• PowerCrazy@lemmy.ml
    link
    fedilink
    arrow-up
    6
    arrow-down
    6
    ·
    1 year ago

    Network ACLs are my bane. Someone long ago decided we needed to “isolate” the network, so they put ACLs everywhere and so now 50% of my teams time is spend fucking with ACLs :/ It’s awful.

    • R0cket_M00se@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Yeah don’t get me wrong it’s an excellent part of network security but if it’s not defined primarily on one device it’s a hassle.

      • PowerCrazy@lemmy.ml
        link
        fedilink
        arrow-up
        1
        arrow-down
        6
        ·
        1 year ago

        Only if you assume IP Addresses act as authentication for what that host is. But since they don’t, I see ACLs as a security blanket.
        I can change the IP of a server I control and bypass any ACL easily. If I have control of my network as well, then no ACL you apply can stop any of my servers from hitting whatever server you have allowed any of my servers to hit. So why not just allow my entire network block?

        • R0cket_M00se@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          I don’t assume that, and that’s why I only consider IP based ACL’s as a “part of this balanced security solution” because while handy, modern attacks are smarter everyday and heuristics based NIP systems are essential.

          In the military we called it the “swiss cheese model”, in ORM you use as many layers of security as you can to prevent a mishap. Controlling what subnets can access certain others keeps Becky from accounts payable from getting access into accounts receivable’s data and writing her own checks. Sure, a network admin/sysadmin could just change their IP, but Becky doesn’t have that access. I usually define network access by the subnet, if we aren’t comfortable with all devices in a LAN having access then it’s a pretty locked down solution, in which case we most likely have higher level requirements like application/port number or port security .1X.

          I’m assuming your servers all reside in the same subnet? If not, changing the IP without changing the VLAN and/or trunking it to the access layer switch you’re attached to would only result in a loss of connection.

          For your use case I’d just allow the whole LAN and define applications we are ok with having communications between the two subnets, and as always a well thought out DMZ goes a really long way.

          • PowerCrazy@lemmy.ml
            link
            fedilink
            arrow-up
            5
            arrow-down
            6
            ·
            1 year ago

            Right but if you want to start doing application level blocking, then the proper tool for the job is a stateful firewall and even better, a RADIUS/Kerberos system that authenticates every connection between servers.

            Basically I use ACLs to prevent spoofing attacks from originating out of my network, and also to lock down the management plane of my network devices to specific subnets. In all other cases a stateful firewall should be used exclusively.

            In any other case ACLs provide the illusion of security and create a huge amount of operational friction especially in a dynamic environment.