Page 68 - CSI - Cisco Security Introduction - BT

Converting Firewalls to Group-based Rules






Example ASA Configuration

Before conversion: 99,000 lines

Converts to:

• IP-SGT mapping file: 3,897 lines
• ACL_INSIDE file: 10,493 lines
• ACL_OUTSIDE file: 4,954 lines
• Total 19,344 lines, an 80% reduction

[Bar chart: Rule Table Size, Using IP Rules vs. Using SGT-based Rules; y-axis from 0 to 120,000 lines]



FW Rule Reduction: 80%
ROI: 140%
NPV: $2.33M
IT OpEx: ▼ ~80%
Time to Implement Changes: ▼ ~98%


