Re: ACL design.



Off the subject a bit, but I thought I should ask this question since it's been lingering on my mind for some time now. Maybe the guys around here can answer in detail.

I have a remote site getting connected to my server farm. It's our branch office. I have a router in the middle with no firewall, and the addresses on both sides of the interface are private, say 10.10.10.0/24 on my side and 10.20.20.0/24 on the other.

The only thing the branch users access on this side of the router is AD authentication, Exchange (SMTP) and some file shares.
What should be my minimal extended ACL? Currently, it's all through and through, and I feel that's highly insecure.

Any advice??

At 08:58 AM 5/9/2007 +0300, Alex Nedelcu wrote:
It's also important where you place your ACLs.

If you have an advanced ACL that takes into consideration the source,
destination, ports, TOS, etc., you should place it as close to the source
of traffic as possible.

If the ACL is based solely on source addresses they should be placed
as close as possible to the destination.

Another thing that you should take into consideration is to never
apply ACLs in the core area of your network; in a hierarchical model
network the traffic policies should be applied at the distribution
layer. You should analyze carefully the design of your network and
find the ideal places where you should implement filtering; if you
choose badly you may get decreased performance.
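An added example, not written by either poster, of what a minimal extended ACL for the scenario described above could look like on a Cisco IOS router. It follows the placement advice in the quoted reply: the extended ACL is applied inbound on the branch-facing interface, so traffic from 10.20.20.0/24 is filtered as close to its source as the router allows. The interface name (Serial0/0) and the server addresses (a domain controller at 10.10.10.5 that also runs DNS, an Exchange server at 10.10.10.6, a file server at 10.10.10.7) are assumptions for illustration; substitute the real ones. The service ports are the standard ones for AD authentication, SMTP and SMB.

```cisco
! Branch (10.20.20.0/24) -> server farm (10.10.10.0/24), applied inbound
! on the branch-facing interface. Addresses and interface are assumed.
ip access-list extended BRANCH-IN
 remark --- AD authentication against the domain controller (assumed 10.10.10.5) ---
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 53
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 53
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 88
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 88
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 389
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 389
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 3268
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 445
 permit udp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 123
 remark RPC endpoint mapper plus the Windows dynamic RPC range; domain-joined
 remark clients need this for logon/Group Policy. Narrow the range if the DC is
 remark configured with a fixed RPC port range.
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 eq 135
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.5 range 49152 65535
 remark --- Exchange SMTP (assumed 10.10.10.6) ---
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.6 eq 25
 remark --- File shares over SMB (assumed 10.10.10.7) ---
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.7 eq 445
 remark --- Echo for basic reachability tests; drop if not wanted ---
 permit icmp 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo
 remark --- Everything else from the branch is dropped and logged ---
 deny ip any any log
!
! Return direction, applied outbound on the same interface. The router is
! stateless, so TCP replies are matched with "established" and UDP replies
! from the DC's service ports are permitted explicitly.
ip access-list extended BRANCH-OUT
 permit tcp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 established
 permit udp host 10.10.10.5 eq 53 10.20.20.0 0.0.0.255
 permit udp host 10.10.10.5 eq 88 10.20.20.0 0.0.0.255
 permit udp host 10.10.10.5 eq 389 10.20.20.0 0.0.0.255
 permit udp host 10.10.10.5 eq 123 10.20.20.0 0.0.0.255
 permit icmp 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255 echo-reply
 deny ip any any log
!
interface Serial0/0
 description Link to branch office (assumed interface)
 ip access-group BRANCH-IN in
 ip access-group BRANCH-OUT out
```

Two points worth checking before deploying something like this. First, the `deny ip any any log` line makes `show access-lists` and the syslog show exactly which branch traffic is being dropped, which is the quickest way to find a service that was forgotten (for example a second domain controller, or WINS/NetBIOS if older clients still use ports 137 to 139). Second, the dynamic RPC range is the weak spot of any stateless ACL in front of Active Directory; if the router has a stateful feature such as CBAC or a zone-based firewall available, using it for the return direction removes the need for the wide `range` line and the `established` approximation.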


