New requirement - use ACL as security?

Jellyman_4eva
Level 1

Hi,

We have a new situation developing whereby we have entered into an agreement to host a company's equipment in our data center, use our Internet feed and provide some basic support services to them.

This company will be taking some floors in a building we already own and use.

Our data center is in another building so I think they will need to route using our existing infrastructure...

What I was envisaging doing was giving them two IP ranges (One for their client end and one for their server end) within our address range and doing the following:

Inbound Extended ACL at their client end allowing only to their server IP range

Inbound Extended ACL at their server end allowing only to their client IP range

However, after looking around I have noticed people saying that ACLs are not secure and can be bypassed by setting ACK flags, etc.? I understand the concept of this, but how would an attack like this actually take place, as would any receiving clients not respond because they have no idea of the TCP/IP conversation?

Are firewalls the only answer to this, and if so, would I need two (one at each end) to accomplish the security?

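As an added example (not part of the original post), this is roughly what the two inbound extended ACLs described above look like in IOS. The address ranges (clients 10.10.1.0/24, servers 10.10.2.0/24), interface names and descriptions are assumptions; in practice each list sits on whichever router terminates that tenant segment, not necessarily the same box. Two caveats a practitioner would want: the trailing deny also drops tenant traffic towards the shared Internet feed mentioned in the post, so that needs explicit permits; and the ACK-flag concern raised above applies only to the `established` keyword, which this design does not need because each direction is permitted explicitly by the opposite list.

```cisco
! Added example, not from the thread. Assumed addressing: tenant client
! floors 10.10.1.0/24, tenant servers in the data center 10.10.2.0/24.
! Interface names and descriptions are also assumptions.
!
! Applied inbound where the tenant client floors enter our network:
! anything arriving on that interface must come from the client range
! and may only go to the server range (this also blocks spoofed sources).
ip access-list extended TENANT-CLIENT-IN
 remark tenant clients -> tenant servers only
 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 remark add explicit permits here if the tenant also uses our Internet feed
 deny   ip any any log
!
! Applied inbound where the tenant server segment enters our network:
! the mirror image, so return traffic does not need "established".
ip access-list extended TENANT-SERVER-IN
 remark tenant servers -> tenant clients only
 permit ip 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255
 deny   ip any any log
!
! The keyword the thread worries about. "established" matches any TCP
! segment with ACK or RST set and keeps no connection state, so a crafted
! ACK-set packet with no real session behind it would match this line
! (the target answers an unsolicited ACK with a RST, which is enough to
! tell a scanner the host is up). Not used in the lists above; shown
! commented out for comparison only.
!  permit tcp 10.10.2.0 0.0.0.255 10.10.1.0 0.0.0.255 established
!
interface GigabitEthernet0/1
 description tenant client floors
 ip address 10.10.1.1 255.255.255.0
 ip access-group TENANT-CLIENT-IN in
!
interface GigabitEthernet0/2
 description tenant servers (data center)
 ip address 10.10.2.1 255.255.255.0
 ip access-group TENANT-SERVER-IN in
```

Check the hit counters with `show ip access-lists TENANT-CLIENT-IN` after generating some tenant traffic; the `log` on the deny lines shows what is being dropped while the permits are still being tuned.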
4 Replies

swordcrowned
Level 1

Jellyman,

Using an ACL will be fine for separating the traffic from the other company. In regards to ACL security, the article that I read stated that it was a false alarm. I will leave a link to the article below.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1824/products_security_notice09186a008022fa2c.html

Hope that helps you out.

Bryan Hefner

Hi,

I was wondering about it too and found this also..

If you search Google for this book: Managing Cisco Network Security

Then it opens it in quick view... if you search for "penetrating established ACL"

There is a whole paragraph about this?

Jellyman,

I downloaded the book. I did a quick search with key words and did not find anything relating to bypassing or penetrating ACLs. If you found it, please send me the page number that you found it on.

Bryan

Hi,

This is for TCP "established" ACLs, which were the first "stateful" firewalling implementation on Cisco IOS, but it is only for TCP-based communication, and you can move to more advanced stuff like reflexive ACLs or, better, CBAC or ZBF if you really want to implement a stateful firewall on your IOS device.

Regards.

Alain

Don't forget to rate helpful posts.
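As an added example (not Alain's own configuration), here is a minimal Zone-Based Policy Firewall (ZBF) setup for two tenant segments like the ones in the question, which is the stateful alternative to an `established` ACL. The interface names, zone names and policy names are assumptions. The difference that matters for the ACK-flag question: `inspect` creates a session entry when the client sends the first packet and admits server-to-client traffic only if it matches that entry, so a packet with ACK set but no session behind it is dropped rather than matched.

```cisco
! Added example, not from the thread. Assumed: tenant clients behind
! GigabitEthernet0/1, tenant servers behind GigabitEthernet0/2; zone,
! class-map and policy-map names are assumptions as well.
!
! Which traffic to session-track from clients to servers.
class-map type inspect match-any TENANT-APPS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! "inspect" creates a session on the first packet and admits only the
! return traffic that belongs to that session. Everything else crossing
! this zone-pair is dropped and logged.
policy-map type inspect CLIENT-TO-SERVER
 class type inspect TENANT-APPS
  inspect
 class class-default
  drop log
!
zone security TENANT-CLIENTS
zone security TENANT-SERVERS
!
! Only one zone-pair: clients may initiate towards servers. With no pair
! in the other direction the server side cannot open new sessions to the
! clients, and an ACK-set packet without a tracked session is dropped.
zone-pair security CLIENTS-TO-SERVERS source TENANT-CLIENTS destination TENANT-SERVERS
 service-policy type inspect CLIENT-TO-SERVER
!
interface GigabitEthernet0/1
 description tenant client floors
 zone-member security TENANT-CLIENTS
!
interface GigabitEthernet0/2
 description tenant servers (data center)
 zone-member security TENANT-SERVERS
```

Verify the session table with `show policy-map type inspect zone-pair CLIENTS-TO-SERVERS sessions`. Two caveats: once an interface is a zone member, traffic between it and any interface that is not in a zone is dropped, so the shared Internet-facing interface needs its own zone and zone-pair before the tenant can use it; and if the servers must initiate connections to the clients (backups, management), add a second zone-pair in that direction with its own policy rather than loosening this one. This also answers the "two firewalls" question in the original post: one router that sees both segments is enough, because the state is kept per zone-pair rather than per end.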