ACL - Maintain security

Rossy
Level 1

Hi guys, I would like to ask for any advice on how to secure a network or site and how to maintain security. Should I apply an ACL, and which ACLs?

 

Heres the scenario. 

In one site, there is a Finance Network which has 10 users. It has Internet access, but staff are not allowed to use it either, due to security concerns. There is 1 IT Support who is maintaining the server of the Finance Network. So what I did, I added a VLAN for the Finance Network and for IT Support on this site.

 

There is another site, the Sales Department: 5 users who have Internet access, and one user who has restricted access to a secure Finance Server via VPN. The Sales Department is on a highly restricted basis. The Sales Department will use the same computer to access the Finance Network.

In the site where the Sales Department is, there is also an IT Department which can remotely manage all servers on each site. I also added VLANs for Sales and the IT Department.

 

For this scenario, I thought about using Remote Desktop so that IT support can manage each site's servers. I am not sure about the VPN.

 

Can you please give me any ideas on how I can restrict access to the Finance Department? For the Internet, I thought about putting an ACL on the Finance network so that staff won't be able to access the Internet. By doing this, do you think the one user from the Sales Department would still have access to the Finance network?

 

 

6 Replies

Julio E. Moisa
VIP Alumni

Hi

You could use an ACL to restrict ports or networks. If you are managing the edge device where the NAT is configured to get Internet access, you can remove the Finance department from the list and specify which subnets will be able to reach the Internet.

 

Now I'm not really sure what your topology is, so please correct me if I understand wrong, but is IT included in the Finance and Sales VLANs? I prefer to provide IT support with a specific VLAN; if the traffic is in the same site you could use RDP to reach the servers. VPN can be an option if the connection is through the Internet from remote sites.

 

Remember that you need an L3 device to enable communication between VLANs.

 

:-)

 

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Hi Julio. Thank you for taking the time to give me an idea.

The Finance department and the 1 IT support belong to a different site.

1st site: I have a VLAN for the Finance Department and a VLAN for this one IT support.

2nd site: the Sales Department and IT Department. I created a VLAN for Sales and another VLAN for the IT department.

There is only 1 computer in the Sales site that is only used to access the Finance Department.

If I disable the Internet access of the Finance Department, can the IT Department remotely manage the server in Finance (although there's 1 IT support in that site already)?

Will RDP work if I disable their Internet access? If I have VPN, do I still need RDP?

 



Hi,

Do you have a topology of your network, or any picture representing how the sites are interconnected? If you are connecting to the server remotely through a private link or VPN, you could disable the Internet for a specific network. You have to identify the data traffic and the Internet traffic; they could have different flow paths.





Hi Julio,

Here's the network design:

 

Thank you Rossy,

I see. You will not have any problem disabling the Internet for specific networks, because the data traffic is going through the MPLS network. For example, if a New Zealand Outskirt user wants to connect to the server in Washington, it will use the MPLS to reach it via RDP, and this can be confirmed with a traceroute.

 

Data traffic represents the internal communication within your company using your private network segments. In your case MPLS is being used to interconnect all your sites; it is a private infrastructure.

 

Internet traffic is used to reach unknown networks outside of your company. 

 

:-)

 






Julio, thank you so much for your clear explanation. I was all over the place until you explained this to me in a simple way.

 

I will just add an ACL in Router 1 to restrict the Finance Department network from accessing the Internet, with this ACL rule:

 

     Finance - VLAN 20 - 172.16.2.128/28, wildcard 0.0.0.15

     IT Support - VLAN 11 - 172.168.0.0/30, wildcard 0.0.0.1

 

access-list 100 deny tcp 172.16.2.128 0.0.0.15 any eq www

access-list 100 permit ip any any

! The source is written as network plus wildcard (not /28), and an extended ACE needs a destination ("any").
! This denies HTTP from the Finance network only and permits IT Support to access the Internet.
! Every ACL ends with an implicit "deny any", so the final entry must permit all other traffic (RDP, etc.).

Is this right? 

 

 

What do you think is the best solution for Sales Department to have restricted access to Finance Department?

 

I am not sure whether I should add the ACL to Router1, where Finance and the 1 IT support reside, or to Router3, where Sales and IT support reside.

 

Can I add this ACL rule in Router3 where Sales Department and IT support reside?

access-list 101 permit ip <Host IP Address-Marketing> <Wildcard> <Finance Department Network Address> <Wildcard>

access-list 101 permit ip <IT Support Department Network Address> <Wildcard> <Finance Department Network Address> <Wildcard>

 

What I understand of this ACL I am applying to Router3 is that it permits one computer from Sales Support and permits IT support to have access to the Finance Department.

 

Or should I add an ACL in Router1 where Finance Department and 1 IT support reside?

 

Thank you so much, Julio.
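To check what the ACLs in this post actually do, here is a small evaluator (an added example, not from the thread or from Cisco) that implements wildcard-mask matching, first-match order and the implicit deny at the end of a Cisco numbered extended ACL; the ACL lines and flows are constructed samples using the Finance subnet and wildcard above, and the same evaluator can be fed the ACL 101 entries once the placeholders are filled in.

```python
import ipaddress

PORTS = {"www": 80}  # port keyword used in the thread's ACL lines

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard mask: bits set to 1 are "don't care" bits.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_ace(line: str) -> dict:
    # access-list N {permit|deny} PROTO SRC [WC] DST [WC] [eq PORT]; "any" is shorthand
    # for 0.0.0.0 255.255.255.255. (The "host" keyword is not handled here.)
    tok = line.split()
    pos = 4  # tokens 0..3 are: access-list, number, action, protocol
    def read_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        pos += 2
        return (tok[pos - 2], tok[pos - 1])
    src, dst = read_addr(), read_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = PORTS.get(tok[pos + 1]) or int(tok[pos + 1])
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst, "dport": dport}

def evaluate(acl: list, src: str, dst: str, proto: str, dport: int) -> str:
    # First matching entry wins; a flow matching nothing hits the implicit deny.
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"

# Constructed sample ACLs using the Finance subnet and wildcard from the thread.
ACL_WWW_ONLY = [  # as posted: the final permit covers HTTP only
    "access-list 100 deny tcp 172.16.2.128 0.0.0.15 any eq www",
    "access-list 100 permit tcp any any eq www",
]
ACL_CATCHALL = [  # same deny, but the final permit covers all other traffic
    "access-list 100 deny tcp 172.16.2.128 0.0.0.15 any eq www",
    "access-list 100 permit ip any any",
]
```

Running the Finance and IT Support flows through it shows that a final permit covering only www leaves RDP to the implicit deny, and that denying www alone still lets port 443 through.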