On Tue, 30 Aug 2005, Rachael Treu Gomes wrote:

> > There are also issues of what KIND of ACL to
> > use and where to place them; Inbound or Outbound.
> >
> > In terms of the original question, the only
> > difference between a "good" line item or a
> > "bad" line item is whether or not the syntax
> > is correct.
>
> Nicely put.
>
> > The only difference between a "good" ACL
> > and a "bad" ACL is whether or not its
> > structure is properly designed and whether
> > or not it's placed in the proper location.
>
> Again, nicely put. I might also suggest adding the
> idea that ACL logic and format follow with the same
> requirements for placement, and that overarching
> rules/guidelines regarding their structure and flow be
> evaluated on a case-by-case basis. It is incomplete
> and rife with exception, unfortunately, to decree that
> all ACLs and firewall feature sets be constructed in a
> particular manner without taking into account the
> particulars surrounding their respective deployments.
Can anyone suggest a book which discusses ACL theories from different points of view and practical (?existing) applications? I would love to see documentation which addresses security and manageability as it relates to things like minimal ACL-line duplication and ingress+egress filtering techniques. Even in Cisco and 5xx-level networking courses, these issues are barely touched on.

For traffic policies, much has been learned from this list and from practical experience.

-Eric

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
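As an added illustration of the thread's point that a "bad" ACL is one whose structure or placement is wrong (example code written for this page, not from any poster): a small first-match ACL model with a constructed inbound edge-interface ACL in a good and a bad ordering, plus a check that flags shadowed lines, i.e. the "ACL-line duplication" that a broad early entry silently creates. The class and function names, the 10.0.0.0/8 internal range and the 203.0.113.x addresses are assumptions.

```python
# Added example: first-match ACL evaluation and shadowed-line detection.
# Models a Cisco-style ACL applied inbound on an Internet-facing interface.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    src: str              # source CIDR; "0.0.0.0/0" means any
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port; None means any


def matches(ace: Ace, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(ace.src)
            and ip_address(dst) in ip_network(ace.dst)
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl: List[Ace], src: str, dst: str, dport: int) -> str:
    """First matching entry decides; implicit deny if nothing matches."""
    for ace in acl:
        if matches(ace, src, dst, dport):
            return ace.action
    return "deny"


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b would already match a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never be reached (dead lines)."""
    return [i for i, b in enumerate(acl) if any(covers(a, b) for a in acl[:i])]


INTERNAL = "10.0.0.0/8"  # constructed: the site's own address space
# Good: anti-spoof deny first, then the one permitted service.
GOOD_INGRESS = [
    Ace("deny", INTERNAL, "0.0.0.0/0", None),         # our space can't arrive from outside
    Ace("permit", "0.0.0.0/0", "10.0.1.5/32", 443),   # public web server only
]
# Bad: same lines, but a broad permit placed first makes both of them dead.
BAD_INGRESS = [Ace("permit", "0.0.0.0/0", "0.0.0.0/0", None)] + GOOD_INGRESS
```

Running `shadowed(BAD_INGRESS)` reports the two unreachable entries, and `evaluate(BAD_INGRESS, "10.1.2.3", "10.0.1.5", 443)` shows the spoofed packet being permitted.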
