Re: RE: Example firewall script

[fd () ew nsci us]

On Tue, 30 Aug 2005, Rachael Treu Gomes wrote:
> > There are also issues of what KIND of ACL to 
> > use and where  to place them; Inbound or Outbound.
> >
> > In terms of the original question, the only 
> > difference between a "good" line item or a 
> > "bad" line item is whether or not the syntax 
> > is correct.
>
> Nicely put.
> > The only difference between a "good" ACL 
> > and a "bad" ACL is  whether or not it's 
> > structure is properly designed and whether
> > or not it's placed in the proper location.
>
> Again, nicely put.  I might also suggest adding the 
> idea that ACL logic and format follow with the same 
> requirements for placement, and that overarching 
> rules/guidelines regarding their structure and flow be 
> evaluated on a case-by-case basis.  It is incomplete
> and rife with exception, unfortunately, to decree that
> all ACLs and firewall feature sets be constructed in a 
> particular manner without taking into account the
> particulars surrounding their respective deployments.

Can anyone suggest a book which discusses ACL theories in different points
of view and practical (?existing) applications?  I would love to see
documentation which addresses security and manageability as it relating to
things like minimal ACL-line duplication and ingress+egress filtering
techniques.  Even in Cisco and 5xx-level networking courses, these issues
are barely touched on.  For traffic policies, much has been learned from
this list and from practical experience.

-Eric


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/