Transit access control lists (ACLs) are used to increase network security by explicitly permitting only required traffic into your network or networks. This document presents guidelines and recommended deployment techniques for filtering transit and edge traffic at your network ingress points.

In most edge network environments, such as a typical enterprise network Internet point of presence, ingress filtering should be used to drop unauthorized traffic at the edge of the network. In certain service provider deployments, this form of edge or transit traffic filtering can also be used effectively to limit the flow of transit traffic to and from customers to specific permitted protocols only. This document focuses on an enterprise deployment model.

The example design is a typical enterprise Internet connectivity design. Two edge routers, IR1 and IR2, provide direct connectivity to the Internet. Behind these two routers, a pair of firewalls (Cisco PIXes in this example) provides stateful inspection capabilities and access to both the internal network and the demilitarized zone (DMZ). The DMZ contains public-facing services such as DNS and web; this is the only network accessible directly from the public Internet. The internal network should never be accessed directly by the Internet, but traffic sourced from the internal network must be able to reach Internet sites.

The edge routers should be configured to provide a first level of security through the use of inbound ACLs. The ACLs allow only specifically permitted traffic to the DMZ and allow return traffic for internal users accessing the Internet. All nonauthorized traffic should be dropped on the ingress interfaces.

In general, a transit ACL is composed of four sections. It opens with special-use address and anti-spoofing entries that deny illegitimate sources and packets with source addresses that belong within your network from entering the network from an external source, and it ends with an explicit deny statement. Note: Although all ACLs contain an implicit deny statement, Cisco recommends use of an explicit deny statement, for example, deny ip any any. On most platforms, such statements maintain a count of the number of denied packets that can be displayed using the show access-list command.

The first step in the development of a transit ACL is to determine the protocols required within your networks. Although every site has specific requirements, certain protocols and applications are widely used and are most often permitted. For instance, if the DMZ segment provides connectivity for a publicly accessible web server, TCP from the Internet to the DMZ server address(es) on port 80 is required. Similarly, internal connections to the Internet require that the ACL permit return established TCP traffic: traffic that has the acknowledgment (ACK) bit set. The development of this list of required protocols can be a daunting task, but there are several techniques that can be used, as needed, in order to help identify required traffic. Review your local security policy / service policy; your local site policy should help provide a baseline of permitted and denied services. Review/audit your firewall configuration.
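The structure described above (anti-spoofing entries first, permitted return traffic, permitted inbound traffic to the DMZ, explicit deny last), written out as an IOS extended ACL applied inbound on one of the edge routers. This is an added example, not the configuration from the original document. All addresses are assumptions drawn from the documentation ranges: 192.0.2.0/24 is taken as the enterprise's public block, with the DMZ web server at 192.0.2.10, the DMZ DNS server at 192.0.2.20, and 192.0.2.128/25 as the firewalls' NAT pool for internal users. The ACL name and interface name are likewise assumed.

```cisco
! Added example (not from the original document). Assumed addressing:
!   192.0.2.0/24      enterprise public block
!   192.0.2.10        DMZ web server
!   192.0.2.20        DMZ DNS server
!   192.0.2.128/25    firewall NAT pool used by internal users
! Applied inbound on the Internet-facing interface of IR1 (name assumed).
!
ip access-list extended TRANSIT-IN
 remark --- Section 1: anti-spoofing and special-use sources ---
 remark Packets claiming our own public block as source cannot arrive from the Internet
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark RFC 1918 and other special-use sources are never valid on the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark --- Section 2: return traffic for internal users ---
 remark "established" matches segments with the ACK or RST bit set
 permit tcp any 192.0.2.128 0.0.0.127 established
 remark --- Section 3: externally sourced traffic to the DMZ ---
 permit tcp any host 192.0.2.10 eq 80
 permit udp any host 192.0.2.20 eq 53
 permit tcp any host 192.0.2.20 eq 53
 remark --- Section 4: explicit deny; its hit counter shows what was dropped ---
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group TRANSIT-IN in
!
! Verify hit counts per entry, including the explicit deny:
! show access-lists TRANSIT-IN
```

Order matters: IOS evaluates entries top to bottom and stops at the first match, so the anti-spoofing denies must precede the `established` permit, otherwise a crafted packet with the ACK bit set and a spoofed 192.0.2.x source would be accepted by Section 2 before Section 1 ever saw it. Also note that `established` is stateless: it admits any segment carrying ACK or RST toward the NAT pool, so it reduces exposure but does not track connections; that is the job of the stateful PIXes behind the edge routers. Return traffic without an ACK bit (for example UDP DNS answers to an internal resolver) is not covered by this entry and needs its own permit. The `log` keyword on the deny entries is useful while tuning the list, but on busy links consider logging only a sample, since logging is handled in software on most platforms.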