Security Basics mailing list archives
Re: ACL design.
From: WALI <hkhasgiwale () gmail com>
Date: Sat, 12 May 2007 22:00:11 +0400
Off the subject a bit, but I thought I should ask this question since it's been lingering on my mind for some time now. Maybe guys around here can answer in detail.
I have a remote site getting connected to my server farm. It's our branch office. I have a router in the middle with no firewall, and the addresses on both sides of the interface are private, say 10.10.10.0/24 on my side and 10.20.20.0/24 on the other.
The only things the branch users access on this side of the router are AD authentication, Exchange (SMTP) and some file shares. What should be my minimal extended ACL? Currently, it's all through and through, and I feel that's highly insecure.
Any advice?
At 08:58 AM 5/9/2007 +0300, Alex Nedelcu wrote:
It's also important where you place your ACLs. If you have an advanced ACL that takes into consideration the source, destination, ports, TOS etc., you should place it as close to the source of traffic as possible. If the ACL is based solely on source addresses, it should be placed as close as possible to the destination. Another thing that you should take into consideration is to never apply ACLs in the core area of your network; in a hierarchical model network the traffic policies should be applied at the distribution layer. You should analyze carefully the design of your network and find the ideal places where you should implement filtering; if you choose badly you may get decreased performance.
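An added example, not from the thread, of the kind of minimal extended ACL the question asks for, placed where Alex Nedelcu's advice puts an extended ACL: closest to the source, i.e. inbound on the router's branch-facing interface. It assumes a Cisco IOS router, a hypothetical interface name Serial0/0, and hypothetical server addresses 10.10.10.10 (domain controller), 10.10.10.20 (Exchange) and 10.10.10.30 (file server); the exact AD port list depends on the domain setup and must be checked against the real environment.

```cisco
! Added example (not from the thread). Assumed: Cisco IOS, branch link on
! Serial0/0, DC 10.10.10.10, Exchange 10.10.10.20, file server 10.10.10.30.
ip access-list extended BRANCH-TO-FARM
 remark --- AD authentication: DNS, Kerberos, NTP, LDAP, RPC mapper, SMB
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 53
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 53
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 88
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 88
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 123
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 389
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 389
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 135
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 445
 remark Domain logon also uses RPC dynamic ports after the 135 handshake;
 remark the range depends on the Windows version, so add it from the DC's
 remark actual settings (assumption: not known from the thread)
 remark --- Exchange: SMTP only, as the post names it
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.20 eq smtp
 remark --- File shares: SMB direct-host
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.30 eq 445
 remark --- Everything else from the branch is dropped and logged so that
 remark legitimate traffic you forgot shows up in the log, not as silence
 deny ip any any log
!
interface Serial0/0
 description Link to branch office 10.20.20.0/24
 ip access-group BRANCH-TO-FARM in
```

Because the list is applied inbound on the branch-facing interface only, replies from the server farm back to the branch are not filtered by it; watch the log hits on the final deny for a few days before treating the list as complete.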