How to use ACL for Filtering Network Traffic

Dear All,

Kindly tell me how I can use ACLs for network filtering on all uplink and switch ports. Below are the observation and recommendation from our security officer.

Observation: During our review we have noted that 62 network interfaces on CSW01 had no network filtering rules assigned.

Recommendation: It is recommended that all network interfaces be configured with filtering to help prevent unauthorized access to network services and hosts. (I don't understand which traffic I have to block and allow. Usually, which traffic do you block in your network? What are the best practices?)

3 Replies

Francesco Molino
VIP Alumni

Hi

It seems that you have been asked to write ACLs for 62 SVIs. Is it on a switch?

In order to have a legible and simple configuration, you can use object groups and then re-use them in all ACLs.

What are the best practices? It really depends on what the users behind each network need to access.

For sure, you will have to permit DNS and DHCP, and maybe some ICMP for your troubleshooting, but it really depends on what you want to filter. You may ask your security officer what he expects to be blocked and allowed on the network.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Actually, he mentioned physical ports and trunk ports. All ports are connected to client PCs and servers; we have proxy, DC and Exchange servers. Sure, I will ask him. I also want to know from security engineers what they block in their networks, for a better understanding.

On my side, I'm deploying dot1x on almost all networks and authorizing only DNS, DHCP and the RADIUS server. The policy is then pushed by RADIUS depending on user authentication. After authentication, I deploy SGT (Cisco TrustSec) or do ACLs depending on the customer's security requirements (which user should access which services).

For the smallest networks, where there isn't a RADIUS server, I'm doing MAC security on physical ports, but ACLs as explained before.

The goal is to build a matrix of what should be accessed by users, write the ACLs and apply them to the SVIs.

For trunks between switches (if supported), you can use MACsec to encrypt traffic.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
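As an added illustration of what the two replies describe (object groups re-used across ACLs, a baseline that permits DHCP, DNS and some ICMP, the rest of the rules derived from an access matrix, and the result applied inbound on an SVI), here is a Cisco IOS configuration fragment. It is example code written for this thread, not configuration from Francesco's posts or from the original poster's switch; all VLAN numbers, addresses, server roles and group names are assumptions chosen for the example.

```cisco
! Added example, not from the original thread. Addresses, VLANs and
! group names are constructed for illustration only.
!
! Object groups: define servers and services once, re-use in every ACL.
object-group network INFRA-DNS
 host 10.0.0.10
 host 10.0.0.11
object-group network INFRA-DC
 host 10.0.0.20
object-group network INFRA-PROXY
 host 10.0.0.30
object-group network INFRA-EXCHANGE
 host 10.0.0.40
!
object-group service SVC-DNS
 tcp-udp eq domain
object-group service SVC-PROXY
 tcp eq 8080
object-group service SVC-AD
 tcp eq 88
 udp eq 88
 tcp eq 389
 tcp eq 445
 udp eq 123
object-group service SVC-MAIL
 tcp eq 443
!
! Inbound ACL for a user VLAN (traffic from hosts in VLAN 10 entering the
! switch). Order matters: baseline services first, then the matrix rows,
! then an explicit logged deny that replaces the silent implicit deny.
ip access-list extended ACL-VLAN10-IN
 remark --- baseline: DHCP must pass so ip helper-address can relay it
 permit udp any eq bootpc any eq bootps
 remark --- baseline: DNS to the internal resolvers only
 permit object-group SVC-DNS 10.10.0.0 0.0.255.255 object-group INFRA-DNS
 remark --- baseline: echo for troubleshooting, but no other ICMP types
 permit icmp 10.10.0.0 0.0.255.255 any echo
 remark --- matrix row: users -> domain controller (auth, directory, time)
 permit object-group SVC-AD 10.10.0.0 0.0.255.255 object-group INFRA-DC
 remark --- matrix row: users -> proxy (all web browsing goes here)
 permit object-group SVC-PROXY 10.10.0.0 0.0.255.255 object-group INFRA-PROXY
 remark --- matrix row: users -> Exchange (HTTPS only)
 permit object-group SVC-MAIL 10.10.0.0 0.0.255.255 object-group INFRA-EXCHANGE
 remark --- everything else is dropped and logged for review
 deny ip any any log
!
! Apply the ACL on the SVI, not on every access port, so one list covers
! the whole VLAN.
interface Vlan10
 ip address 10.10.0.1 255.255.0.0
 ip helper-address 10.0.0.20
 ip access-group ACL-VLAN10-IN in
!
! A second VLAN re-uses the same object groups; only the source range and
! the matrix rows change.
ip access-list extended ACL-VLAN20-IN
 permit udp any eq bootpc any eq bootps
 permit object-group SVC-DNS 10.20.0.0 0.0.255.255 object-group INFRA-DNS
 permit icmp 10.20.0.0 0.0.255.255 any echo
 permit object-group SVC-PROXY 10.20.0.0 0.0.255.255 object-group INFRA-PROXY
 deny ip any any log
!
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
 ip helper-address 10.0.0.20
 ip access-group ACL-VLAN20-IN in
```

After applying, `show ip access-lists ACL-VLAN10-IN` shows per-ACE hit counters, and the logged hits on the final `deny` are the quickest way to find matrix rows that were forgotten before users start complaining. Because the object groups are referenced by name, adding a second domain controller means one `host` line in `INFRA-DC` rather than editing every VLAN's ACL, which is exactly the legibility benefit the first reply points at.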