Friday, February 2, 2018

External ACLs - How do you stay organized?

I'm in the middle of rewriting our firewall's external ACL to get rid of legacy crap, eliminate IP any rules, etc. I basically have the opportunity to burn the whole thing down and rebuild it from scratch the "right" way so I want to make sure I do it in a way that is scalable and easy to manage.

This ACL controls external access to ~150 servers in our DMZ through an ASA firewall. The vast majority of these are web servers, ftp servers, and email servers for various business units. We don't foresee significant expansion here, but nothing is impossible. The way my boss and I see it, there are two ways to go about this:

  1. Have a few object groups that serve as a "catch-most" group, such as a group for web servers, one for ftp servers, etc. This will allow us to consolidate most of our servers into ~5 lines, and then another ~40 lines for all of the other one-off ports that need to be open.

  2. Have each server in its own object group with its own line. This will obviously be much longer, but it seems like it would be easier to make changes such as adding ports, decommissioning servers, etc. when we know there is only one place to look.

So my question is - what would you do? I can see pros and cons for both approaches, and I really think consistency is important so we need to pick one and stick with it. My boss is leaning toward approach 1, but he's made it clear he can be convinced either way.
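For reference, here is what the two approaches look like in ASA object-group syntax. This is an added sketch, not configuration from the original post; the object names, the RFC 5737 addresses and the `outside` interface name are assumptions.

```cisco
! Approach 1: a "catch-most" group per server class, one ACL line per class.
object-group network DMZ-WEB-SERVERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group network DMZ-FTP-SERVERS
 network-object host 203.0.113.20
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
object-group service FTP-PORTS tcp
 port-object eq ftp
! Adding a server is one network-object; adding a port to WEB-PORTS
! opens it on every member of DMZ-WEB-SERVERS, so review the group before editing it.
access-list OUTSIDE_IN_CLASS extended permit tcp any object-group DMZ-WEB-SERVERS object-group WEB-PORTS
access-list OUTSIDE_IN_CLASS extended permit tcp any object-group DMZ-FTP-SERVERS object-group FTP-PORTS
! One-off ports stay as explicit host lines rather than "ip any" rules.
object network SRV-APP01
 host 203.0.113.30
access-list OUTSIDE_IN_CLASS extended permit tcp any object SRV-APP01 eq 8443
access-list OUTSIDE_IN_CLASS extended deny ip any any log

! Approach 2: one network object, one service group and one line per server.
object network SRV-WEB01
 host 203.0.113.10
object-group service SRV-WEB01-PORTS tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN_PERSERVER extended permit tcp any object SRV-WEB01 object-group SRV-WEB01-PORTS
! Decommissioning SRV-WEB01 means deleting its object, group and line; nothing else moves.
access-list OUTSIDE_IN_PERSERVER extended deny ip any any log

! Whichever list wins, apply it inbound on the outside interface (assumed name).
access-group OUTSIDE_IN_CLASS in interface outside

! Checks after the rewrite: per-entry hit counts (the expanded view shows each
! host/port combination the groups produce) and a simulated packet through the policy.
! show access-list OUTSIDE_IN_CLASS
! packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
```

The explicit `deny ip any any log` at the end is there so that traffic the rewrite accidentally drops shows up in the hit counters and syslog while the new list is being validated.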
