What are the best practices when dealing with ACLs?
For example, if I have the network 10.10.10.0/24, and the only outbound traffic these hosts need is to any destination on port 8584, will a single ACL applied in the IN direction suffice?
What about a second ACL applied in the OUT direction? Will this be needed? The servers on the 10.10.10.0/24 network need to be protected, and they only expect outside hosts to initiate connections destined to port 4999 on the host 10.10.10.3.
What is the best possible approach to a situation like this? Security is the number one concern, and we assume that hackers will be testing this heavily.
It depends. What device(s) are you using? If there is high risk associated with this, you may also want to limit TCP connections, use CoPP, etc. Does the 10.10.10.3 host ever initiate communications, e.g. updates, NTP, authentication, etc.?
You probably won't need to use the stateful firewall. Let's use some examples:
access-list 100 permit tcp any host 10.10.10.3 eq 4999
access-list 101 permit tcp any any eq 8584
Let's assume that port FastEthernet0/0 is on the 10.10.10.0/24 network and FastEthernet0/1 is the "outside".
! inside interface: ACL 101 filters what the 10.10.10.0/24 hosts send
interface FastEthernet0/0
 ip access-group 101 in
! outside interface: ACL 100 filters what arrives from the outside
interface FastEthernet0/1
 ip access-group 100 in
This applies each ACL to its interface in the IN direction. This means traffic that enters the interface from the local connection.
We could also do this:
! inside interface: ACL 100 filters what is sent out toward the 10.10.10.0/24 hosts
interface FastEthernet0/0
 ip access-group 100 out
! outside interface: ACL 101 filters what is sent out toward the outside
interface FastEthernet0/1
 ip access-group 101 out
This applies each ACL to its interface in the OUT direction. This means traffic that has passed through the router and is leaving toward the local connection.
The fundamental purpose here (and this applies to configuring the inspection engine as well) is: if your router has multiple interfaces, where do you want to apply restriction/inspection? Let's say you have four interfaces on a router; we'll call them inside, outside, dmz1 and dmz2. If we want to restrict traffic from the outside to the interfaces, would it make sense to block OUT at inside, dmz1, and dmz2? Not really, because we can block everything at one interface, the outside interface. The same goes for outbound traffic.

In this case inspection makes it clearer. We want to inspect all traffic leaving the router. You have two options: create an inspection rule for the inside interface, another for dmz1, and another for dmz2, or do what you should do, which is create one inspection rule and apply it to the outside interface. These are not hard and fast rules; either option will work, and the choice may vary depending on your situation. One is a cleaner, less resource-intensive configuration. Remember the old rule: restrict traffic as close to the source as possible.
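As an added example that is not part of the original answer, here is the same two-interface design written out in full, covering both the ACL lines above and the "one interface, one choke point" placement advice. Two permit lines on their own are not a working policy on a stateless router: the reply half of every TCP session (the SYN/ACK coming back from the port 8584 servers, and 10.10.10.3's own replies to its 4999 clients) would hit the implicit deny on the other interface. The example adds those reply entries with the `established` keyword, an anti-spoofing entry, and explicit logged denies. Interface names follow the answer's assumption (FastEthernet0/0 inside, FastEthernet0/1 outside); the ACL names INSIDE-IN and OUTSIDE-IN are chosen here and are not from the thread.

```cisco
! Added example, not from the original post. Assumes FastEthernet0/0 is the
! inside interface (10.10.10.0/24) and FastEthernet0/1 the outside interface,
! as in the answer above. The ACL names INSIDE-IN / OUTSIDE-IN are chosen here.
!
! Applied inbound on the inside interface: what 10.10.10.0/24 may send out.
ip access-list extended INSIDE-IN
 remark The only session an inside host may open: TCP/8584 to anywhere
 permit tcp 10.10.10.0 0.0.0.255 any eq 8584
 remark Reply half of the sessions outsiders opened to 10.10.10.3:4999
 permit tcp host 10.10.10.3 eq 4999 any established
 remark Everything else from the inside is dropped and logged
 deny ip any any log
!
! Applied inbound on the outside interface: what the rest of the world may send.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing comes first: nothing from outside may claim an inside source
 deny ip 10.10.10.0 0.0.0.255 any log
 remark The single published service
 permit tcp any host 10.10.10.3 eq 4999
 remark Reply half of the TCP/8584 sessions the inside hosts opened
 permit tcp any eq 8584 10.10.10.0 0.0.0.255 established
 remark Everything else (including UDP and ICMP) is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description inside - 10.10.10.0/24
 ip access-group INSIDE-IN in
!
interface FastEthernet0/1
 description outside
 ip access-group OUTSIDE-IN in
```

A few points to check against this example. Both ACLs are applied in the IN direction, so no OUT ACL is needed; on a router with more interfaces (the inside/outside/dmz1/dmz2 case in the answer) OUTSIDE-IN remains the single place that decides what the outside may start. Entries are matched top down, first match wins, which is why the anti-spoofing deny sits above the permit for 10.10.10.3. If 10.10.10.3 does need to initiate anything itself (the NTP, updates and authentication question raised in the answer), each of those flows needs its own explicit permit in INSIDE-IN plus its reply entry in OUTSIDE-IN. The `established` keyword only tests the ACK or RST flag; a crafted packet from source port 8584 with ACK set to any inside port will pass, so it is not real state tracking. If that matters for the threat model, a reflexive ACL (`reflect` on the permit entry and `evaluate` in the return ACL) or the IOS inspection engine (`ip inspect`) gives per-session state. Hit counts can be checked with `show ip access-lists`, and the interface bindings with `show ip interface FastEthernet0/1`.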