ACL best practices

Unanswered Question
Oct 1st, 2009

What are the best practices when dealing with ACLs?

For example, if I have network 10.10.10.0/24 and in here the only outbound traffic these hosts need to reach is any destination at port 8584, then will only 1 ACL applied in the IN direction suffice?

What about a second ACL applied in the OUT direction? will this be needed? the servers on the 10.10.10.0 networks need to be protected and they only expect outside hosts initiating connections destined to port 4999 on a host 10.10.10.3

What is the best approach possible to a situation like this? security is the number one concern and we assume that hackers will be testing this heavily.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Collin Clark Thu, 10/01/2009 - 12:56

It depends. What device(s) are you using? If there is high risk associated with this, you may also want to limit tcp connections, use CoPP, etc. Does the 10.10.10.3 host ever initiate communications eg updates, NTP, authentication, etc?

insccisco Thu, 10/01/2009 - 15:56

lol, there is a concern but at least not that heavy to support the implementation of CoPP.

It is an 1800 series router. The 10.10.10.0 hosts only initiate connections to one or 2 ports, and host 10.10.10.3 takes connections at port 4999.

With these requirements, I'd suspect an IN ACL will be applied to the interface and this ACL will only allow the internal 10.10.10.0 hosts to reach ANY destination at only 2 ports.

But what about for connections destined (in other words, initiated on the outside) to these hosts, especially host 10.10.10.3? How will that be protected?

pompeychimes Thu, 10/01/2009 - 18:43

Use an inbound ACL on the outside interface of the 1800 to protect your internal hosts. Permit only the traffic you need deny the rest.

If security is the primary concern put a stateful firewall in the path.

insccisco Thu, 10/01/2009 - 20:24

Although is an IOS router, what's the closest we can configure it to an Stateful Firewall? by enabling the inspection engines?

Collin Clark Fri, 10/02/2009 - 05:54

You probably won't need to use the stateful firewall. Let's use some examples-

access-list 100 permit tcp any host 10.10.10.3 eq 4999

access-list 101 permit tcp any any eq 8584

Let's assume that port FastEthernet0/0 is on the 10.10.10.0/24 network and FastEthernet0/1 is the "outside".

interface FastEthernet0/0

ip access-group 101 in

interface FastEthernet0/1

ip access-group 100 in

This applies the ACL to the interface in the IN direction. This means traffic that enters the interface from the local connection.

We could also do this-

interface FastEthernet0/0

ip access-group 100 out

interface FastEthernet0/1

ip access-group 101 out

This applies the ACL to the interface in the OUT direction. This means traffic that enters through the router and out to the the local connection.

The fundamental purpose here (and this applies to configuring the inspection engine as well) is if your router has multiple interfaces, where do you want to apply restriction/inspection? Let's say you have 4 interface on a router; we'll call them inside, outside, dmz1 and dmz2. If we want to restrict traffic from the outside to the interfaces, would it make sense to block OUT at inside, dmz1, and dmz2? Not really, because we can block everything at one interface, the outside interface. The same goes for outbound traffic. In this case inspection makes it clearer. We want to inspect all traffic leaving the router. You have two options; create an inspection rule for the inside interface, another for dmz1, and another for dmz2. What you should do is create 1 inspection rule and apply it to the outside interface. These are not hard and fast rules, either option will work and may vary depending on your situtation. One is a cleaner, less resource intensive configuration. Remember the old rule, Restrict traffic as close to the source as possible.

insccisco Fri, 10/09/2009 - 07:33

Thank you very much for the answer.

Which one do you mean is cleaner and less resource intensive? I assume the ACL, right? can you confirm?

Enabling the inspection engines on IOSs have given me some problems in the past, so this is the reason I assume that enabling them is more cpu intense for the router. let me know

thanks

Collin Clark Mon, 10/12/2009 - 05:33

It's cleaner, meaning it's standard practice. It less resource intensive becuase the router block unwanted packets before routing/inspecting/nbar/etc.

Actions

This Discussion