inside interface access list on firewall
Posted on 2011-05-05
This is not a problem; I'm after people's expert opinions. I've been installing the odd firewall (mainly ASAs) over the years and I have never put an inbound access-list on the inside (trusted) interface. I have always relied on having inbound access-lists on the outside and DMZ interfaces for protection, and the only reason I could see for one on the inside interface would be to control what your users can access in the outside world.
I have just started at a new company and am expected to take over looking after numerous existing customers with existing network setups. I have noticed that the previous engineer, whom I'm replacing and who installed them all, always put an inbound access-list on the inside interface of every firewall he installed. This makes administration a lot more involved, as you must take into account permitting traffic out from your LAN as well as in from the outside world.
I'm tempted to remove these access-lists, but I'm thinking maybe it is me who has been doing things wrong over the years.
So my question is... Is this good security practice, or is it unnecessary overkill?
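As an added illustration (not part of the original post, and not the poster's or the previous engineer's configuration), here is a hypothetical ASA 8.3+ fragment contrasting the two designs the question describes: ACLs on outside and DMZ only, leaving the inside interface to the security-level defaults, versus also binding an inbound access-list to the inside interface. The security-relevant point it makes concrete is that binding an access-group to inside removes the implicit higher-to-lower permit, so every flow the LAN may start, including LAN to DMZ, must then be listed explicitly. Interface names, addresses (RFC 5737 documentation ranges), object names and the permitted services are all assumptions; NAT for the DMZ server is omitted because it does not affect the ACL logic.

```text
! --- Hypothetical ASA (8.3+) configuration; added example, not the poster's config ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
object network dmz-web
 host 192.168.100.10
object network inside-lan
 subnet 10.0.0.0 255.255.255.0
!
! Design 1 (the poster's habit): ACLs on outside and dmz only.
! With no access-group on inside, the security levels decide: inside (100)
! may initiate anything to dmz (50) and outside (0), and return traffic is
! allowed by stateful inspection. Nothing the LAN sends is filtered on egress.
access-list OUTSIDE_IN extended permit tcp any object dmz-web eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The dmz (50) would otherwise be free to initiate to outside (0) but not to
! inside (100); an explicit ACL keeps the web server from reaching the LAN
! even if a security level is later changed, and limits it to HTTPS out.
access-list DMZ_IN extended deny ip any object inside-lan log
access-list DMZ_IN extended permit tcp object dmz-web any eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Design 2 (the previous engineer's habit): an inbound ACL on inside as well.
! Binding an access-group to inside replaces the security-level default with
! first-match plus implicit deny, so every flow the LAN is allowed to start
! must be listed, including LAN -> DMZ, which needed no line under Design 1.
! This is the extra administration the question describes; in exchange, a
! compromised LAN host cannot reach arbitrary services on the Internet or DMZ.
access-list INSIDE_IN extended permit udp object inside-lan host 203.0.113.53 eq 53
access-list INSIDE_IN extended permit tcp object inside-lan any eq 80
access-list INSIDE_IN extended permit tcp object inside-lan any eq 443
access-list INSIDE_IN extended permit tcp object inside-lan object dmz-web eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

Before removing or adding an inside ACL on a customer's box, check what it is actually doing rather than reasoning from the lines alone: `show access-list INSIDE_IN` gives per-entry hit counts (a permit with zero hits is a candidate for removal, a busy deny line tells you what the LAN is trying to do), and `packet-tracer input inside tcp 10.0.0.25 1025 192.168.100.10 443` walks a single hypothetical flow through the ACL, NAT and inspection phases and reports where it would be dropped, which is the quickest way to confirm that an egress rule set still permits the LAN-to-DMZ traffic the customer depends on.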