New requirement - use ACL as security?

Hi,

We have a new situation developing whereby we have entered into an agreement to host a company's equipment in our data center, use our Internet feed and provide some basic support services to them.

This company will be taking some floors in a building we already own and use.

Our data center is in another building so I think they will need to route using our existing infrastructure...

What I was envisaging doing was giving them two IP ranges (One for their client end and one for their server end) within our address range and doing the following:

Inbound Extended ACL at their client end allowing only to their server IP range

Inbound Extended ACL at their server end allowing only to their client IP range

However, after looking around I have noticed people saying that ACLs are not secure and can be bypassed by setting ACK flags, etc.? I understand the concept of this, but how would an attack with this actually take place, as would any receiving clients not respond because they have no idea of the TCP/IP conversation?

Are firewalls the only answer with this and if so, would I need two (One at each end) to accomplish the security?

4 REPLIES
New Member


Jellyman,

Using ACLs will be fine for separating the traffic from the other company. In regards to ACL security, the article that I read stated that it was a false alarm. I will leave a link to the article below.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1824/products_security_notice09186a008022fa2c.html

Hope that helps you out.

Bryan Hefner

New Member


Hi,

I was wondering about it too and found this also.

If you search Google for this book: Managing Cisco Network Security

Then it opens it in quick view... if you search for "penetrating established ACL"

there is a whole paragraph about this?

New Member


Jellyman,

I downloaded the book. I did a quick search with key words and did not find anything relating to bypassing or penetrating ACLs. If you found it, please send me the page number that you found it on.

Bryan

Purple


Hi,

This is for TCP "established" ACLs, which were the first "stateful" firewalling implementation on Cisco IOS, but it is only for TCP-based communication. You can move to more advanced stuff like reflexive ACLs or, better, CBAC or ZBF if you really want to implement a stateful firewall on your IOS device.

Regards.

Alain

Don't forget to rate helpful posts.
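To make the difference concrete, here is an added IOS configuration example (not from any poster in this thread) showing the packet-filter style "established" ACL next to a reflexive ACL, the stateful alternative Alain names. Interface names, the two tenant address ranges (clients 10.10.1.0/24, servers 10.10.2.0/24) and the ACL names are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed: tenant client floors are
! 10.10.1.0/24, their server range 10.10.2.0/24 sits beyond
! GigabitEthernet0/0 (towards the data center). Names are hypothetical.

! --- Weak: stateless ACL that relies on the "established" keyword ---
! "established" only tests whether ACK or RST is set in the TCP header.
! The router keeps no session state, so any packet carrying an ACK bit
! matches the second line whether or not a real session exists.
ip access-list extended TENANT-WEAK-IN
 permit tcp 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 established
 deny   ip any any log

! --- Better: reflexive ACL (stateful, TCP and UDP) ---
! Sessions initiated from the client range create temporary, per-flow
! entries in TENANT-REFLECT; return packets are admitted only while a
! matching entry exists and are dropped once it times out.
ip access-list extended TENANT-OUT
 permit tcp 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 reflect TENANT-REFLECT timeout 300
 permit udp 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 reflect TENANT-REFLECT timeout 60
 deny   ip any any log

ip access-list extended TENANT-IN
 evaluate TENANT-REFLECT
 deny   ip any any log

interface GigabitEthernet0/0
 description towards data center / tenant server range
 ip access-group TENANT-OUT out
 ip access-group TENANT-IN in
```

After a client opens a connection, `show ip access-lists TENANT-REFLECT` lists the dynamically created return-path entries, which is the quickest way to confirm the router is actually tracking state rather than just matching flags.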