|
| > One of the advantages of firewalls is they generally come with good management systems,
| > i.e. the ability to manage ACLs without writing them by hand.
|
| Not in my experience, and I spent a decade working for the largest vendor of firewalls in
| the world. All the commercial ACL-management systems I've seen are junk.

I think it's more than worth mentioning that the "largest vendor of firewalls" you're talking about is not the largest vendor of firewalls in the world and has never been. I don't want to mention any commercial name here because this is not the point, but this specific vendor is very well known to have very bad management systems for their firewalls. This is probably the only reason why they are not the largest vendor of firewalls in the world, considering how much penetration they've got in the corporate routing and switching market.

If you restrict a "firewall" to a firewall from a specific vendor, then you're only looking at the problem from a very specific angle and this can't allow you to draw real conclusions.

Multiple other firewall vendors have very good management systems; this is a very well known fact. They might not meet what a Telco is expecting as firewall management, but this is a different question.

cheers
Florent