04-22-2010 02:20 AM - edited 03-11-2019 10:36 AM
Dear friends,
Thanks
Tahir
04-22-2010 02:48 AM
Hi,
With regards to documenting rulebases, I think it's more an individual thing and how your current documentation is laid out. Having worked with multiple customers, some just keep the raw ACLs in configuration backups. Others run spreadsheets which they add to whenever a change comes in; however, the latter soon starts to get huge. :)
Secure Desktop or the VPN client should give you the granular control over what they can/can't do; it will also give you the option of checking for valid anti-virus etc., etc. The main thing here is to make sure they only have access to what they need and the specific services.
In my opinion the issue of RSA tokens to external companies is always the best option when it comes to password security.
Hope this helps
Scott
04-22-2010 02:52 AM
Hi Scott,
Thanks for the advice. My rulebase is already huge - I need to take control over it. How would I document a spreadsheet?
Also, when I issue the command "show access-list" there are a lot of access-lists that do not get hit. Is there a way to monitor access lists apart from the hit count?
Thanks
Tahir
04-22-2010 03:07 AM
Hi Tahir,
I presume you are using object groups within your configuration. If this is the case, the spreadsheets I have seen (I have never personally constructed one) have a sheet with all the object groups and the relevant IP addresses, and then separate sheets for each interface. Hence the easiest way I can think of when starting from scratch would be to get the rule base comma-delimited so you can import it into the spreadsheet.
As for 0-hit rules, it's all down to housekeeping, and it is always common to find lots of rules with no hits that were added as knee-jerk reactions to faults or requests. I don't think there is any other way to monitor the ACLs with zero hits on the actual device; you would need to look at a reporting/management platform, I guess, that could collate the data for you.
Scott
If you found any of this helpful please rate the posts..
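As an added example (not from the thread above), the script below parses ASA "show access-list" output, skips the indented object-group expansion lines so each configured ACE is counted once, emits a comma-delimited export for a spreadsheet, and lists the zero-hit rules for housekeeping review. The sample output is constructed here, not captured from a real firewall.

```python
import csv
import io
import re

# Constructed sample of "show access-list" output in ASA format (not from a real device).
SAMPLE = """\
access-list outside_in; 4 elements; name hash: 0x1b2c3d4e
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1523) 0x0a1b2c3d
access-list outside_in line 2 extended permit tcp object-group PARTNERS host 192.0.2.20 eq ssh (hitcnt=0) 0x1a2b3c4d
  access-list outside_in line 2 extended permit tcp host 198.51.100.5 host 192.0.2.20 eq ssh (hitcnt=0) 0x2b3c4d5e
  access-list outside_in line 2 extended permit tcp host 198.51.100.6 host 192.0.2.20 eq ssh (hitcnt=0) 0x3c4d5e6f
access-list outside_in line 3 extended permit udp any host 192.0.2.30 eq domain (hitcnt=42) 0x4d5e6f70
access-list outside_in line 4 extended deny ip any any (hitcnt=0) 0x5e6f7081
"""

# One access control entry: ACL name, line number, the rule text, and its hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse_access_list(text):
    """Return the top-level ACEs; indented object-group expansions are skipped."""
    rules = []
    for raw in text.splitlines():
        if raw.startswith(" "):   # expanded object-group member, not a configured rule
            continue
        m = ACE_RE.match(raw)     # the "; N elements" summary line does not match
        if m:
            rules.append({"acl": m["acl"], "line": int(m["line"]),
                          "rule": m["rule"], "hits": int(m["hits"])})
    return rules

def zero_hit_rules(rules):
    """Rules whose counter is 0: candidates to review, not to delete blindly."""
    return [r for r in rules if r["hits"] == 0]

def to_csv(rules):
    """Comma-delimited export that imports straight into a spreadsheet."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["acl", "line", "rule", "hits"])
    w.writeheader()
    w.writerows(rules)
    return buf.getvalue()

if __name__ == "__main__":
    rules = parse_access_list(SAMPLE)
    print(to_csv(rules))
    for r in zero_hit_rules(rules):
        print(f"no hits: {r['acl']} line {r['line']}: {r['rule']}")
```

Hit counters are not kept across a reload or "clear access-list counters", so a zero count only means "unused since the counters last reset"; compare snapshots taken over a long enough period before treating a rule as dead.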
04-22-2010 03:23 AM
Scott,
Thanks for the advice
Tahir