inside interface access list on firewall

This is not a problem, I'm after people's expert opinion. I've been installing the odd firewall (mainly ASAs) over the years and I have never put an inbound access-list on the inside (trusted) interface; I have always relied on having inbound access-lists on the outside and DMZ interfaces for protection, and the only reason I could see for one on the inside interface would be to control what your users can access in the outside world.
I have just started at a new company and am expected to take over looking after numerous existing customers with existing network setups, and I have noticed that the previous engineer, whom I'm replacing and who installed them all, always put an inbound access-list on the inside interface of every firewall he installed. This makes administration a lot more involved, as you must take into account permitting traffic out from your LAN as well as in from the outside world.
I'm tempted to remove these access-lists, but I'm thinking maybe it is me who has been doing things wrong over the years.
So my question is... Is this good security practice, or is it unnecessary overkill?
Ernie Beek (Expert) commented:
Well I'm not against, I only think you have to assess each situation separately.
On paper it is a good security practice to use inside access lists, IRL it doesn't always apply.

You could first have a look at the current access list and see if it can be cleaned up and/or 'compressed' by combining multiple lines into one. The lists have a tendency to grow because lines are being added but not cleaned up when no longer needed.

Your compromise is also a good idea, as long as you take great care in setting that up (but of course you know that :)
Ernie Beek (Expert) commented:
Imho it depends on the company policy. If there is no policy on what user/machines may connect to, I normally don't apply outgoing access-lists (because of the overhead in management as you said). There can be times you do want such an access list. For example: disallowing everyone to be able to send mail out, except for the mail server.
So for me, normally I don't apply those lists but it completely depends on the individual situation and/or policies.
Saineolai commented:
In my opinion it is good security practice to apply the extra access list. The principle of least privilege applies: if all outbound traffic is not required, then don't permit it.

Take an example in a small business with an on-site email server, such as Microsoft Small Business Server. In most cases only this machine will need outbound access on TCP port 25 for SMTP. Therefore you should define an access-list which prevents all other machines sending out traffic on TCP port 25. Then if a desktop PC gets infected with a mass-mailing virus it cannot access the internet to transmit the messages, and you have limited the impact it will have on the network. There are countless other examples.

nappyshock (Author) commented:
Hmmmm, one opinion for and one against, that doesn't help me much!

On our company's in-house firewall (fairly big company), by far the biggest and most complex access-list is the inside-in access-list; it is pages long.
Perhaps a compromise is called for: how about an access-list that ends in a permit all, but only denies specified traffic such as Saineolai suggests, i.e. SMTP? This would make it a lot more manageable.
Saineolai commented:
I also agree that you have to assess each situation separately.  For example a guest internet access facility may not require an outbound ACL, although opinions vary on that too.

However, for a reasonably sized corporate network you will most likely want some control on outbound traffic. While the outbound list may get long if you explicitly permit traffic, at least you will know what is going out. If you explicitly block some stuff and then permit everything else, you lose that knowledge.

You could ask yourself: is it easier to define what I want to allow than what I want to block? In a corporate environment you may have a list of the applications that users are allowed to use. You also have a good starting point in that the ACLs are there and working. I would strongly advocate keeping them, especially if you are not coming under pressure from users or management to remove them.
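The two forms of inside ACL the thread has been debating, written out as an added example (not code from any of the posts above): the blacklist compromise the author proposes (deny SMTP except from the mail server, then permit everything) and the explicit-permit whitelist Saineolai argues for. This is ASA syntax for 8.3 or later (object-based). The object names, the ACL names INSIDE_IN_BLACKLIST and INSIDE_IN_WHITELIST, and the RFC 1918 addresses are assumed for illustration and must be replaced with the real network's values.

```cisco
! Added example, not from the original thread. Object names, ACL names and
! addresses are assumed. ASA 8.3+ syntax. ACLs are first-match, and any ACL
! bound to an interface ends in an implicit "deny ip any any": once one is
! bound inbound on "inside", the default "permit higher-to-lower security
! level" behaviour no longer applies, so every needed flow must be permitted.

object network MAIL_SERVER
 host 192.168.10.25
object-group network INTERNAL_NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
object-group network DNS_SERVERS
 network-object host 192.168.10.10
 network-object host 192.168.10.11

! --- Option 1: blacklist (the compromise proposed in the thread) ---
! Only the mail server may originate SMTP; everything else is allowed out.
! "log" on the deny line records each LAN host that tries to talk on tcp/25.
access-list INSIDE_IN_BLACKLIST extended permit tcp object MAIL_SERVER any eq smtp
access-list INSIDE_IN_BLACKLIST extended deny tcp any any eq smtp log
access-list INSIDE_IN_BLACKLIST extended permit ip any any

! --- Option 2: whitelist (explicit permits, implicit deny at the end) ---
! Longer, but every line documents a flow someone decided to allow.
access-list INSIDE_IN_WHITELIST extended permit tcp object MAIL_SERVER any eq smtp
access-list INSIDE_IN_WHITELIST extended permit udp object-group INTERNAL_NETS object-group DNS_SERVERS eq domain
access-list INSIDE_IN_WHITELIST extended permit tcp object-group INTERNAL_NETS object-group DNS_SERVERS eq domain
access-list INSIDE_IN_WHITELIST extended permit tcp object-group INTERNAL_NETS any eq www
access-list INSIDE_IN_WHITELIST extended permit tcp object-group INTERNAL_NETS any eq https
access-list INSIDE_IN_WHITELIST extended permit icmp object-group INTERNAL_NETS any echo
! Restate the implicit deny with "log" so hit counts and syslog show what is dropped.
access-list INSIDE_IN_WHITELIST extended deny ip any any log

! Bind exactly one of the two inbound on the inside interface.
access-group INSIDE_IN_BLACKLIST in interface inside
```

To check a policy before and after a change, `show access-list INSIDE_IN_BLACKLIST` gives per-line hit counts, and `packet-tracer input inside tcp 192.168.10.50 1025 203.0.113.1 25` shows which line a desktop's outbound SMTP attempt would hit (the destination here is a documentation address; substitute a real one). Two caveats a practitioner should keep in mind: the blacklist stops a classic mass-mailer on tcp/25 but not mail sent via submission on tcp/587 or via webmail, so it is a targeted control rather than full egress filtering; and the whitelist will initially break flows nobody listed (NTP, software updates, VPN clients), so expect to iterate using the hit counts on the logged deny line rather than removing it.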
nappyshock (Author) commented:
Thanks for your views guys