Re: [Full-disclosure] RE: Example firewall script
From: J.A. Terranson (measlmfn.org)
Date: Sat Aug 27 2005 - 11:53:14 CDT
On Sat, 27 Aug 2005, ericschermac.com wrote:
> Actually, that's not true.
> I would agree that as a general rule of thumb
> you should have a deny statement at the end
> of every ACL. In fact, Cisco places an implicit
> DENY ANY ANY at the end of their ACLs.
As does Juniper, as does.....
> However, Access Control Lists are not firewalls.
> Yes, we use them as firewalls, but that's not what
> they are.
> ACLs ARE TRAFFIC SHAPING DEVICES.
Uh... No. Traffic shaping may make use of ACLs, but ACL != Shaping.
> As traffic shaping devices, they can be used for
> security, but they are also used for management
> purposes. For instance; many Autonomous Systems
> are multi-homed.
Bzzzt. *All* "Autonomous Systems" are multihomed. That's the definition.
> There are decisions to be made
> about how traffic will flow in and out of the AS.
> You also have to decide if you wish to be a
> transit AS or not.
> ACLs are the tool that you use to control your
Again, wrong. ACLs are involved, but what you are talking about are
called ROUTING DECISIONS, and ACLs != Routing Decisions.
> While an ACL being used as a security device
> should have a deny statement at the end, proper
> construction of the ACL is more about following
> the proper construction rules.
> This is actually a huge subject, far too big
> for an individual e-mail to a list.
Finally, a correct statement. But, while it was correct, it was also
"This is actually a huge subject, far too big for an individual e-mail to
a list, and doubly so when I have yet to learn enough about it to expound
upon the topic rationally."
> But there are some basic rules to keep in mind:
> ACL's analyze traffic from top to bottom, so
> keep your most specific entries at the top,
This is true for *most* ACL implementations, but NOT for all. Again, you
are trying to paint the entire world with your only available [Cisco]
brush, and it is making you look like a self-important fool.
> This subject REALLY calls for a book, not
> an e-mail response.
I can probably find a few good ones to recommend - if you will promise to
read them prior to spewing more of this. ;-)
> I've said very little in this post
And still managed to screw up most of what you said.
> and look at all the room it took up.
That's expected: hot gas expands.
I like the idea of belief in drug-prohibition as a religion in that it is
a strongly held belief based on grossly insufficient evidence and
bolstered by faith born of intuitions flowing from the very beliefs they
are intended to support.
don zweig, M.D.
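The two points of ACL mechanics the thread argues over, the implicit deny at the end of a Cisco-style list and the "most specific entries at the top" rule, are easy to see in a small model. The following is an added example written for this page; it is not code from either poster or from any vendor. It models Cisco-style extended ACLs as first-match-wins with an implicit deny, and also lets you evaluate the same list last-match-wins (the default in OpenBSD pf unless a rule says `quick`), which is the kind of implementation difference Terranson's "*most* ACL implementations, but NOT for all" refers to. The rule sets, the 10.0.0.0/24 "guest" network, the Telnet packet and the helper names are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an extended ACL entry: action, protocol, source and
# destination prefixes, optional destination port (None = any port).
@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the entry covers the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True

def evaluate(acl: List[Rule], pkt: Packet, first_match: bool = True) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom and return (action, index of the deciding entry).

    first_match=True models Cisco-style ACLs: the first entry that matches decides.
    first_match=False models last-match-wins engines such as pf without 'quick'.
    A packet that matches nothing falls through to the implicit deny (index None).
    """
    hit = None
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            hit = (rule.action, i)
            if first_match:
                return hit
    return hit if hit is not None else ("deny", None)   # implicit deny any any

def shadowed(acl: List[Rule]) -> List[int]:
    """Indexes of entries that can never fire under first-match semantics because
    an earlier entry already covers everything they cover. Conservative: it only
    reports exact supersets, so anything it flags is a genuine dead entry."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                dead.append(j)
                break
    return dead

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")

# Constructed policy: block Telnet from a guest /24, permit the rest of 10/8.
ACL_GOOD = [                                   # specific entry first
    Rule("deny", "tcp", net("10.0.0.0/24"), ANY, 23),
    Rule("permit", "ip", net("10.0.0.0/8"), ANY),
]
ACL_BAD = list(reversed(ACL_GOOD))             # general entry first: deny is shadowed

TELNET = Packet("tcp", "10.0.0.5", "192.0.2.1", 23)      # should be denied
OUTSIDER = Packet("tcp", "172.16.0.1", "192.0.2.1", 80)  # matches nothing

if __name__ == "__main__":
    print("good, first-match:", evaluate(ACL_GOOD, TELNET))        # ('deny', 0)
    print("bad,  first-match:", evaluate(ACL_BAD, TELNET))         # ('permit', 0)
    print("bad,  last-match: ", evaluate(ACL_BAD, TELNET, False))  # ('deny', 1)
    print("unmatched:        ", evaluate(ACL_GOOD, OUTSIDER))      # ('deny', None)
    print("dead entries in ACL_BAD:", shadowed(ACL_BAD))          # [1]
```

The same two entries give opposite answers for the Telnet packet depending only on their order under first-match, and the order that is wrong for a Cisco ACL is the right one for a last-match engine. That is why "specific at the top" is a rule about one evaluation model, not about ACLs in general, and why a shadowing check like `shadowed()` is worth running on any first-match list before it goes on a router.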
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/