Ingress versus egress ACL filtering

Posted on 2006-05-07
Medium Priority
Last Modified: 2012-06-22
Assuming the need for filtering on internal VLANs on a network, what is considered to be the best practice between the two if you have limited resources and can choose only one?  Assume a setup of at least two VLANs with standard workstations and a server VLAN.  Assume a mixture of voice and data networks, and assume that Windows and Linux networks are in place.  Are there exceptions to this rule that you set up because of certain technologies?  What are the reasons for your opinions?
Question by: awakenings
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 16624992
The phrasing of the question makes it sound like a homework assignment, but I've read some of your other questions and comments, so I'll bite on this one.

Ingress and Egress can have two different meanings with two different scenarios.
Ingress/Egress to/from a network - Ingress from outside world into the network, Egress out of the network to the rest of the world. We typically see very stringent access rules on what can come in (unsolicited) to the network, for example only port 80 to a specific web server, only port 25 to a specific mail server, etc. We set up Egress filters to restrict outgoing traffic to match our local policies. For instance, we can restrict outbound smtp to only the ip address of the mail server, restrict outbound port 80 to the www server, restrict certain ip subnets to only using web services outbound to port 80 only, etc.

Ingress/Egress from a Cisco device perspective - Ingress is a filter on any interface coming into the box, regardless of perspective from the network point of view. Filters in/out can be described in this way:
Think of the cisco device as a room. From outside this room, every door (interface) is marked "IN". From inside this room, every door is marked "OUT".
On the outside of each door, there is a doorman. His name is 'ingress'. He must check everyone's ID against a list before allowing entrance.
On the inside of the room is one bouncer. His name is "egress". He has his rules that require certain guests be only allowed to go out certain doors (based on route tables among other things).
One entrance has no doorman at all (this is the "inside" interface to the local LAN) so no packets are challenged getting into the room. Now it is up to "egress" to determine what to do with all these guests (packets).

If you put an ingress doorman (filter, acl-group "in") on the outer door, you reduce the work on the bouncer.
If you only put an egress rule on the bouncer (filter, acl-group "out") but don't restrict what gets into the room, then the lone bouncer (CPU) has to do all the work.
It is far more efficient to put the doormen on the outsides of the room and never allow anything in at all that the bouncer would just have to kick out anyway (to the bit bucket). We very rarely apply cisco access-list filters "out" on an interface because we block at the other interface (nearest the source) "in".
So, even an Egress filter restricting outbound traffic from the network to the world is applied as an Ingress filter at the cisco device.
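The "doorman nearest the source" principle above, written out as a Cisco IOS configuration. This is an added example, not part of the original answer: the VLAN numbers, subnets and server addresses (10.1.10.0/24 workstations, 10.1.20.0/24 servers, 10.1.30.0/24 voice, and the individual server hosts) are assumptions chosen for illustration, as is the set of permitted services.

```cisco
! Added example (not from the original answer). Layer-3 switch with three SVIs.
! All VLAN numbers and addresses below are assumptions for illustration:
!   VLAN 10 = workstations 10.1.10.0/24
!   VLAN 20 = servers      10.1.20.0/24
!   VLAN 30 = voice        10.1.30.0/24
!
! The policy is applied "in" on the workstation SVI: that is the doorman at
! the door nearest the source. Packets it denies are dropped before the
! routing engine (the "bouncer") ever has to look them up.
ip access-list extended WORKSTATIONS-IN
 remark Source must be the workstation subnet (drops spoofed sources too)
 remark Workstations may reach servers only on the services they need
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.10 eq 445
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.20 eq 3389
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq domain
 remark No workstation access to the voice VLAN or to any other server port
 deny   ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark Everything else (Internet-bound via the default route) is allowed
 permit ip 10.1.10.0 0.0.0.255 any
 remark Anything that reached here is not from 10.1.10.0/24; log and drop
 deny   ip any any log
!
interface Vlan10
 description Workstation VLAN
 ip address 10.1.10.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
!
! The less efficient alternative from the answer: the same server-side rules
! as an "out" filter on the server SVI. Each packet is routed first and only
! then dropped by the bouncer, and this placement no longer says anything
! about workstation-to-voice traffic, which never exits Vlan20.
ip access-list extended SERVERS-OUT
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.10 eq 445
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.20 eq 3389
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq domain
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.5 eq domain
 deny   ip  10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip  any any
!
! interface Vlan20
!  ip access-group SERVERS-OUT out
```

Two caveats a practitioner will hit with the inbound placement. First, an ACL on the SVI only sees traffic that leaves the VLAN through the router; two workstations in VLAN 10 talking to each other are switched at Layer 2 and are never checked, so a worm spreading inside one VLAN is not stopped by this filter. Second, IOS extended ACLs are stateless: WORKSTATIONS-IN only filters packets sourced from workstations, so if you later add an inbound ACL on Vlan20 as well, the server-to-workstation reply traffic must be permitted there explicitly (for example with `established` for TCP, or a reflexive ACL), otherwise the sessions you just allowed will be broken in the return direction.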


Author Comment

ID: 16726265

     I completely forgot.  I'm sorry.  I had something I was thinking in regards to this.  Your arguments are very good. I was thinking purely of internal networks, but neglected to mention this.  Let me throw a couple more ideas your way.  Let's assume that you wanted to protect a network.  Obviously the kinds of likely threats are worms, spyware, etc.  If you had say 20 or 30 different VLANs that you wanted to put ACLs on, would you choose internal or external?  What if your objective was security and not productivity, but you didn't want to upset the business unit with slow speeds?  Would your answer change?  Would you put ACLs on the outbound or inbound?  In other words, if you do outbound traffic, you would slow things down somewhat, but you could potentially protect other networks from potentially negligent traffic or from some worms, etc.  If you did inbound you assume that all is "bad" from other subnets and protect them from people connecting where they shouldn't.  What would you choose to do and why?
