inside interface access list on firewall

Posted on 2011-05-05
Last Modified: 2012-05-11
This is not a problem, I'm after people's expert opinion. I've been installing the odd firewall (mainly ASAs) over the years and I have never put an inbound access-list on the inside (trusted) interface. I have always relied on having inbound access-lists on the outside and DMZ interfaces for protection, and the only reason I could see for one on the inside interface would be to control what your users can access in the outside world.
I have just started at a new company and am expected to take over looking after numerous existing customers with existing network setups. I have noticed that the previous engineer who I'm replacing, and who installed them all, always put an inbound access-list on the inside interface on every firewall he installed. This makes administration a lot more involved, as you must take into account permitting traffic out from your LAN as well as in from the outside world.
I'm tempted to remove these access-lists, but I'm thinking maybe it is me who has been doing things wrong over the years.
So my question is... Is this good security practice or is it unnecessary overkill?
Question by: nappyshock
    LVL 35

    Expert Comment

    by: Ernie Beek
    IMHO it depends on the company policy. If there is no policy on what users/machines may connect to, I normally don't apply outgoing access-lists (because of the overhead in management, as you said). There can be times you do want such an access-list. For example: disallowing everyone from sending mail out, except for the mail server.
    So for me, normally I don't apply those lists, but it completely depends on the individual situation and/or policies.
    LVL 8

    Expert Comment

    In my opinion it is good security practice to apply the extra access-list. The principle of least privilege applies: if all outbound traffic is not required, then don't permit it.

    Take an example in a small business with an on-site email server, such as Microsoft Small Business Server. In most cases only this machine will need outbound access on TCP port 25 for SMTP. Therefore you should define an access-list which prevents all other machines sending out traffic on TCP port 25. Then if a desktop PC gets infected with a mass-mailing virus it cannot access the internet to transmit the messages, and you have limited the impact it will have on the network. There are countless other examples.


    Author Comment

    Hmmmm, one opinion for and one against, that doesn't help me much!

    On our company's in-house firewall (fairly big company), by far the biggest and most complex access-list is the inside-in access-list; it is pages long.
    Perhaps a compromise is called for. How about an access-list that ends in a permit all, but only denies specified traffic such as Saineolai suggests, i.e. SMTP? This would make it a lot more manageable.
    LVL 35

    Accepted Solution

    Well I'm not against, I only think you have to assess each situation separately.
    On paper it is a good security practice to use inside access lists, IRL it doesn't always apply.

    You could first have a look at the current access-list and see if it can be cleaned up and/or 'compressed' by combining multiple lines into one. The lists have a tendency to grow because lines are being added but not cleaned up when no longer needed.

    Your compromise is also a good idea, as long as you take great care in setting that up (but of course you know that :)
    LVL 8

    Assisted Solution

    I also agree that you have to assess each situation separately. For example, a guest internet access facility may not require an outbound ACL, although opinions vary on that too.

    However, for a reasonably sized corporate network you will most likely want some control on outbound traffic. While the outbound list may get long if you explicitly permit traffic, at least you will know what is going out. If you explicitly block some stuff and then permit everything else, then you lose that knowledge.

    You could ask yourself: is it easier to define what I want to allow than what I want to block? In a corporate environment you may have a list of the applications that users are allowed to use. You also have a good starting point in that the ACLs are there and working. I would strongly advocate keeping them, especially if you are not coming under pressure from users or management to remove them.
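As an added illustration (not configuration posted by anyone in this thread), here is what the two approaches discussed above look like as an ASA inside-interface ACL: the "deny a few named flows, then permit everything" compromise from the author's comment, and the explicit permit list this answer argues for. All addresses and object names are constructed, and the object syntax assumes ASA 8.3 or later.

```cisco
! Added example, not configuration from the thread. Addresses are constructed:
! LAN 192.168.10.0/24, mail server 192.168.10.25, internal DNS 192.168.10.53.
! Object syntax assumes ASA 8.3 or later.
object network LAN
 subnet 192.168.10.0 255.255.255.0
object network MAIL_SERVER
 host 192.168.10.25
object network DNS_SERVER
 host 192.168.10.53
!
! Form A: the "compromise" (block a few named flows, permit everything else).
! Order matters: the mail server's permit must precede the LAN-wide deny.
access-list INSIDE_IN remark Only the mail server may originate SMTP
access-list INSIDE_IN extended permit tcp object MAIL_SERVER any eq smtp
access-list INSIDE_IN extended deny tcp object LAN any eq smtp log
access-list INSIDE_IN extended permit ip object LAN any
!
! Form B: explicit permit list (you know exactly what leaves the LAN;
! anything not listed is dropped and logged).
access-list INSIDE_IN_STRICT remark Mail server is the only SMTP sender
access-list INSIDE_IN_STRICT extended permit tcp object MAIL_SERVER any eq smtp
access-list INSIDE_IN_STRICT extended permit udp object DNS_SERVER any eq domain
access-list INSIDE_IN_STRICT extended permit tcp object LAN any eq www
access-list INSIDE_IN_STRICT extended permit tcp object LAN any eq https
access-list INSIDE_IN_STRICT extended deny ip any any log
!
! Bind one of them inbound on the inside interface. Once any ACL is applied
! here, the ASA's default "higher-to-lower security is permitted" behaviour
! no longer applies to that interface, so Form A needs its final permit and
! Form B must list every flow the LAN legitimately needs.
access-group INSIDE_IN in interface inside
```

`show access-list INSIDE_IN` reports a hit count per line, which is the quickest way to find the dead entries the accepted solution suggests pruning before deciding whether the list is really unmanageable.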

    Author Comment

    Thanks for your views guys
