How safe are ACLs

netsquant
Level 1

Can access lists be hacked? What should be put in place in the event they got hacked? Is there additional security on the router or is a FW appliance needed?


Richard Burts
Hall of Fame

Shane

I am not sure that I fully understand your question. If someone gains access to privilege mode in your router (or switch) they could hack access lists (as well as other things). So to protect your access lists it is important to protect access to your router. Some of the things that you can do to protect your router include:

- restrict remote access to the device by using standard access lists applied to the vty lines by access-class.

- restrict remote access to the device to use SSH and disable telnet access by using the command transport input ssh under line vty.

- have strong authentication. The best is to configure AAA authentication to use an external authentication server like ACS and use local authentication only as a backup if the authentication server is not available.

- use the AAA accounting feature to log the privilege level 15 commands (including configuration commands) to the AAA server so you can track what changes have been made.

HTH

Rick

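As an added example (not code from this thread or from Cisco), here is a small Python audit that reads a saved IOS running-config and reports whether the four controls Rick lists are in place: an inbound access-class on every vty line, SSH-only transport, an AAA login method list that uses an external server group with local as fallback, and AAA command accounting for privilege level 15. The two configs inside are constructed samples, not captured from any real device.

```python
import re
from itertools import takewhile

# Constructed sample configs (not from any real device). HARDENED applies the
# four controls from the reply above; WEAK is a typical exposed vty setup.
HARDENED = """\
aaa new-model
aaa authentication login MGMT group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication MGMT
"""
WEAK = """\
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

def vty_sections(config):
    """Return the stripped sub-commands of every 'line vty' section."""
    lines, sections = config.splitlines(), []
    for i, line in enumerate(lines):
        if line.startswith("line vty"):
            body = takewhile(lambda s: s.startswith(" "), lines[i + 1:])
            sections.append([s.strip() for s in body])
    return sections

def audit(config):
    """Map each of the four hardening controls to True (present) or False."""
    vtys = vty_sections(config) or [[]]  # no vty section -> every check fails
    # Login method list must try an external server group first, local only as fallback.
    m = re.search(r"^aaa authentication login (\S+) group \S+ local$", config, re.M)
    mlist = m.group(1) if m else None
    def uses_list(v):  # 'default' applies implicitly when the line names no list
        named = [c for c in v if c.startswith("login authentication ")]
        return f"login authentication {mlist}" in v or (mlist == "default" and not named)
    return {
        "vty_access_class": all(any(c.startswith("access-class ") and c.endswith(" in")
                                    for c in v) for v in vtys),
        "vty_ssh_only": all("transport input ssh" in v for v in vtys),
        "aaa_external_auth": mlist is not None and all(uses_list(v) for v in vtys),
        "aaa_cmd_accounting": bool(re.search(r"^aaa accounting commands 15 \S+ \S+ group \S+",
                                             config, re.M)),
    }
```

Run `audit()` over the output of `show running-config` saved to a file; any False entry is a gap in the management-plane protection Rick describes.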

I do have strong access lists but wanted to add deep inspection, then I thought the deep inspection would be pointless because the ACLs are doing the security. I was just trying to research if there was something in addition to ACLs, but I guess as long as the ACLs are strong there is nothing else to do.

Here's a list of packet filtering methods in order from least secure to most secure:

1. (ios based) access-lists

2. ios access-lists using the established keyword

3. ios reflexive ACLs

4. ios firewall feature set - inspection + acl's

5. true stateful firewall (eg pix/asa) using acl's.
