RE: Cisco ACL Question

Wed, 11 Jun 2003 14:15:42 -0700 

Hi,

Using just ACL filtering alone is not the way to implement good security. It
won't work with applications that negotiate ports dynamically without
opening all the ports.  If this is your perimeter router, you will need to
have a firewall behind it to provide necessary protection. Or use the CBAC
feature of the IOS firewall feature set which provide stateful inspection
and protocol fixup. Port are open dynamically thus you do not need to
permanently open a wide range of ports using ACL.

Edmund

-----Original Message-----
From: noconflic [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 11 June 2003 6:49 AM
To: [EMAIL PROTECTED]
Subject: Cisco ACL Question


Hello, 

   I have a question about the following inbound Cisco ACL entry...

      access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

 From what i understand so far is that this entry is required for normal 
outbound ftp,tftp,dns, and traceroute traffic. It has been suggested that 
one should specificly add deny rules for common UDP ports above that range. 
My question, I am looking for suggestions to make that more restrictive ? 
What problems would there be with other hosts on the LAN if the entry was 
removed ?

Thanks, 

-CH 

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant, while
InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

Reply via email to