
Should the ACS be behind a FWSM

Aaron Greene
Level 1

I understand that this should be dictated by a security policy/risk assessment, but I was hoping to get some opinions on this.

The ACS is behind the Internet firewall. We are going to place it on a LAN so that it can be accessible throughout all the WAN by any LAN. Should it go behind a Firewall Services Module? To me, putting the ACS behind a FWSM is excessive and unnecessary and just adds to overhead. The box is already hardened and has CSA running on it. Would you agree?

2 Replies

Jon Marshall
Hall of Fame

Aaron

It does depend on what information is stored locally on the ACS server and also what the ACS server is responsible for giving access to.

It also depends on how well you could lock down the firewall rule for the ACS server, i.e. how many IP addresses need to access it, etc.

It can add to overhead but bear in mind that your ACS server can actually hold the "keys" to the estate. Putting it behind a firewall may well protect it from the casual observer and also protect it against things like denial of service.

I have worked in environments where it was behind a firewall and environments where it wasn't. If the access the ACS grants is important enough, put it behind a firewall in my opinion.

Jon

I would suggest keeping it behind a firewall, as ACS plays an important role in security. As Jon said, it is important to protect ACS from network attacks.

Regards,

~JG

Do rate helpful posts