Comment Re:How exactly are ACLs on a switch different? (Score 2, Informative) 395
This is how I see the difference... Where a router ACL filters IP addresses and ports, a firewall can do much more, i.e. inspect application layers for RFC compliance/attack patterns, authenticate users, and log permitted & denied traffic (it's nice to know who's trying to screw your systems, after all...). Find a router that can do all this across more than 100 ACL entries and still maintain a decent level of performance, then you're laughing, but only the modern high-end kit is starting to get close. If ACLs in routers were efficient then surely Cisco wouldn't produce a firewall blade for their high-end routers.
I've been working in the network security field for most of my career and advocate the layered/defence-in-depth approach, but I suggest anyone relying on router ACLs consider their requirements first. Personally I prefer firewalls on the edge of the network with lots of application layer filtering (i.e. proxies, SMTP scanning etc.) to keep all the nasty stuff away, and simple (to keep maintenance easy and processing overhead low) ACLs for any internal segregation. Naturally I look at host-based security as well, but that's for another post in the future.
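The distinction the comment above draws (a stateless router ACL matching addresses and ports versus a firewall that tracks sessions, checks application-layer syntax and logs every decision) can be shown with a small model. The following is an added example written for this page, not code from the commenter or from any vendor; the addresses, the Cisco-style `established` keyword semantics (match only packets with ACK or RST set) and the HTTP request-line check are constructed for illustration, and the "firewall" is a toy, not a real inspection engine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Minimal HTTP/1.x request-line check, standing in for "RFC compliance" inspection.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # TCP flags present, e.g. frozenset({"SYN"})
    payload: bytes = b""


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src: str                  # exact address or "any"
    dst: str                  # exact address or "any"
    dport: Optional[int]      # None matches any destination port
    established: bool = False # Cisco-style keyword: only packets with ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


class RouterAcl:
    """Stateless first-match list applied inbound on the outside interface."""

    def __init__(self, inside_prefix: str, entries: List[AclEntry]):
        self.inside_prefix = inside_prefix
        self.entries = entries

    def filter(self, p: Packet) -> str:
        if p.src.startswith(self.inside_prefix):
            return "permit"           # outbound traffic is not subject to this list
        for e in self.entries:
            if e.matches(p):
                return e.action
        return "deny"                 # implicit deny at the end of the list


class StatefulFirewall:
    """Session table plus a payload check; every decision is logged."""

    def __init__(self, inside_prefix: str, public: Set[Tuple[str, int]]):
        self.inside_prefix = inside_prefix
        self.public = public          # (dst, dport) services reachable from outside
        self.conns: Set[Tuple[str, int, str, int]] = set()
        self.log: List[str] = []

    def _decide(self, p: Packet) -> Tuple[str, str]:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns or reverse in self.conns:
            return "permit", "existing session"
        if "SYN" in p.flags and "ACK" not in p.flags:
            if p.src.startswith(self.inside_prefix) or (p.dst, p.dport) in self.public:
                self.conns.add(key)
                return "permit", "new session"
            return "deny", "unsolicited SYN"
        return "deny", "no matching session"

    def filter(self, p: Packet) -> str:
        action, reason = self._decide(p)
        if action == "permit" and p.payload and p.dport == 80:
            if not HTTP_REQUEST_LINE.match(p.payload):
                action, reason = "deny", "malformed HTTP request line"
        self.log.append(f"{action} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return action


def run_scenario() -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Constructed traffic: returns {packet name: (router ACL verdict, firewall verdict)} and the firewall log."""
    acl = RouterAcl("10.0.0.", [
        AclEntry("permit", "any", "203.0.113.10", 80),                # public web server
        AclEntry("permit", "any", "any", None, established=True),     # "return traffic" entry
    ])
    fw = StatefulFirewall("10.0.0.", {("203.0.113.10", 80)})
    SYN, ACK, SYNACK = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"SYN", "ACK"})
    pkts = {
        "client_syn":   Packet("10.0.0.5", "198.51.100.7", 40000, 443, SYN),
        "client_reply": Packet("198.51.100.7", "10.0.0.5", 443, 40000, SYNACK),
        "forged_ack":   Packet("198.51.100.9", "10.0.0.5", 1234, 445, ACK),   # no session exists
        "web_syn":      Packet("198.51.100.7", "203.0.113.10", 51000, 80, SYN),
        "web_request":  Packet("198.51.100.7", "203.0.113.10", 51000, 80, ACK,
                               b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        "bad_request":  Packet("198.51.100.7", "203.0.113.10", 51000, 80, ACK, b"GET /\r\n"),
    }
    results = {name: (acl.filter(p), fw.filter(p)) for name, p in pkts.items()}
    return results, fw.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for name, (r, f) in verdicts.items():
        print(f"{name:13} router={r:6} firewall={f}")
    print("\n".join(log))
```

Two packets make the point: the forged ACK to an internal host on port 445 sails through the ACL because the `established` entry only looks at the flag bits, while the firewall drops it for lacking a session; and the malformed request to the web server is a perfectly good port-80 packet to the ACL but is refused by the firewall's request-line check. The firewall also leaves a log line for every decision, which the stateless list never does.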