RE: [Full-disclosure] RE: Example firewall script

From: Jan Nielsen (jan_at_boyakasha.dk)
Date: 08/27/05

  • Next message: mayhem: "Re: [Full-disclosure] RE: Example firewall script"
    To: <full-disclosure@lists.grok.org.uk>
    Date: Sat, 27 Aug 2005 20:24:51 +0200
    
    

    I think the rules explained here are not intended to be actual rules in
    a firewall, but more of a way to explain what is secure and what is not,
    correct me if im wrong. Oh and btw, acl's ARE used in CBAC (cisco ios
    fw) they are just a tad more intelligently created than in a regular
    acl.

    Jan

    -----Original Message-----
    From: ericscher@mac.com [mailto:ericscher@mac.com]
    Sent: 27. august 2005 18:42
    To: full-disclosure@lists.grok.org.uk
    Subject: [Full-disclosure] RE: Example firewall script

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    =================================
    ORIGINAL MESSAGE:
    -----------------
    Date: Sat, 27 Aug 2005
    From: "Exibar"
    Subject: Example firewall script

    >The absolute worse Firewal rule
    >you can have:
    >
    > Allow ANY ANY
    >
    >The best:
    >
    > Deny ANY ANY
    =================================

    REPLY:
    -------

    Actually, that's not true.
    I would agree that as a general rule of thumb
    you should have a deny statement at the end
    of every ACL. In fact, Cisco places an implicit
    DENY ANY ANY at the end of their ACL's
    automatically.

    However, Access Control Lists are not firewalls.
    Yes, we use them as firewalls, but that's not what
    they are.

    ACL's ARE TRAFFIC SHAPING DEVICES.

    As traffic shaping devices, they can be used for
    security, but they are also used for management
    purposes. For instance; many Autonomous Systems
    are multi-homed. There are decisions to be made
    about how traffic will flow in and out of the AS.
    You also have to decide if you wish to be a
    transit AS or not.

    ACLs are the tool that you use to control your
    traffic.

    While an ACL being used as a security device
    should have a deny statement at the end, proper
    construction of the ACL is more about following
    the proper construction rules.

    This is actually a huge subject, far too big
    for an individual e-mail to a list.

    But there are some basic rules to keep in mind:

    ACL's analyze traffic from top to bottom, so
    keep your most specific entries at the top,
    with more general entries near the bottom;
    and do your "permits" before your "denys".
    That means you deal with hosts first, then
    subnets, then networks, and at each level
    you have your permit statements before your
    deny statements. The reason for this is because
    once a packet matches a line, it's dealt with
    right then and there. You don't want to have
    a packet thrown away just before a line that
    would have permitted it.

    There are also issues of what KIND of ACL to
    use and where to place them; Inbound or Outbound.

    In terms of the original question, the only
    difference between a "good" line item or a
    "bad" line item is whether or not the syntax
    is correct.

    The only difference between a "good" ACL
    and a "bad" ACL is whether or not it's
    structure is properly designed and whether
    or not it's placed in the proper location.

    This subject REALLY calls for a book, not
    an e-mail response. I've said very little
    in this post and look at all the room
    it took up.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    --------------------------------------------------------------------
    mail2web - Check your email from the web at
    http://mail2web.com/ .

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: mayhem: "Re: [Full-disclosure] RE: Example firewall script"

    Relevant Pages

    • RE: [inbox] RE: [Full-disclosure] RE: Example firewall script
      ... FireWall 101 if you will :-) ... > of every ACL. ... > ACL's ARE TRAFFIC SHAPING DEVICES. ... > should have a deny statement at the end, ...
      (Full-Disclosure)
    • RE: [inbox] [Full-disclosure] RE: Example firewall script
      ... If you had ONLY "Allow ANY ANY", why bother having the firewall in place at ... list, "Deny ANY ANY" should be the last rule, IMHO. ... > of every ACL. ... > ACL's ARE TRAFFIC SHAPING DEVICES. ...
      (Full-Disclosure)
    • Re: firewall auditing/testing
      ... Looking at your ACL activity logs is good, but how do you KNOW they are ... To FULLY prove what your firewall is allowing and blocking, ... current firewall security is really secured. ... Download FREE whitepaper on how a managed service can ...
      (Pen-Test)
    • Re: [Full-disclosure] RE: Example firewall script
      ... > of every ACL. ... > DENY ANY ANY at the end of their ACL's ... > should have a deny statement at the end, ... situations where large numbers of disparate hosts ...
      (Full-Disclosure)
    • RE: firewall auditing/testing
      ... Looking at your ACL activity logs is good, but how do you KNOW they are ... To FULLY prove what your firewall is allowing and blocking, ... Download FREE whitepaper on how a managed service can ...
      (Pen-Test)