RE: ACL design.



There is, I believe, an O'Reilly book dedicated to the subject.

I work with (extended) ACLs extensively, and there are a couple of
basic things to keep in mind:

1. Every packet starts at the top of the list and works its way down
until it matches. So the more packets you can match near the top of
the list, the less having an ACL will impact your network performance.
So, for instance, your "permit tcp any any established" line should
be right near the top. Try to put general rules near the top and more
specific rules near the bottom.

2. Every rule's processing includes matching, even if the match fails
and the packet falls through to the next rule, so try to avoid duplicating
effort. Filter out bad source addresses early (anti-spoofing) so you can
just use "any" as the source for the remaining rules.

3. While it never makes sense to have a discontiguous subnet mask,
sometimes you can save a rule or two by having a discontiguous wildcard
mask in an ACL. Get very comfortable with wildcard masks.

4. There are some issues for which you NEED a stateful firewall, and
ACLs just won't cut it. Understand these issues, and don't try to build
baroque ACL structures to "work around" them. Know the limitations of
your tools.

5. This is a reasonably good forum to ask for help with specifics; there
may be even better ones out there.

David Gillett
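
Points 1 and 3 of the reply above, as an added example that is not part of the original message: a small first-match evaluator showing one discontiguous wildcard-mask entry replacing two contiguous ones, with a check that both lists make the same decisions. The addresses, the source-only entries and all function names are assumptions made for illustration.

```python
import ipaddress

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask semantics: a 1 bit is "don't care", a 0 bit must equal the base."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, src):
    """First match wins. Returns (action, number of entries tested)."""
    for tested, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, base, wildcard):
            return action, tested
    return "deny", len(acl)  # implicit deny at the end of the list

# Constructed example: permit 10.1.0.0/24 and 10.3.0.0/24, deny the rest.
TWO_RULES = [
    ("permit", "10.1.0.0", "0.0.0.255"),
    ("permit", "10.3.0.0", "0.0.0.255"),
]
# Second octets 1 (00000001) and 3 (00000011) differ only in the bit worth 2,
# so marking that single bit "don't care" covers both networks in one entry.
MERGED = [
    ("permit", "10.1.0.0", "0.2.0.255"),
]

def same_decisions(acl_a, acl_b, samples):
    """True if both lists permit and deny exactly the same sample sources."""
    return all(evaluate(acl_a, s)[0] == evaluate(acl_b, s)[0] for s in samples)

# Sweep every second octet so an over-broad merged mask would be caught.
SAMPLES = [f"10.{o2}.{o3}.9" for o2 in range(256) for o3 in (0, 1)]

if __name__ == "__main__":
    print(evaluate(TWO_RULES, "10.3.0.7"))  # second entry matches
    print(evaluate(MERGED, "10.3.0.7"))     # first entry matches
    print(evaluate(MERGED, "10.2.0.7"))     # not covered by the merged mask
    print(same_decisions(TWO_RULES, MERGED, SAMPLES))
```

Running the same sweep before deploying a merged entry is a quick way to confirm the wildcard mask does not permit a network you did not intend.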


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Nick Vaernhoej
Sent: Thursday, May 03, 2007 12:53 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: ACL design.

Good afternoon,

What reading material can you guys suggest to establish a
good/great understanding of how to implement and maintain
access control lists?
Imagine going from no ACLs and dumb switches to a number of
core switches and plenty of ACL options. Aside from the
manual telling me how to create them it would be great with
some guidance.

Thanks!

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."





