Security Basics mailing list archives
RE: ACL design.
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 14 May 2007 16:02:08 -0700
If I read you right, both sides of this router are on private addresses and there should be no non-private addresses in the traffic. You could enforce that in ACLs, just as a sanity measure. (I sometimes see clients come onto our (guest) network with addresses from some other network; at one point, it was common to see them show up with AOL addresses....)

The other main use of ACLs in this case is to limit who can connect to the router itself. (The guest gateway's interface addresses are not acceptable destinations for traffic originating within that network.)

David Gillett
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, May 12, 2007 11:00 AM
To: Alex Nedelcu; security-basics () securityfocus com
Subject: Re: ACL design.

Off the subject a bit, but I thought I should ask this question since it's been lingering on my mind for some time now. Maybe guys around here can answer in detail.

I have a remote site getting connected to my server farm. It's our branch office. I have a router in the middle with no firewall, and the addresses on both sides of the interface are private, say 10.10.10.0/24 on my side and 10.20.20.0/24 on the other. The only thing the branch users access on this side of the router is AD authentication, Exchange (SMTP) and some file shares.

What should be my minimal extended ACL? Currently, it's all through and through and I feel that's highly insecure. Any advice?

At 08:58 AM 5/9/2007 +0300, Alex Nedelcu wrote:

It's also important where you place your ACLs. If you have an advanced ACL that takes into consideration the source, destination, ports, TOS etc., you should place it as close to the source of traffic as possible. If the ACL is based solely on source addresses, it should be placed as close as possible to the destination.

Another thing that you should take into consideration is to never apply ACLs in the core area of your network; in a hierarchical model network the traffic policies should be applied at the distribution layer. You should analyze carefully the design of your network and find the ideal places where you should implement filtering; if you choose badly you may get decreased performance.
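Taking WALI's question literally, the following is one minimal extended ACL in Cisco IOS syntax, added here as an illustration and not taken from anyone's post in the thread. It assumes the router's branch-side interface is FastEthernet0/1 at 10.20.20.1 and its server-farm side is 10.10.10.1, with the DC at 10.10.10.5, Exchange at 10.10.10.6 and the file server at 10.10.10.7 (all hypothetical); it is applied inbound on the branch-facing interface, which is as close to the source as this topology allows, and it folds in David's two points (only branch addresses may source traffic, and the router's own addresses are never a valid destination).

```cisco
! Hypothetical addressing: router 10.20.20.1 / 10.10.10.1,
! DC 10.10.10.5, Exchange 10.10.10.6, file server 10.10.10.7.
ip access-list extended BRANCH-IN
 remark -- sanity check: a server-farm source arriving from the branch is spoofed
 deny   ip 10.10.10.0 0.0.0.255 any log
 remark -- the router's own interfaces are not valid destinations
 deny   ip any host 10.20.20.1 log
 deny   ip any host 10.10.10.1 log
 remark -- AD authentication to the DC: DNS, Kerberos, LDAP, SMB, RPC mapper, NTP
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq domain
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq domain
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 88
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 88
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 389
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 389
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 445
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 135
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq ntp
 remark -- Exchange: SMTP only
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.6 eq smtp
 remark -- file shares: SMB over TCP 445
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.7 eq 445
 remark -- explicit final deny so the drops are logged (implicit deny is silent)
 deny   ip any any log
!
interface FastEthernet0/1
 description Branch office side, 10.20.20.0/24
 ip access-group BRANCH-IN in
```

Two caveats: domain logon also uses RPC on dynamic ports after the TCP 135 endpoint-mapper exchange, so expect to watch the deny log and either fix the DC's RPC port range or add it; and IOS ACLs are stateless, so if you later filter the server-farm interface as well, the return traffic needs a matching rule (for TCP, `permit tcp ... established`).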