Security Basics mailing list archives

RE: ACL design.


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Wed, 9 May 2007 13:28:49 -0500

Good afternoon,

Thank you for all your answers. Every little bit helps a great deal.

-----Original Message-----------------------------------------------------------
From: David Gillett
Sent: Friday, May 04, 2007 11:55 AM

 There is, I believe, an O'Reilly book dedicated to the subject.

 I work with (extended) ACLs extensively, and there are a couple of
basic things to keep in mind:

1.  Every packet starts at the top of the list and works its way down
until it matches.  So the more packets you can match near the top of
the list, the less having an ACL will impact your network performance.
So, for instance, your "permit tcp any any established" line should
be right near the top.  Try to put general rules near the top and more
specific rules near the bottom.

2.  Every rule's processing includes matching, even if the match fails
and the packet falls through to the next rule, so try to avoid
duplicating effort.  Filter out bad source addresses early (anti-spoofing)
so you can just use "any" as the source for the remaining rules.

3.  While it never makes sense to have a discontiguous subnet mask,
sometimes you can save a rule or two by having a discontiguous wildcard
mask in an ACL.  Get very comfortable with wildcard masks.

4.  There are some issues for which you NEED a stateful firewall, and
ACLs just won't cut it.  Understand these issues, and don't try to
build baroque ACL structures to "work around" them.  Know the limitations
of your tools.

5.  This is a reasonably good forum to ask for help with specifics;
there may be even better ones out there.

David Gillett
---------------------------------------------------------------------------

I am having a real tough time finding good reading material aside from
the manual.

Could you elaborate on the first sentence under your second point? I
disconnected on that one ;-)

-----Original Message-----------------------------------------------------------
From: Alex Nedelcu
Sent: Wednesday, May 09, 2007 12:58 AM

It's also important where you place your ACLs.

If you have an advanced ACL that takes into consideration the source,
destination, ports, TOS etc you should place it as close to the source
of traffic as possible.

If the ACL is based solely on source addresses they should be placed
as close as possible to the destination.

Another thing that you should take into consideration is to never
apply ACLs in the core area of your network, in a hierarchical model
network the traffic policies should be applied at the distribution
layer. You should analyze carefully the design of your network and
find the ideal places where you should implement filtering; if you
choose badly, you may get decreased performance.
---------------------------------------------------------------------------

We have two sites with three Extreme Network Cores in each location.
Everything (except for DMZs and other segmented areas) will be
directly attached to the cores. How can I keep the ACLs away from
them?

Nick
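As an added illustration that is not part of this thread: a small Python simulation of Cisco-style first-match ACL processing with wildcard masks, showing David's points 1 to 3 together (the "established" rule near the top, anti-spoofing first, a discontiguous wildcard mask). The inside network 172.16.0.0/16, the rules and the packet mix are all constructed for the example.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is a don't-care

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # A 0 bit in the wildcard must equal the base; a 1 bit is ignored.
    # Unlike a subnet mask, the 1 bits need not be contiguous.
    w = _i(wildcard)
    return (_i(addr) | w) == (_i(base) | w)

def evaluate(acl, pkt):
    """Top-down, first match wins, implicit deny at the end.
    Returns (action, number of rules evaluated for this packet)."""
    for n, (action, src, dst, established) in enumerate(acl, 1):
        if established and not pkt["ack"]:   # 'established' needs ACK/RST; simplified to an ack flag
            continue
        if wildcard_match(pkt["src"], *src) and wildcard_match(pkt["dst"], *dst):
            return action, n
    return "deny", len(acl)

def total_evaluations(acl, packets):
    return sum(evaluate(acl, p)[1] for p in packets)

# Constructed rules for an inbound ACL; 172.16.0.0/16 is the assumed inside network.
RULES = {
    "antispoof":    ("deny",   ("172.16.0.0", "0.0.255.255"), ANY, False),
    "established":  ("permit", ANY, ANY, True),
    "web":          ("permit", ANY, ("172.16.10.5", "0.0.0.0"), False),
    # Discontiguous wildcard: one rule covers every even-numbered /24 in 172.16.0.0/16.
    "even_subnets": ("permit", ANY, ("172.16.0.0", "0.0.254.255"), False),
}
SLOW = [RULES[k] for k in ("antispoof", "web", "even_subnets", "established")]
FAST = [RULES[k] for k in ("antispoof", "established", "web", "even_subnets")]

# Constructed traffic mix: return traffic dominates, so it should match early.
PACKETS = [{"src": "203.0.113.9", "dst": "172.16.21.7", "ack": True}] * 10 + [
    {"src": "198.51.100.4", "dst": "172.16.10.5", "ack": False},  # new flow to web server
    {"src": "172.16.3.3",   "dst": "172.16.10.5", "ack": False},  # spoofed inside source
    {"src": "198.51.100.4", "dst": "172.16.4.1",  "ack": False},  # even subnet: permitted
    {"src": "198.51.100.4", "dst": "172.16.5.1",  "ack": False},  # odd subnet: implicit deny
]

if __name__ == "__main__":
    print("rule evaluations, slow order:", total_evaluations(SLOW, PACKETS))  # 50
    print("rule evaluations, fast order:", total_evaluations(FAST, PACKETS))  # 32
```

The spoofed packet is dropped by rule 1 in both orderings, while moving "established" up cuts the work done for the bulk return traffic from four rule comparisons per packet to two.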

