5505 ACL overkill?

Guest

5505 ACL overkill?

Post by Guest » Mon Jan 03, 2011 10:50 am

Simple question. Do you think it's overkill to secure a single system down beyond the basic outside_access_in ACLs? The situation is one box with ssh, https, and dameware. The 8.3 ACL configuration:

    access-list INTERNET_access_in remark HTTPS Rule
    access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq https
    access-list INTERNET_access_in remark DameWare Rule
    access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 6129
    access-list INTERNET_access_in remark Fwd_SSH
    access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 2222
    ...
    object network obj_any
     nat (inside,INTERNET) dynamic interface
    object network 192-168-30-30_FwdSSH
     nat (inside,INTERNET) static interface service tcp ssh 2222
    object network 192-168-30-30_DameWare
     nat (inside,INTERNET) static interface service tcp 6129 6129
    object network 192-168-30-30_HTTPS
     nat (inside,INTERNET) static interface service tcp https https
    access-group INTERNET_access_in in interface INTERNET

I would like to know the general consensus. Would it be overkill to also include ACLs for the INSIDE_access_out as well? This is a single system behind the 5505. I have searched for the best practices on setting up the 5505 and have found that very few admins go beyond the out_access_in ACLs. Thanks

Guest

Re: 5505 ACL overkill?

Post by Guest » Mon Jan 03, 2011 11:48 am

ryschneider wrote:
> Simple question. Do you think it's overkill to secure a single system down beyond the basic outside_access_in ACLs? The situation is one box with ssh, https, and dameware. The 8.3 ACL configuration:
>
>     access-list INTERNET_access_in remark HTTPS Rule
>     access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq https
>     access-list INTERNET_access_in remark DameWare Rule
>     access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 6129
>     access-list INTERNET_access_in remark Fwd_SSH
>     access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 2222
>     ...
>     object network obj_any
>      nat (inside,INTERNET) dynamic interface
>     object network 192-168-30-30_FwdSSH
>      nat (inside,INTERNET) static interface service tcp ssh 2222
>     object network 192-168-30-30_DameWare
>      nat (inside,INTERNET) static interface service tcp 6129 6129
>     object network 192-168-30-30_HTTPS
>      nat (inside,INTERNET) static interface service tcp https https
>     access-group INTERNET_access_in in interface INTERNET
>
> I would like to know the general consensus. Would it be overkill to also include ACLs for the INSIDE_access_out as well? This is a single system behind the 5505. I have searched for the best practices on setting up the 5505 and have found that very few admins go beyond the out_access_in ACLs. Thanks

Personally, at the companies I have worked at, access is always tied down outbound from the internal network as well as inbound, but I appreciate a lot don't do it. The benefits, however:

1) You stop any mischievous/malicious users inside doing things for which your company is ultimately responsible.
2) You can stop automated software/virus getting back out of the firewall.
3) You can, as a side effect, stop any non-routable internet addresses leaking out of the company.

2) & 3) in particular can actually be stopped by not having a default route in your network pointing to the firewall, but it really depends on what you need internet access for.

Where I have worked in the past a web proxy was used for internet access, so we actually didn't have a default route within our network. So I would say it is worth it if you have the time to do it. I suspect that many network admins are so busy that this sort of thing is quite low on their list of things to do.

Jon
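An egress ACL of the kind Jon describes, written for the single host in the original post's configuration, as an added example that is not from either poster. The host address is inferred from the object name 192-168-30-30_Host, the permitted outbound services and the names INSIDE_access_in and RFC1918 are assumptions, and the ACL is applied inbound on the inside interface, which is where the ASA evaluates traffic from that host toward INTERNET.

```cisco
! Added example (ASA 8.3 syntax): outbound filtering for the one box behind the 5505.
! Object assumed from the name used in the original post's ACLs.
object network 192-168-30-30_Host
 host 192.168.30.30
!
! Private ranges that should never be sent toward the Internet (Jon's point 3).
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Deny leaks to private destinations first, and log them, so they cannot
! match the broader permits below. Safe here because there is no other
! internal subnet the host needs to reach through the firewall.
access-list INSIDE_access_in remark Block and log private-address leaks
access-list INSIDE_access_in extended deny ip any object-group RFC1918 log
!
! Permit only what the host actually needs outbound (assumed services).
access-list INSIDE_access_in remark Outbound services the host is allowed to use
access-list INSIDE_access_in extended permit udp object 192-168-30-30_Host any eq domain
access-list INSIDE_access_in extended permit udp object 192-168-30-30_Host any eq ntp
access-list INSIDE_access_in extended permit tcp object 192-168-30-30_Host any eq http
access-list INSIDE_access_in extended permit tcp object 192-168-30-30_Host any eq https
!
! Explicit final deny with logging: anything else the box tries to reach,
! including a compromised service calling out, shows up in syslog (points 1 and 2).
access-list INSIDE_access_in remark Log everything else that is dropped
access-list INSIDE_access_in extended deny ip any any log
!
access-group INSIDE_access_in in interface inside
```

Once an ACL is bound to the inside interface the default higher-to-lower permit no longer applies, so after applying it check `show access-list INSIDE_access_in` and confirm the hit counts accumulate on the permit lines rather than on the final deny.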

Guest

Re: 5505 ACL overkill?

Post by Guest » Mon Jan 03, 2011 1:17 pm

Thanks for the response Jon. I would say that it may add to the time and effort as you stated, both in time to implement but also when it comes to troubleshooting. In my case it's not a big deal so I will most likely make the additions.
