Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

How safe are ACL's

Can access lists be hacked? If should be put in place in the event they got hacked? Is there additional security on the router or is a FW appliance needed?

Hall of Fame Super Silver

Re: How safe are ACL's


I am not sure that I fully understand your question. If someone gains access to privilege mode in your router (or switch) they could hack access lists (as well as other things). So to protect your access lists it is important to protect access to your router. Some of the things that you can do to protect your router include:

- restrict remote access to the device by using standard access lists applied to the vty lines by access-class.

- restrict remote access to the device to use SSH and disable telnet access by using the command transport input ssh under line vty.

- have strong authentication. The best is to configure AAA authentication to use an external authentication server like ACS and use local authentication only as a backup if the authentication server is not available.

- use the AAA accounting feature to log the privilege level 15 commands (including configuration commands) to the AAA server so you can track what changes have been made.



New Member

Re: How safe are ACL's

I do have strong access lists but wanted to add deep inspection, then i thought the deep inspection would be pointless because the ACL's are doing the security. I was just trying to research if there was something in addition to ACLS, but i guess as long as the ACLs are strong there is nothing else to do.


Re: How safe are ACL's

Here's a list of packet filtering methods in order from least secure to most secure:

1. (ios based) access-lists

2. ios access-lists using the estabished keyword

3. ios reflexive acl's

4. ios firewall feature set - inspection + acl's

5. true stateful firewall (eg pix/asa) using acl's.