I have been working at a healthcare managed services provider for a few months. We provide solutions and services to thousands of clients worldwide. In the team I work on, we have around 600 clients. They host in our data centers, but they still have devices on their own sites which need to connect back to our data center.
I was shocked to learn that we still use access control lists to define access rules for individual hosts. We use Cisco Security Manager and each firewall/router has hundreds of lines in their ACLs. What’s worse is that most of those lines are overlapping or redundant rules, and over the years apparently there has been no consistent policy in creating or managing changes done to these lists. New clients are provisioned with a default policy but then there are site specific additions and that’s where it gets extremely bloated.
Today I got a request from one of our clients to double-check access for about 15 servers and I can’t believe I have to sort through lines of individual hosts to double-check that they’re all there. And there are many redundant rules, rules with overlapping protocols, etc.
I’m relatively new to networking, but what kinds of solutions exist to replace ACLs? Especially in a service provider environment like ours. I’m not sure if it’s incompetence or what but again I can’t believe it was allowed to get this bad. Also should I feel compelled to try and fix this for each client or would it just be a wasted effort? I have read about using groups and subnets instead of individual hosts, but there are both in our ACLs and they’re still overlapping in a lot of policies. It’s just a nightmare.
No comments:
Post a Comment