
1. IP addresses assigned to countries change daily, so the lists must be kept current to be effective.
2. Access lists often have tens of thousands of entries, taking 15 minutes a day to load.
3. Processing large ACLs can add unacceptable network latency and reduce the device’s capacity to handle legitimate connections.
In addition to possible latency issues, labor costs, and the need for continual maintenance of country ACLs, you must contend with malicious actors operating in countries allowed by your policy. Many of the offending IPs are known and can be blocked using IP reputation lists. The problem is that commercial blocklists can contain millions of IP addresses, far exceeding the capacity of most firewalls and routers. And because botnets are globally dispersed, you remain open to attack from countries allowed by your policy.
TechGuard's PoliWall® Country Blocker appliance was tested using the BreakingPoint™
The testing environment included a typical SMB router and firewall, each with 100Mbit connectivity. These devices were paired with the entry-level PoliWall M10 appliance (MSRP of $3499). The products were chosen to demonstrate the PoliWall’s capability to offload blocking of countries and known cyber-threats, while allowing the SMB devices to deliver maximum performance for their intended use. Additionally, the PoliWall added the capability to block threats from IP reputation lists containing millions of entries.
This whitepaper quantifies the performance impact on network latency, TCP connections, and administrative costs of loading ACLs into entry-level routers and firewalls. View the ACL Whitepaper page here: http://www.techguard.com/
TechGuard Security, LLC, manufacturer of the PoliWall, was founded in February 2000 to address National Cyber Defense initiatives and US Critical Infrastructure Security. TechGuard provides trusted and award-winning Cyber Security Solutions for the DoD, DHS, Federal, Financial, Energy and Healthcare communities.