For fun 😬 let's chat about network ACLs and a high-level approach to securing your network. The purpose is to provide multiple levels of protection (i.e. defense in depth).

4 main ACLs to talk about:
✅ Premise ACLs
✅ Inter-zone ACLs
✅ Intra-zone ACLs
✅ Host-based ACLs
Let's start on the outside with Premise ACLs. These reside on your most outward-facing network devices (probably a router or switch) where your Internet circuits plug in. These ACLs would knock down a large amount of unwanted SPAM packets that flood the Internet.
I would implement both inbound and outbound rules. Only allow outbound traffic from your specific publicly routable IP space, block private IP space, implement bogon lists, and also only allow known, expected protocols that should be coming into your environment from the Internet.
These are very high-level ACLs, so you don't need to care so much about specific source and destination IPs for allowed protocols. Conversely, that means blocking all other protocols (i.e. port scanning attempts). Cut the crap before it hits your firewall.

Next, Inter-zone...
Inter-zone ACLs reside on routing devices.
Ideally, if you are routing a lot of traffic through a firewall, this would be a perfect place to set up zone-based rules between various security zones. The rules permit and deny communication between different subnets/VLANs/zones.
I like to make a security zone for every VLAN, but at a minimum, break up your zones into external (untrusted), DMZ, servers, and workstations. I don't believe that is enough, and you should have a security zone for each type of unique service.

jbcsec.com/network-securi…
Intra-zone ACLs reside within a security zone/VLAN. Most organizations don't look at protecting traffic within a security zone, which can allow for lateral movement of a compromised machine. These types of ACLs are normally attached to an individual VLAN via VLAN access maps.
I make these ACLs as small as I can, so they would permit all expected host-to-host traffic within the VLAN, then block all other traffic that is sourced and destined to hosts within the VLAN, and lastly, allow all other traffic.
Since we are only concerned with traffic sourced and destined within the same VLAN, we are relying on the upstream Inter-zone policies to actually protect the traffic going from one VLAN to a different VLAN… defense in depth.
Lastly, host-based ACLs are a last line of defense to provide a bit of redundancy in the event of a misconfiguration on the upstream network devices. I would also recommend adding host-based ACLs on all devices.
Normally, I would employ these in an inbound-only manner. This is because I'm only concerned with protecting against inbound communications, as I'm relying on the Intra- and Inter-zone ACLs to stop unwanted outbound traffic. These can be from iptables or software firewalls.
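As an added example (not the author's code and not from the thread), here is a small Python model of the four ACL layers above on constructed sample addressing; all networks, hosts and ports are assumptions. The intra-zone function follows the permit-expected / block-other-intra-VLAN / allow-the-rest order described for the VLAN access map, and reaches_server shows that a packet must clear every layer it crosses, so a gap in one layer is caught by the next.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread): documentation
# ranges stand in for "our" public block, a server VLAN and a workstation VLAN.
PUBLIC_SPACE = ipaddress.ip_network("203.0.113.0/24")
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_PORTS = {443, 25}  # the only protocols expected in from the Internet
SERVERS = ipaddress.ip_network("10.10.0.0/24")
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/24")

def _in(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

# 1. Premise ACLs on the Internet edge: coarse, no per-host detail.
def premise_in(src, dst, dport):
    if _in(src, BOGONS) or not _in(dst, [PUBLIC_SPACE]):
        return False  # bogon/private source, or not addressed to our space
    return dport in INTERNET_PORTS  # everything else (e.g. port scans) dies here

def premise_out(src, dst, dport):
    return _in(src, [PUBLIC_SPACE]) and not _in(dst, BOGONS)

# 2. Inter-zone ACLs on the routing device: zone pair -> permitted ports.
INTER_ZONE = {(WORKSTATIONS, SERVERS): {443, 445}}
def inter_zone(src, dst, dport):
    for (s, d), ports in INTER_ZONE.items():
        if _in(src, [s]) and _in(dst, [d]):
            return dport in ports
    return False  # zone pairs with no rule may not talk at all

# 3. Intra-zone ACL (VLAN access map) on the server VLAN: expected flows only.
EXPECTED_INTRA = {("10.10.0.10", "10.10.0.20", 5432)}  # app server -> database
def intra_zone(src, dst, dport, vlan=SERVERS):
    same_vlan = _in(src, [vlan]) and _in(dst, [vlan])
    if same_vlan and (src, dst, dport) in EXPECTED_INTRA:
        return True   # permit expected host-to-host traffic inside the VLAN
    if same_vlan:
        return False  # block all other traffic that stays inside the VLAN
    return True       # allow the rest; upstream Inter-zone rules protect it

# 4. Host-based ACL, inbound only: per-host allow list on the server itself.
HOST_INBOUND = {"10.10.0.20": {5432}, "10.10.0.10": {443}}
def host_inbound(src, dst, dport):
    return dport in HOST_INBOUND.get(dst, set())

def reaches_server(src, dst, dport):
    # Every layer a packet bound for the server VLAN crosses must permit it.
    crossing = not _in(src, [SERVERS])  # routed in from another zone?
    return ((not crossing or inter_zone(src, dst, dport))
            and intra_zone(src, dst, dport) and host_inbound(src, dst, dport))
```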
If you read all this way, I'd love to hear your thoughts!
If you liked this, check out my YouTube channel : youtube.com/c/cyberinsight

Also, sign up for my blog and newsletter👍
mailchi.mp/e7b56addb7fc/c…
Keep Current with JohnMB | CyberInsight on YouTube