Ingress versus egress ACL filtering

Assuming the need for filtering on internal VLANs on a network, what is considered to be the best practice between the two if you have limited resources and can choose only one?  Assume a setup of at least two VLANs with standard workstations and a server VLAN.  Assume a mixture of voice and data networks, and assume that Windows and Linux networks are in place.  Are there exceptions to this rule that you set up because of certain technologies?  What are the reasons for your opinions?
awakenings asked:
lrmoore commented:
The phrasing of the question makes it sound like a homework assignment, but I've read some of your other questions and comments, so I'll bite on this one.

Ingress and Egress can have two different meanings with two different scenarios.
Ingress/Egress to/from a network - Ingress from outside world into the network, Egress out of the network to the rest of the world. We typically see very stringent access rules on what can come in (unsolicited) to the network, for example only port 80 to a specific web server, only port 25 to a specific mail server, etc. We set up Egress filters to restrict outgoing traffic to match our local policies. For instance, we can restrict outbound smtp to only the ip address of the mail server, restrict outbound port 80 to the www server, restrict certain ip subnets to only using web services outbound to port 80 only, etc, etc..

Ingress/Egress from a Cisco device perspective - Ingress is a filter on any interface coming into the box, regardless of perspective from the network point of view. Filters in/out can be described in this way:
Think of the cisco device as a room. From outside this room, every door (interface) is marked "IN". From inside this room, every door is marked "OUT".
On the outside of each door, there is a doorman. His name is 'ingress'. He must check everyone's ID against a list before allowing entrance.
On the inside of the room is one bouncer. His name is "egress". He has his rules that require certain guests be only allowed to go out certain doors (based on route tables among other things).
One entrance has no doorman at all (this is the "inside" interface to the local LAN) so no packets are challenged getting into the room. Now it is up to "egress" to determine what to do with all these guests (packets).

If you put an ingress doorman (filter, acl-group "in") on the outer door, you reduce the work on the bouncer.
If you only put an egress rule on the bouncer (filter, acl-group "out") but don't restrict what gets into the room, then the lone bouncer (CPU) has to do all the work.
It is far more efficient to put the doormen on the outsides of the room and never allow anything in at all that the bouncer would just have to kick out anyway (to the bit bucket). We very rarely apply cisco access-list filters "out" on an interface because we block at the other interface (nearest the source) "in".
So, even an Egress filter restricting outbound traffic from the network to the world is applied as an Ingress filter at the cisco device.


HTH
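The placement lrmoore describes, an ACL applied "in" on the interface nearest the source so that unwanted packets are dropped before the routing step, written out as an added Cisco IOS example (this is not lrmoore's configuration or the asker's network). The VLAN numbers, subnets and server addresses are assumed for illustration: VLAN 20 holds workstations on 10.10.20.0/24, VLAN 10 holds servers on 10.10.10.0/24.

```cisco
! Constructed example (not from the original post). Assumed addressing:
!   VLAN 20 = workstations, 10.10.20.0/24, gateway 10.10.20.1
!   VLAN 10 = servers,      10.10.10.0/24 (DNS .53, web .80, mail .25)
!
! The "doorman": a named extended ACL evaluated as packets ENTER the device
! on the workstation SVI, before any route lookup is done for them.
ip access-list extended WORKSTATIONS-IN
 remark Workstations may reach only the services they need on the server VLAN
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.53 eq 53
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.80 eq 80
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.25 eq 25
 remark Anything else aimed at the server VLAN is dropped at the door
 deny   ip  10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark Traffic to all other destinations is left to the rest of the policy
 permit ip  any any
!
interface Vlan20
 description Workstation VLAN (constructed example)
 ip address 10.10.20.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
!
! The "bouncer" alternative from the answer would be the same rule set applied
! with "ip access-group WORKSTATIONS-IN out" on interface Vlan10: every packet
! would first be routed and only then checked, so the device does the routing
! work for traffic it is going to discard anyway.
```

Match counters for each line are visible with `show ip access-lists WORKSTATIONS-IN`, which is the quickest way to confirm the filter sits where the traffic actually enters. Two practical points: the closing `permit ip any any` means the implicit deny at the end of the list never fires, so a default-deny posture needs that line replaced with the specific permits you want; and the `in`/`out` keywords are relative to the device, exactly as the room analogy states, so "outbound from the workstation VLAN" is still an `in` filter on Vlan20.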
awakenings (author) commented:
lrmoore,

I completely forgot.  I'm sorry.  I had something I was thinking in regards to this.  Your arguments are very good. I was thinking purely of internal networks, but neglected to mention this.  Let me throw a couple more ideas your way.  Let's assume that you wanted to protect a network.  Obviously the kinds of likely threats are worms, spyware, etc.  If you had say 20 or 30 different VLANs that you wanted to put ACLs on, would you choose internal or external?  What if your object was security and not productivity, but you didn't want to upset the business unit with slow speeds?  Would your answer change?  Would you put ACLs on the outbound or inbound?  In other words, if you do outbound traffic, you would slow things down somewhat, but you could potentially protect other networks from potentially negligent traffic or from some worms, etc.  If you did inbound you assume that all is "bad" from other subnets and protect them from people connecting where they shouldn't.  What would you choose to do and why?