Security Basics mailing list archives

RE: ACL design.


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 14 May 2007 16:02:08 -0700

  If I read you right, both sides of this router are on private
addresses and there should be no non-private addresses in the 
traffic.  You could enforce that in ACLs, just as a sanity measure.
(I sometimes see clients come onto our (guest) network with addresses 
from some other network; at one point, it was common to see them
show up with AOL addresses....)

  The other main use of ACLs in this case is to limit who can connect
to the router itself.  (The guest gateway's interface addresses are
not acceptable destinations for traffic originating within that
network.)

David Gillett

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, May 12, 2007 11:00 AM
To: Alex Nedelcu; security-basics () securityfocus com
Subject: Re: ACL design.

Off the subject a bit, but I thought I should ask this 
question since it's been lingering on my mind for some time 
now. Maybe the guys around here can answer in detail.

I have a remote site getting connected to my server farm. 
It's our branch office. I have a router in the middle with no 
firewall, and the addresses on both sides of the interface 
are private, say 10.10.10.0/24 on my side and 10.20.20.0/24 
on the other.

The only thing the branch users access on this side of the 
router is AD authentication, Exchange (SMTP) and some file shares.
What should be my minimal extended ACL? Currently, it's all 
through and through and I feel that's highly insecure.

Any advice?

At 08:58 AM 5/9/2007 +0300, Alex Nedelcu wrote:
It's also important where you place your ACLs.

If you have an advanced ACL that takes into consideration the source,
destination, ports, TOS etc., you should place it as close to the source
of traffic as possible.

If the ACL is based solely on source addresses, it should be placed as
close as possible to the destination.

Another thing that you should take into consideration is to never apply
ACLs in the core area of your network; in a hierarchical model network
the traffic policies should be applied at the distribution layer. You
should analyze carefully the design of your network and find the ideal
places where you should implement filtering; if you choose badly you
may get decreased performance.
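As an added illustration that is not part of the thread, the following Python model puts Gillett's two points (the gateway is not a valid destination from inside; only the expected addresses should appear) next to WALI's question about a minimal extended ACL for AD authentication, SMTP and file shares. The router's branch-side address 10.20.20.1 and the service port list are assumptions; the subnets are the ones WALI gave.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread; the router's branch-side address is an assumption.
BRANCH = ipaddress.ip_network("10.20.20.0/24")
FARM = ipaddress.ip_network("10.10.10.0/24")
ROUTER_IF = ipaddress.ip_network("10.20.20.1/32")  # assumed gateway address
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))

# Assumed ports for the three services the branch needs: AD logon, SMTP, SMB shares.
AD_TCP = (53, 88, 135, 389, 445, 636)
AD_UDP = (53, 88, 123, 389)

# Inbound ACL on the branch-facing interface: first match wins, implicit deny at the end.
BRANCH_IN = (
    # The gateway itself is not an acceptable destination for traffic from the branch.
    [Rule("deny", "ip", ANY, ROUTER_IF)]
    + [Rule("permit", "tcp", BRANCH, FARM, p) for p in AD_TCP]
    + [Rule("permit", "udp", BRANCH, FARM, p) for p in AD_UDP]
    + [Rule("permit", "tcp", BRANCH, FARM, 25)]  # Exchange SMTP
)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching rule, or None for the implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, i
    # Anything not explicitly permitted, including sources outside 10.20.20.0/24
    # (the "wrong network" clients Gillett mentions), falls through to the implicit deny.
    return "deny", None

if __name__ == "__main__":
    probes = [("tcp", "10.20.20.50", "10.10.10.5", 445),    # file share: permit
              ("tcp", "10.20.20.50", "10.10.10.5", 3389),   # RDP, not needed: deny
              ("tcp", "10.20.20.50", "10.20.20.1", 23),     # telnet to the router: deny
              ("tcp", "203.0.113.10", "10.10.10.5", 445)]   # constructed non-private source
    for p in probes:
        print(p, "->", evaluate(BRANCH_IN, *p))
```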
