01-08-2014 08:07 AM - edited 03-04-2019 10:01 PM
Hi everyone and thank you in advance for your assistance.
I have a legal requirement to allow access to a given set of WAN sites while blocking all other WAN sites. Yes these are MPLS sites, however its a meshed and there are no plans to "segment" the WAN. The WAN routers are managed by outside company and we would prefer to use "owned" devices to facitliate this need.
So in detail I need:
SiteA and SiteB to communicate with each other no ACLs - current configuration no issues.
SiteA and SiteB to be limited to only speak to configured WAN sites 1,3,5 using a "whitelist" ACL.
Quesions/Answer:
Use a port based ACL (ACL configed on the PHY interface) on the uplink between SiteA router and SiteA L3 Core to permit access to only approved WAN sites
Use a port based ACL (ACL configed on the PHY interface) on the uplink between SiteB router and SiteB L3 Core to permit access to only approved WAN sites
I am attaching a diagram of what I am trying to accomplish for clarity...
Solved! Go to Solution.
01-08-2014 08:45 AM
What routing protocols are in use at each site? EIGRP, OSPF? BGP across the WAN? You could most likely accomplish this with prefix lists
I'd personally need more info on how things are routed.
Say you were using EIGRP within each site, redistributing that into BGP to Sites A and B. You could then control access with route-maps and prefix lists
Perhaps you already have something like this in place, if so that would be great and yo could simply remove the network segments as applicable.
01-08-2014 08:45 AM
What routing protocols are in use at each site? EIGRP, OSPF? BGP across the WAN? You could most likely accomplish this with prefix lists
I'd personally need more info on how things are routed.
Say you were using EIGRP within each site, redistributing that into BGP to Sites A and B. You could then control access with route-maps and prefix lists
Perhaps you already have something like this in place, if so that would be great and yo could simply remove the network segments as applicable.
01-08-2014 08:58 AM
I agree with David, filter the networks in routing. Much easier to administer than ACL's all over the place.
01-08-2014 09:20 AM
Chris
As David says we would be able to give you better advice if we knew more about the environment and how things are configured. But based on what you have given us to work with so far I offer these suggestions as partial answers to your questions:
- if you do not control the WAN routers I can understand your desire to establish the controls on a device that you do control and access lists on the core to WAN link should be able to accomplish what you want.
- depending on some subtleties of the legal requirements (which we do not know) I believe that you will want both inbound and outbound access lists. An inbound or an outbound access list would be able to prevent two way communication. But if the requirement is that nothing from 2, 4, 6 can get into the network for A/B and that nothing from A/B can get into the networks of 2, 4, 6 then you need both inbound and outbound.
- I would think that an approach based on either whitelist (permit only 1, 3, 5) or on blacklist (deny 2, 4, 6) would achieve your requirements. But the white list may be easier to demonstrate that the legal requirement is satisfied.
- note that we do not have enough information to assess potential impact on typical WAN services (such as DNS, NTP, Email, etc) and that the whitelist approach will quite strictly say that communication over the WAN is only permitted with 1, 3, 5.
HTH
Rick
01-08-2014 09:30 AM
Hi everyone - I didnt even think about prefix list and blocking the routes from appearing in the routing tables. We are using BGP globally on our WAN into each sites core.
We do not default route to the WAN only our local firewalls for internet access.
If I use a prefix list "whitelisting" the contactable subnets, would that be enough to "block" traffic to the other non-contactable sites? I'll ask my security team (they have a better understanding of the legal requirements).
So a prefix list connected to a route map attached to the neighbor statement would be enough?
01-08-2014 09:40 AM
Traffic would not really be "blocked".The remote network(s) would not even be in the routing table. A downside is that you would not be able to see the traffic. DISA stated that we had to log the traffic being denied so we had to block with an ACL. That's one thing you may want to bring up.
A prefix-list with a prefix-filter in BGP attached to your neighbor would do it.
01-08-2014 09:49 AM
One of my concerns about the approach of using a prefix list to deny advertisement of routes from the sites is that it only controls sending of traffic from A/B to 2, 4, 6. It does not do anything to prevent traffic from 2, 4, 6 getting into the network of A/B. Would this fully satisfy the legal requirements?
HTH
Rick
01-08-2014 12:50 PM
Richard - wouldnt the lack of a return path to the original network aid us here? Assuming a 2,4,6 client tries to RDP to a server the returning packet would time out as there would be no return path from the core switch, correct?
01-08-2014 01:38 PM
Chris
Correct but that may not be enough for your security requirements. For example a return path may not be needed if you simply wanted to initiate a denial of service ie. you just flood the packets one way, you don't care about whether you get the response back or not.
Another example would be something like SNMP set where you simply send the command to the device and again, you do not care whether you receive a response or not.
So it depends entirely on what you are trying to stop between the networks.
Jon
01-08-2014 02:30 PM
Jon
Thank you for helping to reinforce the point that we need to understand what the security requirements really are.
Chris
You ask "wouldnt the lack of a return path to the original network aid us here". And certainly it would "aid" you. It does at least part of the job. But does it do enough? If the security requirement is that no traffic from 2, 4, 6 can get into the networks of A/B then it is not enough. So what is the security requirement (detail matters here)?
HTH
Rick
01-09-2014 07:00 AM
Hi everyone -
After further discussion with my security team, they are in agreement that a "no return path" is sufficient. We understand that this is not optimal and a firewall is honestly the best option, however we do not have that option at either site. I am going to run some tests using the filters and route-maps to verify the access and let my security team beat on it before we go full scale. I'll update the post once the testing is completed.
Thanks for the advice!
01-09-2014 07:17 AM
Chris
If the legal requirement has been determined and found that no return path is sufficient to satisfy the requirement then filtering routes from the routing table is simpler than using access lists to filter the data traffic.
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide