Message-ID: <Pine.LNX.4.50.0508301703200.7900-100000@kegger.national-security.net>
Date: Wed Aug 31 01:38:43 2005
From: fd at ew.nsci.us (fd@...nsci.us)
Subject: RE: Example firewall script

On Tue, 30 Aug 2005, Rachael Treu Gomes wrote:
> > There are also issues of what KIND of ACL to 
> > use and where to place them; Inbound or Outbound.
> > 
> > In terms of the original question, the only 
> > difference between a "good" line item or a 
> > "bad" line item is whether or not the syntax 
> > is correct.
> 
> Nicely put.
> > 
> > The only difference between a "good" ACL 
> > and a "bad" ACL is whether or not its 
> > structure is properly designed and whether
> > or not it's placed in the proper location.
> 
> Again, nicely put.  I might also suggest adding the 
> idea that ACL logic and format follow with the same 
> requirements for placement, and that overarching 
> rules/guidelines regarding their structure and flow be 
> evaluated on a case-by-case basis.  It is incomplete
> and rife with exception, unfortunately, to decree that
> all ACLs and firewall feature sets be constructed in a 
> particular manner without taking into account the
> particulars surrounding their respective deployments.

Can anyone suggest a book which discusses ACL theories from different points
of view and practical (?existing) applications?  I would love to see
documentation which addresses security and manageability as it relates to
things like minimal ACL-line duplication and ingress+egress filtering
techniques.  Even in Cisco and 5xx-level networking courses, these issues
are barely touched on.  For traffic policies, much has been learned from
this list and from practical experience.

-Eric


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770
