ACL Security lock down questions

Shadowtech
Level 1

Before I get into the question, I understand that the better method would be to use a firewall for what I am trying to accomplish; however, I need to work within the scope of what I have right now, so no new hardware etc. Also, the powers that be have dictated some factors, and regardless of whether it's the best method to accomplish this or not, I once again have to stay within the setup below. So considering that, off to the races.

 

We currently have a network that has production servers and the infrastructure supporting it (virtualization, SAN, backup servers etc.) on two different VLANs:

 

VLAN100 - servers (192.168.10.0/24)

VLAN200 - infrastructure (192.168.20.0/24)

Both of these VLANs are technically connected behind a single port group.

On top of these networks we have client workstations on several different network segments.  

Finally we do have a firewall of course at the head end that blocks traffic there as well. 

 

On both VLAN 100 and VLAN 200 we have the same IN and OUT ACLs applied to them (splitting them into separate ACLs might be an option, but to start let's assume they are not).

 

So let's call the ACLs "MAIN_APP_ACL_IN" and "MAIN_APP_ACL_OUT".

 

Now, these ACLs have existed for several years and have been modified by several parties, not all of whom are still with us, and they control the traffic in and out of these VLANs for a mission-critical application that cannot have any downtime.

 

Our task, whether or not we choose to accept it, is to clean up the ACL, but more importantly we need to have it all end with a "DENY IP ANY ANY" on both sides so that any traffic not explicitly approved can get through for security.

 

We currently have several rules in there, and at the end we have a permit from clients to the network with the logging function enabled so we can go through everything and clean up the traffic to account for everything. Also, regarding the logging of traffic, we're going to assume we do not have a malicious actor on the network already, so any traffic found in the logs is legitimate traffic (I know, bad assumption).

 

One current rule we are pulling into the mix that was not used before is the "established" switch in the ACL lines, to account for ephemeral ports etc., but I do not think we are using it correctly. Also, since security is an issue with this, we CAN NOT do a blatant "PERMIT TCP ANY ANY ESTABLISHED".

 

So for this setup let's say we have an object group that has all client computers in it named "OG_CLIENT_PCS"; also there are object and port groups for the servers and the ports they are listening on. Let's say OG_SERVERS1, OG_SERVERS2, PG_SERVERS1, PG_SERVERS2 (may add in additional ones if needed below, but you get the concept).

 

Now lets say that all client computers need to talk to the servers in server and object group 1. 

 

On the OUT ACL we have a line:

 

permit tcp addrgroup OG_CLIENT_PCS addrgroup OG_SERVERS1 portgroup PG_SERVERS1

 

On the IN ACL we have a reciprocal rule of:

 

permit tcp addrgroup OG_SERVERS1 portgroup PG_SERVERS1 addrgroup OG_CLIENT_PCS

 

Now, with some of this communication we are still seeing traffic with high-level / ephemeral ports, so we added in the "established" switch at the end of both sides, but it still seems to have some traffic showing up.

 

So, using this as a basic example, there are a few things I would like to figure out: what should be best practice for securing the network, and, given what we are required to have, what would be the best way to write rules to accomplish the items below without killing access when both the IN and OUT sides end up having a "DENY IP ANY ANY" added to the end.

 

- Client computers make inbound connections to servers on known ports and have rules set up properly to account for high-level ports etc.

- Servers actually establish connections outbound to client computers for some processes. 

- Servers need to have access out to the internet, to specified IPs and ports.

- Cross VLAN traffic from the 192.168.0.10 to the 192.168.0.20 ranges for server to server communication, specific applications, backups etc. 

- Outside vendors needing access to specific sets of servers on either VLAN directly in from an external IP (VPN in DMZ that the router deals with NAT etc) 

- Application traffic that seems to open up additional ports to allow server-to-server communication, with high-level ports on both sides for additional traffic; this seems to be one of the weird ones that I'm fighting.

 

Thanks again in advance to anyone who can help with this. And if you need some more info, let me know; however, I need to keep it as generic as possible.
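The two-ACL layout from the post, written out as an added example (not the poster's configuration) in NX-OS object-group syntax, with "established" kept only on the reply direction of each flow: it matches TCP segments carrying ACK or RST, so it never matches the SYN that opens a session and adds nothing on the initiating side. The address ranges, the port values (443, 1433, 445) and the OG_INTERNET_ALLOW / PG_INTERNET_ALLOW groups are assumed sample values.

```cisco
object-group ip address OG_CLIENT_PCS
  10 192.168.30.0/24
object-group ip address OG_SERVERS1
  10 192.168.10.0/24
object-group ip port PG_SERVERS1
  10 eq 443
  20 eq 1433
object-group ip address OG_INTERNET_ALLOW
  10 203.0.113.0/24
object-group ip port PG_INTERNET_ALLOW
  10 eq 443

ip access-list MAIN_APP_ACL_OUT
  10 remark client-initiated sessions to servers: named ports, no established (SYN has no ACK)
  20 permit tcp addrgroup OG_CLIENT_PCS addrgroup OG_SERVERS1 portgroup PG_SERVERS1
  30 remark replies to server-initiated sessions and to server internet egress: ACK/RST only
  40 permit tcp addrgroup OG_CLIENT_PCS addrgroup OG_SERVERS1 established
  50 permit tcp addrgroup OG_INTERNET_ALLOW portgroup PG_INTERNET_ALLOW addrgroup OG_SERVERS1 established
  60 remark anything not listed above is dropped and logged so the gap shows up in review
  70 deny ip any any log

ip access-list MAIN_APP_ACL_IN
  10 remark replies to client-initiated sessions: server listening port as source, ACK/RST only
  20 permit tcp addrgroup OG_SERVERS1 portgroup PG_SERVERS1 addrgroup OG_CLIENT_PCS established
  30 remark server-initiated sessions to clients and to the approved internet destinations
  40 permit tcp addrgroup OG_SERVERS1 addrgroup OG_CLIENT_PCS eq 445
  50 permit tcp addrgroup OG_SERVERS1 addrgroup OG_INTERNET_ALLOW portgroup PG_INTERNET_ALLOW
  60 deny ip any any log

interface Vlan100
  ip access-group MAIN_APP_ACL_IN in
  ip access-group MAIN_APP_ACL_OUT out
```

Because "established" only tests the ACK/RST bits and keeps no session state, it cannot follow applications that negotiate fresh high ports on both sides; those need the application's documented port range in a portgroup, or a stateful device in the path.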
