Cisco Support Community

Should the ACS be behind a FWSM

I understand that this should be dictated by a security policy/risk assessment, but I was hoping to get some opinions on this.

The ACS is behind the Internet firewall. We are going to place it on a LAN so that it can be accessible throughout all the WAN by any LAN. Should it go behind a Firewall Services Module? To me, putting the ACS behind a FWSM is excessive and unnecessary and just adds to overhead. The box is already hardened and has CSA running on it. Would you agree?

Re: Should the ACS be behind a FWSM


It does depend on what information is stored locally on the ACS server and also what the ACS server is responsible for giving access to.

It also depends on how well you could lock down the firewall rule for the ACS server, i.e. how many IP addresses need to access it, etc.

It can add to overhead but bear in mind that your ACS server can actually hold the "keys" to the estate. Putting it behind a firewall may well protect it from the casual observer and also protect it against things like denial of service.

I have worked in environments where it was behind a firewall and environments where it wasn't. If the access the ACS grants is important enough, put it behind a firewall, in my opinion.


Re: Should the ACS be behind a FWSM

I would suggest keeping it behind a firewall, as ACS plays an important role in security. As Jon said, it is important to protect ACS from network attacks.



Do rate helpful posts
