nappyshock

asked on

inside interface access list on firewall

This is not a problem, I'm after people's expert opinion. I've been installing the odd firewall (mainly ASAs) over the years and I have never put an inbound access-list on the inside (trusted) interface. I have always relied on having inbound access-lists on the outside and DMZ interfaces for protection, and the only reason I could see for one on the inside interface would be to control what your users can access in the outside world.
I have just started at a new company and am expected to take over looking after numerous existing customers with existing network setups, and I have noticed that the previous engineer, who I'm replacing and who installed them all, always put an inbound access-list on the inside interface on every firewall he installed. This makes administration a lot more involved, as you must take into account permitting traffic out from your LAN as well as in from the outside world.
I'm tempted to remove these access-lists, but I'm thinking maybe it is me who has been doing things wrong over the years.
So my question is... Is this good security practice or is it unnecessary overkill?
Ernie Beek

Imho it depends on the company policy. If there is no policy on what user/machines may connect to, I normally don't apply outgoing access-lists (because of the overhead in management as you said). There can be times you do want such an access list. For example: disallowing everyone to be able to send mail out, except for the mail server.
So for me, normally I don't apply those lists but it completely depends on the individual situation and/or policies.
In my opinion it is good security practice to apply the extra access list. The principle of least privilege applies: if all outbound traffic is not required, then don't permit it.

Take an example in a small business with an on-site email server, such as Microsoft Small Business Server. In most cases only this machine will need outbound access on TCP port 25 for SMTP. Therefore you should define an access-list which prevents all other machines sending out traffic on TCP port 25. Then if a desktop PC gets infected with a mass-mailing virus it cannot access the internet to transmit the messages, and you have limited the impact it will have on the network. There are countless other examples.

nappyshock

ASKER

Hmmmm, one opinion for and one against, that doesn't help me much!

On our company's in-house firewall (fairly big company), by far the biggest and most complex access-list is the inside-in access-list; it is pages long.
Perhaps a compromise is called for. How about an access-list that ends in a permit all, but only denies specified traffic such as Saineolai suggests, i.e. SMTP? This would make it a lot more manageable.
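The two approaches discussed above, the least-privilege inside ACL from Saineolai's SMTP example and the "deny a few things, then permit all" compromise from the asker's post, written out as Cisco ASA configuration. This is an added example, not configuration from the thread; the LAN range, mail server address, object names and ACL names are assumed.

```cisco
! Assumed addressing: LAN 192.0.2.0/24, mail server 192.0.2.25, internal DNS 192.0.2.53
object network MAIL_SERVER
 host 192.0.2.25
object-group service WEB_OUT tcp
 port-object eq www
 port-object eq https

! --- Variant 1: least privilege (Saineolai's approach) ---
! Only the mail server may send SMTP. Anything not explicitly permitted is
! dropped by the implicit deny at the end of a bound ACL; the explicit
! "deny ip any any log" at the end exists only so that drops are logged,
! which is how a mass-mailing infection on a desktop becomes visible.
access-list INSIDE_IN extended permit tcp object MAIL_SERVER any eq smtp
access-list INSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 any object-group WEB_OUT
access-list INSIDE_IN extended permit udp 192.0.2.0 255.255.255.0 host 192.0.2.53 eq domain
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! --- Variant 2: the compromise (asker's suggestion) ---
! Deny only the listed traffic and end with a permit, so adding a new
! outbound service on the LAN needs no firewall change. Note the order:
! the mail server's permit must come before the blanket SMTP deny.
! Only one ACL can be bound per interface and direction, so this
! access-group line replaces the binding above if you choose this variant.
access-list INSIDE_IN_COMPROMISE extended permit tcp object MAIL_SERVER any eq smtp
access-list INSIDE_IN_COMPROMISE extended deny tcp any any eq smtp log
access-list INSIDE_IN_COMPROMISE extended permit ip any any
access-group INSIDE_IN_COMPROMISE in interface inside
```

With no ACL bound to the inside interface at all, the ASA permits traffic from the higher security level (inside) to lower ones by default, which is the behaviour the asker has relied on; either variant above replaces that default with an explicit policy.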
ASKER CERTIFIED SOLUTION
Ernie Beek
SOLUTION
Thanks for your views, guys.