Security Basics mailing list archives

Re: Cisco Router security basics and ASA firewall rules


From: Roman Shirokov <insecure () yandex ru>
Date: Tue, 12 Dec 2006 18:17:55 +0000

Hello pelesmk,

Monday, December 11, 2006, 9:51:18 PM, you wrote:

What types of ACLs, if any, or other security rules should be used on
an edge router or internal router which stands in front of an ASA firewall?

I recently overheard a conversation where they didn't want any
ACLs on the router and have all ACLs happening at the firewall. I
have a problem with this thought because of IP spoofing, DoS
attacks, etc. that would target the router. Am I thinking correctly
or is there a way to defend against this at the firewall? I
understand some ACLs can be made at the firewall and implementing
long ACLs on the router can cause adverse network speeds, but some
of the most basic ACLs must be at the edge router.

Please fill me in as I'm fairly new to ACLs and firewall implementations.

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------


Once again we return to the question that security must be implemented
on all possible levels. An attacker may sit behind the firewall
(i.e. an "insider"). But everything depends on the network design: do they
have a DMZ, any inside servers with restricted access (except in the DMZ)?
Provide more info.

Remember that every piece of the network can be compromised; bugs exist
even in expensive, well-known firewalls.


-- 
Best regards,

Roman Shirokov

e-mail:insecure () yandex ru
http://securitybox.org.ru 

