I don’t assume that, and that’s why I only consider IP based ACL’s as a “part of this balanced security solution” because while handy, modern attacks are smarter everyday and heuristics based NIP systems are essential.
In the military we called it the “swiss cheese model”, in ORM you use as many layers of security as you can to prevent a mishap. Controlling what subnets can access certain others keeps Becky from accounts payable from getting access into accounts receivable’s data and writing her own checks. Sure, a network admin/sysadmin could just change their IP, but Becky doesn’t have that access. I usually define network access by the subnet, if we aren’t comfortable with all devices in a LAN having access then it’s a pretty locked down solution, in which case we most likely have higher level requirements like application/port number or port security .1X.
I’m assuming your servers all reside in the same subnet? If not, changing the IP without changing the VLAN and/or trunking it to the access layer switch you’re attached to would only result in a loss of connection.
For your use case I’d just allow the whole LAN and define applications we are ok with having communications between the two subnets, and as always a well thought out DMZ goes a really long way.
Right but if you want to start doing application level blocking, then the proper tool for the job is a stateful firewall and even better, a RADIUS/Kerberos system that authenticates every connection between servers.
Basically I use ACLs to prevent spoofing attacks from originating out of my network, and also to lock down the management plane of my network devices to specific subnets. In all other cases a stateful firewall should be used exclusively.
In any other case ACLs provide the illusion of security and create a huge amount of operational friction especially in a dynamic environment.
I don’t assume that, and that’s why I only consider IP based ACL’s as a “part of this balanced security solution” because while handy, modern attacks are smarter everyday and heuristics based NIP systems are essential.
In the military we called it the “swiss cheese model”, in ORM you use as many layers of security as you can to prevent a mishap. Controlling what subnets can access certain others keeps Becky from accounts payable from getting access into accounts receivable’s data and writing her own checks. Sure, a network admin/sysadmin could just change their IP, but Becky doesn’t have that access. I usually define network access by the subnet, if we aren’t comfortable with all devices in a LAN having access then it’s a pretty locked down solution, in which case we most likely have higher level requirements like application/port number or port security .1X.
I’m assuming your servers all reside in the same subnet? If not, changing the IP without changing the VLAN and/or trunking it to the access layer switch you’re attached to would only result in a loss of connection.
For your use case I’d just allow the whole LAN and define applications we are ok with having communications between the two subnets, and as always a well thought out DMZ goes a really long way.
Right but if you want to start doing application level blocking, then the proper tool for the job is a stateful firewall and even better, a RADIUS/Kerberos system that authenticates every connection between servers.
Basically I use ACLs to prevent spoofing attacks from originating out of my network, and also to lock down the management plane of my network devices to specific subnets. In all other cases a stateful firewall should be used exclusively.
In any other case ACLs provide the illusion of security and create a huge amount of operational friction especially in a dynamic environment.
deleted by creator