5505 ACL overkill?

Answered Question
Oct 14th, 2010

Simple question.  Do you think it's overkill to secure a single system down beyond the basic outside_access_in ACLs?


The situation is one box with ssh, https, and dameware. The 8.3 ACL configuration:


access-list INTERNET_access_in remark HTTPS Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq https
access-list INTERNET_access_in remark DameWare Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 6129
access-list INTERNET_access_in remark Fwd_SSH
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 2222

...

object network obj_any
nat (inside,INTERNET) dynamic interface
object network 192-168-30-30_FwdSSH
nat (inside,INTERNET) static interface service tcp ssh 2222
object network 192-168-30-30_DameWare
nat (inside,INTERNET) static interface service tcp 6129 6129
object network 192-168-30-30_HTTPS
nat (inside,INTERNET) static interface service tcp https https
access-group INTERNET_access_in in interface INTERNET


I would like to know the general consensus. Would it be overkill to also include ACLs for the INSIDE_access_out as well?  This is a single system behind the 5505.  I have searched for the best practices on setting up the 5505 and have found that very few admins go beyond the out_access_in ACLs.


thanks

Correct Answer by Jon Marshall, Thu, 10/14/2010 - 10:05

ryschneider wrote:


Simple question.  Do you think it's overkill to secure a single system down beyond the basic outside_access_in ACLs?


The situation is one box with ssh, https, and dameware. The 8.3 ACL configuration:


access-list INTERNET_access_in remark HTTPS Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq https
access-list INTERNET_access_in remark DameWare Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 6129
access-list INTERNET_access_in remark Fwd_SSH
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 2222

...

object network obj_any
nat (inside,INTERNET) dynamic interface
object network 192-168-30-30_FwdSSH
nat (inside,INTERNET) static interface service tcp ssh 2222
object network 192-168-30-30_DameWare
nat (inside,INTERNET) static interface service tcp 6129 6129
object network 192-168-30-30_HTTPS
nat (inside,INTERNET) static interface service tcp https https
access-group INTERNET_access_in in interface INTERNET


I would like to know the general consensus. Would it be overkill to also include ACLs for the INSIDE_access_out as well?  This is a single system behind the 5505.  I have searched for the best practices on setting up the 5505 and have found that very few admins go beyond the out_access_in ACLs.


thanks


Personally, at the companies I have worked access is always tied down outbound from the internal network as well as inbound, but I appreciate a lot don't do it. The benefits however -


1) you stop any mischievous/malicious users inside doing things for which your company is ultimately responsible

2) you can stop automated software/virus getting back out of the firewall

3) you can as a side effect stop any non-routable internet addresses leaking out of the company


2) & 3) in particular can actually be stopped by not having a default route in your network pointing to the firewall, but it really depends on what you need internet access for. Where I have worked in the past a web proxy was used for internet access, so we actually didn't have a default route within our network.


So I would say it is worth it if you have the time to do it. I suspect that many network admins are so busy that this sort of thing is quite low on their list of things to do.


Jon
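The kind of inside-interface ACL Jon describes, as an added example that is not part of the thread or of either poster's configuration. It is applied inbound on the ASA's inside interface, which is the direction that filters traffic the host itself originates (what the question calls INSIDE_access_out). It reuses the 192-168-30-30_Host object and the inside/INTERNET interface names from the question; the EX_-prefixed objects and the 198.51.100.x resolver and NTP addresses are constructed placeholders.

```text
! Added example, not from the thread: restrict what the single host
! 192.168.30.30 may initiate toward the internet. EX_* objects and the
! 198.51.100.x addresses are assumed placeholders for this illustration.
object network 192-168-30-30_Host
 host 192.168.30.30
object-group network EX_RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network EX_DNS_SERVERS
 network-object host 198.51.100.53
 network-object host 198.51.100.54
object network EX_NTP_SERVER
 host 198.51.100.123
object-group service EX_HOST_OUTBOUND tcp
 port-object eq http
 port-object eq https
!
! Jon's point 3: private address space must never leave via the firewall.
! If the 5505 has other internal interfaces or a VPN, permit those
! destinations above this line.
access-list INSIDE_access_in remark Block RFC1918 destinations leaking out
access-list INSIDE_access_in extended deny ip any object-group EX_RFC1918 log
! Only the resolvers and time source we chose, not "any" on udp/53.
access-list INSIDE_access_in remark DNS to trusted resolvers only
access-list INSIDE_access_in extended permit udp object 192-168-30-30_Host object-group EX_DNS_SERVERS eq domain
access-list INSIDE_access_in extended permit tcp object 192-168-30-30_Host object-group EX_DNS_SERVERS eq domain
access-list INSIDE_access_in remark NTP
access-list INSIDE_access_in extended permit udp object 192-168-30-30_Host object EX_NTP_SERVER eq ntp
! Patching and web access from the host itself.
access-list INSIDE_access_in remark Web/updates
access-list INSIDE_access_in extended permit tcp object 192-168-30-30_Host any object-group EX_HOST_OUTBOUND
! Jon's points 1 and 2: anything else initiated from inside is dropped
! and logged, so a compromised box phoning home shows up in syslog.
access-list INSIDE_access_in remark Default deny, logged
access-list INSIDE_access_in extended deny ip any any log
!
access-group INSIDE_access_in in interface inside
```

The ASA evaluates entries top to bottom, so the RFC1918 deny sits first and the catch-all deny last; the existing `nat (inside,INTERNET) dynamic interface` for obj_any is unaffected, since NAT and the interface ACL are evaluated independently. The `log` keyword on the deny entries produces %ASA-6-106100 messages for each blocked attempt, and `show access-list INSIDE_access_in` reports per-entry hit counts, which is how you find out what the host actually talks to before tightening the permits further.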

ryschneider Thu, 10/14/2010 - 11:52

Thanks for the response Jon.  I would say that it may add to the time and effort as you stated, both in time to implement but also when it comes to troubleshooting.  In my case it's not a big deal so I will most likely make the additions.
