347 Views | 0 Helpful | 2 Replies

5505 ACL overkill?

ryschneider
Level 1

Simple question. Do you think it's overkill to secure a single system down beyond the basic outside_access_in ACLs?

The situation is one box with ssh, https, and dameware. The 8.3 ACL configuration:

access-list INTERNET_access_in remark HTTPS Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq https
access-list INTERNET_access_in remark DameWare Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 6129
access-list INTERNET_access_in remark Fwd_SSH
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 2222

...

object network obj_any
nat (inside,INTERNET) dynamic interface
object network 192-168-30-30_FwdSSH
nat (inside,INTERNET) static interface service tcp ssh 2222
object network 192-168-30-30_DameWare
nat (inside,INTERNET) static interface service tcp 6129 6129
object network 192-168-30-30_HTTPS
nat (inside,INTERNET) static interface service tcp https https
access-group INTERNET_access_in in interface INTERNET

I would like to know the general consensus. Would it be overkill to also include ACLs for the INSIDE_access_out as well? This is a single system behind the 5505. I have searched for the best practices on setting up the 5505 and have found that very few admins go beyond the out_access_in ACLs.

thanks

Accepted Solution

Jon Marshall
Hall of Fame

ryschneider wrote:

Simple question. Do you think it's overkill to secure a single system down beyond the basic outside_access_in ACLs?

The situation is one box with ssh, https, and dameware. The 8.3 ACL configuration:

access-list INTERNET_access_in remark HTTPS Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq https
access-list INTERNET_access_in remark DameWare Rule
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 6129
access-list INTERNET_access_in remark Fwd_SSH
access-list INTERNET_access_in extended permit tcp object WORK object 192-168-30-30_Host eq 2222

...

object network obj_any
nat (inside,INTERNET) dynamic interface
object network 192-168-30-30_FwdSSH
nat (inside,INTERNET) static interface service tcp ssh 2222
object network 192-168-30-30_DameWare
nat (inside,INTERNET) static interface service tcp 6129 6129
object network 192-168-30-30_HTTPS
nat (inside,INTERNET) static interface service tcp https https
access-group INTERNET_access_in in interface INTERNET

I would like to know the general consensus. Would it be overkill to also include ACLs for the INSIDE_access_out as well? This is a single system behind the 5505. I have searched for the best practices on setting up the 5505 and have found that very few admins go beyond the out_access_in ACLs.

thanks


Personally, at the companies I have worked at, access is always tied down outbound from the internal network as well as inbound, but I appreciate a lot don't do it. The benefits however -

1) you stop any mischievous/malicious users inside doing things for which your company is ultimately responsible

2) you can stop automated software/virus getting back out of the firewall

3) you can as a side effect stop any non-routable internet addresses leaking out of the company

2) & 3) in particular can actually be stopped by not having a default route in your network pointing to the firewall, but it really depends on what you need internet access for. Where I have worked in the past a web proxy was used for internet access, so we actually didn't have a default route within our network.

So I would say it is worth it if you have the time to do it. I suspect that many network admins are so busy that this sort of thing is quite low on their list of things to do.

Jon

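As an added example of the outbound tightening Jon describes (not config from either poster), here is an egress ACL for the single host, in the same ASA 8.3 style as the thread's config; since the ASA applies `in` ACLs to traffic entering it on an interface, a filter on what the inside host sends out goes `in interface inside`, not out. It assumes the existing 192-168-30-30_Host object from the inbound ACL, and the resolver/time-server addresses and group names are placeholders.

```cisco
! Added example, not the thread's own config. Assumes the existing object
! 192-168-30-30_Host from the inbound ACL; DNS/NTP addresses are placeholders.
object-group network DNS_SERVERS
 network-object host 192.0.2.53
object-group network NTP_SERVERS
 network-object host 192.0.2.123
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Replies to the inbound HTTPS/SSH/DameWare sessions are allowed by the
! stateful inspection; they need no entries here.
access-list INSIDE_access_in remark Point 3: block private destinations before any broad permit
access-list INSIDE_access_in extended deny ip any object-group RFC1918 log
access-list INSIDE_access_in remark Name resolution and time only to the chosen servers
access-list INSIDE_access_in extended permit udp object 192-168-30-30_Host object-group DNS_SERVERS eq domain
access-list INSIDE_access_in extended permit udp object 192-168-30-30_Host object-group NTP_SERVERS eq ntp
access-list INSIDE_access_in remark Patching over HTTP/HTTPS only
access-list INSIDE_access_in extended permit tcp object 192-168-30-30_Host any eq http
access-list INSIDE_access_in extended permit tcp object 192-168-30-30_Host any eq https
access-list INSIDE_access_in remark Points 1 and 2: everything else is dropped and logged
access-list INSIDE_access_in extended deny ip any any log
access-group INSIDE_access_in in interface inside
```

`show access-list INSIDE_access_in` reports per-line hit counts, which tells you which outbound flows the host actually uses before you tighten further.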

2 Replies


Thanks for the response Jon. I would say that it may add to the time and effort as you stated, both in time to implement but also when it comes to troubleshooting. In my case it's not a big deal so I will most likely make the additions.
