Should the ACS be behind a FWSM

Mar 12th, 2009

I understand that this should be dictated by a security policy/risk assessment, but I was hoping to get some opinions on this.

The ACS is behind the Internet firewall. We are going to place it on a LAN so that it can be accessible throughout all the WAN by any LAN. Should it go behind a Firewall Services Module? To me, putting the ACS behind a FWSM is excessive and unnecessary and just adds to overhead. The box is already hardened and has CSA running on it. Would you agree?

Jon Marshall Thu, 03/12/2009 - 12:58

It does depend on what information is stored locally on the ACS server and also what the ACS server is responsible for giving access to.

It also depends on how well you could lock down the firewall rule for the ACS server, i.e. how many IP addresses need to access it, etc.

It can add to overhead but bear in mind that your ACS server can actually hold the "keys" to the estate. Putting it behind a firewall may well protect it from the casual observer and also protect it against things like denial of service.

I have worked in environments where it was behind a firewall and environments where it wasn't. If the access the ACS grants is important enough, put it behind a firewall in my opinion.


Jagdeep Gambhir Fri, 03/13/2009 - 10:06

I would suggest keeping it behind a firewall, as ACS plays an important role in security. As Jon said, it is important to protect ACS from network attacks.



Do rate helpful posts

