We have a new situation developing whereby we have entered into an agreement to host a company's equipment in our data center, use our Internet feed and provide some basic support services to them.
This company will be taking some floors in a building we already own and use.
Our data center is in another building so I think they will need to route using our existing infrastructure...
What I was envisaging doing was giving them two IP ranges (One for their client end and one for their server end) within our address range and doing the following:
Inbound Extended ACL at their client end allowing only to their server IP range
Inbound Extended ACL at their server end allowing only to their client IP range
However, after looking around I have noticed people saying that ACLs are not secure and can be bypassed by setting ACK flags, etc.? I understand the concept of this, but how would an attack with this actually take place, as would any receiving clients not respond because they have no idea of the TCP/IP conversation?
Are firewalls the only answer with this and if so, would I need two (One at each end) to accomplish the security?
Using ACLs will be fine for separating the traffic from the other company. With regard to ACL security, the article that I read stated that it was a false alarm. I will leave a link to the article below.
This is for TCP "established" ACLs, which were the first "stateful" firewalling implementation on Cisco IOS, but it is only for TCP-based communication; you can move to more advanced features like reflexive ACLs or, better, CBAC or ZBF if you really want to implement a stateful firewall on your IOS device.
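The configuration below is an added example and is not from either poster or from Cisco; it puts the question's two-ACL design and the reply's "move to ZBF" advice side by side on one IOS router. The address ranges (tenant clients in 10.10.0.0/16, tenant servers in 10.20.0.0/24), the interface names and all object names are constructed for the example.

```cisco
! ===== Stage 1: the design in the question - plain extended ACLs, one per edge =====
! These entries match on addresses only. They do not use the "established" keyword,
! so the ACK-flag discussion does not apply to them; they simply confine the tenant
! to its own two ranges, which is all the separation requirement needs.
ip access-list extended TENANT-CLIENT-IN
 remark Inbound on the client-floor edge: clients may only reach the tenant servers
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended TENANT-SERVER-IN
 remark Inbound on the server edge: servers may only talk back to the tenant clients
 permit ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Tenant client floors (assumed interface name)
 ip access-group TENANT-CLIENT-IN in
!
interface GigabitEthernet0/2
 description Tenant server cage in the data center (assumed interface name)
 ip access-group TENANT-SERVER-IN in

! ===== Stage 2: the reply's recommendation - Zone-Based Firewall (alternative to Stage 1) =====
! ZBF tracks connection state. Only client-to-server sessions are permitted; the
! server-to-client direction is allowed solely for packets that belong to a session
! the router has already seen, because no zone-pair exists for that direction.
zone security TENANT-CLIENTS
zone security TENANT-SERVERS
!
ip access-list extended TENANT-APP-TRAFFIC
 remark Traffic the tenant is allowed to initiate (narrow this to real service ports)
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255
!
class-map type inspect match-all TENANT-APP
 match access-group name TENANT-APP-TRAFFIC
!
policy-map type inspect TENANT-CLIENT-TO-SERVER
 class type inspect TENANT-APP
  inspect
 class class-default
  drop log
!
zone-pair security CLIENT-TO-SERVER source TENANT-CLIENTS destination TENANT-SERVERS
 service-policy type inspect TENANT-CLIENT-TO-SERVER
!
interface GigabitEthernet0/1
 zone-member security TENANT-CLIENTS
!
interface GigabitEthernet0/2
 zone-member security TENANT-SERVERS
```

The distinction the thread turns on is visible in the two stages: an ACL line written with the `established` keyword matches any TCP segment whose ACK or RST bit is set, which is a header-flag test rather than a check against a connection table, and that is the behaviour the "bypass" articles describe. The Stage 1 entries never rely on that keyword, so they are a sound way to keep the tenant inside its two ranges, as the first reply says. Stage 2 gives the stateful return-traffic handling on a single IOS device, so a separate firewall at each end is not required for this design; `show policy-map type inspect zone-pair sessions` lets you confirm which sessions the router is actually tracking.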