Willie,
you bring up two good points. One: from the router's perspective it costs less (resources) to drop a packet at the external interface due to minimal processing. Conversely, this makes a more complicated ruleset in some cases. The benefits of this complication in how lists are applied must be weighed carefully against the benefit in resource utilization of a potential DoS attack. Typically the larger the router the less important this argument becomes, due to the ability to handle increased traffic. Also this argument is relative to the speed of the internet connection attaching to the external interface(s). To DoS the router resources, one must first push enough traffic down a company's internet connection to accomplish this. Typically the bandwidth will become "oversubscribed" before the router's resources are exhausted. So yes, you are both correct. Since security is dependent on humans to implement it, the more convoluted it is the more chance for human error when changes are needed. All in all you are probably quite safe applying the service related lists on the relevant interfaces and your spoofing/RFC 1918 lists on the external interface(s) (assuming this is an edge router). HTH.
Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"
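As an added illustration of the split Ken recommends (not configuration from the thread), here is a constructed Cisco IOS fragment: the anti-spoofing/RFC 1918 list goes inbound on the Internet-facing interface, while the service list protecting the web server segment goes outbound on the internal interface. Interface names and the RFC 5737 addresses (192.0.2.0/24 as the site's own prefix, 192.0.2.10 as the web server) are assumptions for the example.

```cisco
! Constructed example, not from the original post.
! Serial0/0 faces the Internet, FastEthernet0/0 faces the internal
! segment that hosts the web server (assumed names and addresses).
!
! Anti-spoofing / RFC 1918 list for the external interface: drop packets
! that claim a private, loopback or our own source address, then allow
! the rest through so the per-service lists further in can decide.
ip access-list extended FROM-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
! Service list for the internal interface: only web traffic may leave
! the router toward the server segment. Everything not listed falls to
! the implicit deny at the end of the list.
ip access-list extended TO-WEB-SEGMENT
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.10 eq 443
!
interface Serial0/0
 description To Internet (edge)
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 description Internal web server segment
 ip access-group TO-WEB-SEGMENT out
```

Because TO-WEB-SEGMENT is applied outbound on the internal interface, it covers traffic arriving from both external interfaces in one place, which is the simplification Willie was after; the spoofing list stays on the edge where dropping early is cheapest.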
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of William Kupersanin
Sent: Saturday, March 24, 2001 9:19 AM
To: [EMAIL PROTECTED]
Subject: Access lists
Hello,
I am working with someone designing access control lists on a router and I wanted the group's opinion on ACL design. The scenario is that the router basically has two external interfaces (one leading to the world at large and one leading to dial-in devices) and a few internal interfaces. We pretty much want unfettered communication between the two external interfaces but we want to protect the internal interfaces.

My initial thought was to put the "permits" (and implicit as well as explicit "denys") on the internal interfaces which are directly related to the service in question. In other words, if one of the internal segments hosts a web server, I would think it would be better to put the "permit tcp any host webserver eq www" on the internal interface. She suggests that we put the rules protecting the internal services on both the external interfaces. Her reasoning is that the router itself is less vulnerable if the packet never makes it over any interface to begin with. My feeling is that the rulesets should be kept as straightforward as possible.

So what does the group think? Does stopping the packet at the external interface make sense from a denial of service or some other perspective, or should I keep my rulesets simple with the thought that convoluted rulesets are a detriment to security?

Thanks in advance,
-- Willie
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]