Hello,
I am working with someone designing access control lists on a router and I wanted
the group's opinion on ACL design. The scenario is that the router basically has two
external interfaces (one leading to the world at large and one leading to dialin
devices) and a few internal interfaces. We pretty much want unfettered communication
between the two external interfaces but we want to protect the internal interfaces.
My initial thought was to put the "permits" (and implicit as well as explicit
"denies") on the internal interfaces which are directly related to the service in
question. In other words, if one of the internal segments hosts a web server, I
would think it would be better to put the "permit tcp any host webserver eq www" on
the internal interface. She suggests that we put the rules protecting the internal
services on both the external interfaces. Her reasoning is that the router itself
is less vulnerable if the packet never makes it over any interface to begin with. My
feeling is that the rulesets should be kept as straightforward as possible.
So what does the group think? Does stopping the packet at the external interface
make sense from a denial of service or some other perspective, or should I keep my
rulesets simple with the thought that convoluted rulesets are a detriment to
security?
Thanks in advance,
-- Willie
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
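As an added illustration (not from Willie's post or the list), the two placements described above written as Cisco IOS-style numbered extended ACLs. The interface names, the web server address 192.0.2.10 and the internal range 10.0.0.0/8 are constructed placeholders.

```cisco
! Constructed topology (assumed, not from the original post):
!   Serial0    = link to the Internet     (external)
!   Serial1    = link to the dial-in pool (external)
!   Ethernet0  = internal segment hosting the web server
!   192.0.2.10 = the web server (placeholder address)
!   10.0.0.0/8 = all internal address space (placeholder)
!
! --- Approach A: filter at the protected segment (outbound on Ethernet0) ---
! Only traffic leaving the router toward the internal segment is checked,
! so external<->external traffic is never touched by this list.
access-list 110 remark service permits for the internal web segment
access-list 110 permit tcp any host 192.0.2.10 eq www
! Return traffic for TCP sessions that internal hosts initiated
access-list 110 permit tcp any 10.0.0.0 0.255.255.255 established
access-list 110 deny ip any any log
!
interface Ethernet0
 ip access-group 110 out
!
! --- Approach B: filter at the perimeter (inbound on both externals) ---
! The list must explicitly pass external<->external traffic, and it also
! evaluates packets addressed to the router's own interfaces, which an
! outbound list on Ethernet0 never sees.
access-list 120 remark perimeter filter, applied on every external interface
access-list 120 permit tcp any host 192.0.2.10 eq www
access-list 120 permit tcp any 10.0.0.0 0.255.255.255 established
! Anything else aimed at internal space is dropped and logged
access-list 120 deny ip any 10.0.0.0 0.255.255.255 log
! Traffic between the two external interfaces stays unfettered
access-list 120 permit ip any any
!
interface Serial0
 ip access-group 120 in
!
interface Serial1
 ip access-group 120 in
```

Note that an outbound list on an internal interface never evaluates packets destined to the router itself, so any protection of the router's own addresses has to live on the inbound external lists, and every new internal service under approach B means a matching change on each external interface rather than one.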