The Impact of IP Access Control Lists on Firewalls & Routers

Testing the performance impact and administrative costs of loading and configuring ACLs into entry-level routers and firewalls to block network traffic by country.

Aug. 20, 2012 - PRLog -- The overwhelming majority of spam, malware, and DDoS attacks come from countries outside the United States and from infected machines in global botnets. Small and mid-size businesses are working to reduce the attack space by blocking IP addresses originating from countries that offer no business value, and by using IP reputation lists to block connections from IP addresses that are tied to malicious activity.

Often, the best place to block unwanted IP traffic is at the network perimeter. This is traditionally done with firewalls or routers by implementing large access control lists (ACLs). This approach has the following problems:

1. IP addresses assigned to countries change daily, so the lists must be kept current to be effective.

2. Access lists often have tens of thousands of entries, taking 15 minutes a day to load.

3. Processing large ACLs can add unacceptable network latency and reduce the device’s capacity to handle legitimate connections.

In addition to possible latency issues, labor costs, and the need for continual maintenance of country ACLs, you must contend with malicious actors operating in countries allowed by your policy. Many of the offending IPs are known and can be blocked using IP reputation lists. The problem is that commercial blocklists can contain millions of IP addresses, far exceeding the capacity of most firewalls and routers, and since botnets are globally dispersed, you remain open to attack from countries allowed by your policy.

TechGuard's PoliWall® Country Blocker appliance was tested using the BreakingPoint™ appliance to measure product resiliency in the face of massive-scale simulated cyber attacks from millions of users and hundreds of applications. The PoliWall blocks inbound and outbound traffic by country and by IP reputation block lists for both IPv4 and IPv6 traffic at line speed.

The testing environment included a typical SMB router and firewall, each with 100Mbit connectivity. These devices were paired with the entry-level PoliWall M10 appliance (MSRP of $3499). The products were chosen to demonstrate the PoliWall’s capability to offload blocking of countries and known cyber-threats, while allowing the SMB devices to deliver maximum performance for their intended use. Additionally, the PoliWall added the capability to block threats from IP reputation lists containing millions of entries.

This whitepaper quantifies the performance impact on network latency, TCP connections, and administrative costs of loading ACLs into entry-level routers and firewalls. View the ACL Whitepaper page here:

About TechGuard
TechGuard Security, LLC, manufacturer of the PoliWall, was founded in February 2000 to address National Cyber Defense initiatives and US Critical Infrastructure Security. TechGuard provides trusted and award-winning Cyber Security Solutions for the DoD, DHS, Federal, Financial, Energy and Healthcare communities. | sales.636.489.2230
Source: TechGuard Security
Tags: Acl, Firewall, Router
Location: O Fallon - Missouri - United States