Re: ACL design.



Off the subject a bit but I thought, I should ask this question since it's been lingering on my mind for some time now. Maybe guys around here can answer in detail.

I have a remote site getting connected to my server farm. It's our branch office. I have a router in the middle with no fire wall and the addresses on both sides of the interface are private, say 10.10.10.0/24 on my side and 10.20.20.0/24 on the other.

The only thing the branch users access on this side of the router is AD authentication, Exchange (SMTP) and some file shares.
What should be my minimal extended ACL? Currently, it' all through and through and I feel that's highly insecure.

Any advise??

At 08:58 AM 5/9/2007 +0300, Alex Nedelcu wrote:
It's also important where you place your ACLS.

If you have an advanced ACL that takes into consideration the source,
destination, ports, TOS etc you should place it as close to the source
of traffic as possible.

If the ACL is based solely on source addresses they should be placed
as close as possible to the destination.

Another thing that you should take into consideration is to never
apply ACLs in the core area of your network, in a hierarchical model
network the traffic policies should be applied at the distribution
layer. You should analyze carefully the design of your network and
find the ideal places where you should implement filtering, if you
choose badly you may get decreased perfomance.