Saturday, January 27, 2018

Do you 'mirror' your ACLs?

I feel like this is probably a stupid question, but I'm keen to hear what others are doing. Let's keep it simple and say you have two VLANs, A and B. A web server on VLAN A should be able to make a TCP 1433 connection to an SQL Server on VLAN B. Again, keeping things simple, let's say you're using ACLs on the switch to enforce these rules.

Do you have an inbound ACL on VLAN A to only permit the web server to access the SQL server over TCP 1433? I'm guessing most would tick this one.

Do you then have an outbound ACL on VLAN A to only permit traffic from the SQL server with a source port of TCP 1433 to the IP of the web server? If you leave this one out, the SQL Server (or anyone else) can send unsolicited traffic into VLAN A, though a TCP connection would never establish due to the first rule (unless of course it's sourced from the SQL server from TCP 1433). Do you care?

Do you have any rules on VLAN B, i.e., an inbound rule to only permit the SQL server to send traffic to the web server over TCP 1433?

The 'most secure' method would be to have 4 ACLs (In/Out on VLAN A and B), but that becomes a management clusterfuck and you're probably more likely to get something wrong. The benefit though is if you do get something wrong, the worst case is that things don't work as the other ACLs will still cover you. Getting something wrong with the single ACL on VLAN A could mean you permit traffic you shouldn't.

What's the right balance?
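To make the trade-off concrete, here is a small stateless ACL model, written for this post and not part of the original, that evaluates the single-ACL design against the four-ACL "mirrored" design. The addresses, packets and the fat-fingered rule are constructed; the direction convention assumed is that "in" on a VLAN checks traffic leaving that VLAN's hosts and "out" checks traffic delivered into it, so a packet from A to B crosses A_in then B_out, and a packet from B to A crosses B_in then A_out.

```python
from dataclasses import dataclass
from typing import Optional

WEB, SQL = "10.1.0.10", "10.2.0.20"   # constructed: web server on VLAN A, SQL Server on VLAN B

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    """One permit entry; a None field means 'any'. Anything unmatched hits the implicit deny."""
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == getattr(p, f) for f, want in vars(self).items())

def permitted(acl: Optional[list], p: Packet) -> bool:
    return acl is None or any(r.matches(p) for r in acl)   # no ACL applied => everything passes

def forwarded(acls: dict, p: Packet, src_vlan: str) -> bool:
    """Stateless: A->B is checked by A_in then B_out; B->A by B_in then A_out."""
    path = ("A_in", "B_out") if src_vlan == "A" else ("B_in", "A_out")
    return all(permitted(acls.get(k), p) for k in path)

WEB_TO_SQL = Rule(src=WEB, dst=SQL, dport=1433)
SQL_TO_WEB = Rule(src=SQL, dst=WEB, sport=1433)
SINGLE = {"A_in": [WEB_TO_SQL]}                           # only the first ACL from the post
MIRRORED = {"A_in": [WEB_TO_SQL], "A_out": [SQL_TO_WEB],   # all four ACLs
            "B_in": [SQL_TO_WEB], "B_out": [WEB_TO_SQL]}
FAT_FINGERED = Rule(src=WEB, dport=1433)                  # constructed mistake: destination left as 'any'

# Constructed sample packets.
query   = Packet(WEB, SQL, 51000, 1433)          # web server opening its SQL connection
reply   = Packet(SQL, WEB, 1433, 51000)          # SQL Server's return traffic
rogue   = Packet("10.2.0.99", WEB, 40000, 80)    # unsolicited packet from some other VLAN B host
spoofed = Packet(SQL, WEB, 1433, 22)             # from the SQL server, sourced at 1433, aimed at SSH on the web server
stray   = Packet(WEB, "10.2.0.99", 51001, 1433)  # should only get through if the A_in ACL is wrong

def outcomes(acls: dict) -> dict:
    """True = the packet reaches its destination VLAN under this ACL set."""
    return {"query": forwarded(acls, query, "A"), "reply": forwarded(acls, reply, "B"),
            "rogue": forwarded(acls, rogue, "B"), "spoofed": forwarded(acls, spoofed, "B"),
            "stray_after_typo": forwarded({**acls, "A_in": [FAT_FINGERED]}, stray, "A")}
```

With the single ACL the rogue host's unsolicited packet and the fat-fingered rule both get through; with the mirrored set they are stopped by B_in and B_out respectively, while the 1433-sourced packet still passes either way, which is exactly the stateless limitation the post points out.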
