
Re: [Full-disclosure] RE: Example firewall script

Subject: Re: [Full-disclosure] RE: Example firewall script
Date: Tue, 30 Aug 2005 17:15:49 -0700 (PDT)
On Tue, 30 Aug 2005, Rachael Treu Gomes wrote:
> There are also issues of what KIND of ACL to
> use and where to place them; Inbound or Outbound.
>
> In terms of the original question, the only
> difference between a "good" line item or a
> "bad" line item is whether or not the syntax
> is correct.

Nicely put.

> The only difference between a "good" ACL
> and a "bad" ACL is whether or not its
> structure is properly designed and whether
> or not it's placed in the proper location.

Again, nicely put.  I might also suggest adding the 
idea that ACL logic and format follow with the same 
requirements for placement, and that overarching 
rules/guidelines regarding their structure and flow be 
evaluated on a case-by-case basis.  It is incomplete
and rife with exception, unfortunately, to decree that
all ACLs and firewall feature sets be constructed in a 
particular manner without taking into account the
particulars surrounding their respective deployments.

Can anyone suggest a book which discusses ACL theories in different points
of view and practical (?existing) applications?  I would love to see
documentation which addresses security and manageability as it relates to
things like minimal ACL-line duplication and ingress+egress filtering
techniques.  Even in Cisco and 5xx-level networking courses, these issues
are barely touched on.  For traffic policies, much has been learned from
this list and from practical experience.

-Eric


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770
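The points raised above (ACL placement, line ordering, and ingress+egress filtering) can be made concrete with a small first-match ACL model. The following is an added example for illustration; it is not the firewall script discussed in the thread nor code by any poster. The interface name `eth0`, the internal range `10.0.0.0/8`, the web server address, and all packet values are constructed for the example. It evaluates an ACL with first-match semantics and an implicit trailing deny, flags lines that an earlier line fully shadows (one source of needless line duplication), and shows how the same lines in a different order let a spoofed internal source address through.

```python
"""First-match ACL model with shadowed-line detection (hypothetical example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")          # constructed: the site's internal range
WEB_SERVER = ip_network("10.0.0.80/32")      # constructed: public web server


@dataclass(frozen=True)
class Rule:
    iface: str          # interface the ACL is bound to
    direction: str      # "in" (ingress) or "out" (egress) relative to the interface
    src: IPv4Network
    dst: IPv4Network
    proto: str          # "tcp", "udp", "icmp" or "any"
    action: str         # "permit" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: IPv4Address
    dst: IPv4Address
    proto: str


def pkt(iface: str, direction: str, src: str, dst: str, proto: str) -> Packet:
    """Build a Packet from plain strings (convenience for tests and demos)."""
    return Packet(iface, direction, ip_address(src), ip_address(dst), proto)


def rule_matches(rule: Rule, p: Packet) -> bool:
    return (rule.iface == p.iface
            and rule.direction == p.direction
            and p.src in rule.src
            and p.dst in rule.dst
            and rule.proto in ("any", p.proto))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """The first matching line decides; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule_matches(rule, p):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` is already matched by `outer`."""
    return (outer.iface == inner.iface
            and outer.direction == inner.direction
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto))


def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of lines that can never match because an earlier line covers them."""
    return [i for i, r in enumerate(acl) if any(covers(acl[j], r) for j in range(i))]


# ACL bound to the outside interface. Anti-spoofing deny comes first, the narrow
# permit for the web server after it, and egress only permits our own addresses.
GOOD_ACL = [
    Rule("eth0", "in", INTERNAL, ANY, "any", "deny", "ingress: internal sources never arrive from outside"),
    Rule("eth0", "in", ANY, WEB_SERVER, "tcp", "permit", "public web server"),
    Rule("eth0", "out", INTERNAL, ANY, "any", "permit", "egress: only our own addresses leave"),
]

# Same intent, wrong structure: an over-broad permit placed first both shadows the
# specific web-server line (index 2) and is evaluated before the anti-spoofing deny.
BAD_ACL = [
    Rule("eth0", "in", ANY, INTERNAL, "tcp", "permit", "too broad, and placed too early"),
    Rule("eth0", "in", INTERNAL, ANY, "any", "deny", "anti-spoofing, now evaluated too late"),
    Rule("eth0", "in", ANY, WEB_SERVER, "tcp", "permit", "never reached: covered by line 0"),
    Rule("eth0", "out", INTERNAL, ANY, "any", "permit", "egress"),
]

if __name__ == "__main__":
    spoofed = pkt("eth0", "in", "10.1.2.3", "10.0.0.80", "tcp")   # internal source from outside
    print("good ACL, spoofed packet:", evaluate(GOOD_ACL, spoofed))  # deny
    print("bad ACL, spoofed packet: ", evaluate(BAD_ACL, spoofed))   # permit
    print("shadowed lines in bad ACL:", shadowed(BAD_ACL))          # [2]
```

The shadow check is deliberately conservative: it only reports a line when a single earlier line covers it entirely, so a line that is only partly masked by several earlier lines still shows up as reachable. That is enough to catch the plain duplication case the message above asks about, without pretending to be a full rule-set analyser.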

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
