Old 12-08-2010, 01:16 PM
 
16,545 posts, read 13,450,045 times
Reputation: 4243


Quote:
Originally Posted by Xanathos View Post
Take any, and I mean ANY security certification exam that covers this and try saying that ACL's are designed as a level of security, and see how you do. ACL's are NOT meant to be security, and they are not security. I know it sounds counterintuitive, but that's how it works.
Oh yes they are. They are used to create a packet filtering FIREWALL to allow or deny traffic to and from a source and destination. If that isn't security, then I don't know what is. Anyway, this is way off topic....

 
Old 12-08-2010, 01:18 PM
 
3,117 posts, read 4,585,474 times
Reputation: 2880
Quote:
Originally Posted by Darkatt View Post
Just for you, Courtesy of Steve Gibson's website.. See I KNEW you couldn't resist the bait. Just the BASICS, and just for you.

BTW Access Control List isn't a method of security. Dude! Get real!

A NAT Router's Inherent Security
Although NAT routers are not generally purchased for their security benefits, all NAT routers inherently function as very effective hardware firewalls (with a few caveats examined below). As a hardware firewall they prevent "unsolicited", unexpected, unwanted, and potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user's private LAN network.


The reason they do this is very simple: With multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets of data have the same IP address (the single IP address of the router), the only way the router knows which computer should receive the incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets.

How is this done?
Since the NAT router links the internal private network to the Internet, it sees everything sent out to the Internet by the computers on the LAN. It memorizes each outgoing packet's destination IP and port number in an internal "connections" table and assigns the packet its own IP and one of its own ports for accepting the return traffic. Finally, it records this information, along with the IP address of the internal machine on the LAN that sent the outgoing packet, in a "current connections" table.


When any incoming packets arrive at the router from the Internet, the router scans its "current connections" table to see whether this data is expected by looking for the remote IP and port number in the current connections table. If a match is found, the table entry also tells the router which computer in the private LAN is expecting to receive the incoming traffic from that remote address. So the router re-addresses (translates) the packet to that internal machine and sends it into the LAN.


And here's the really good part:
If the arriving packet does not exactly match traffic that is currently expected by the router, the router figures that it's just unwanted "Internet noise" and discards the unsolicited packet of data.


With a NAT router protecting your connection to the Internet — even if you only have one computer on the LAN behind the router — none of the Internet scanning and worms and hackers and other annoying and malicious Internet nonsense can get to your computer or computers.

If the NAT router isn't already expecting the incoming data, because one of the machines on the LAN asked for it from the Internet, the router silently discards it and your private network is never bothered.

So now that we have the basics . . .
Do you ever stop to think about what you're replying to before you do it? As I said, NAT provides a certain level of protection, but it is NOT considered a layer of security by any standard. This is actually a question on the CISSP exam, and if you answer that it is security, guess what? You got the question wrong. Just because something offers a form of protection does not mean it's security. Just like with the other clown (and apparently you) who is trying to claim that ACL's are security. Cisco goes out of their way to tell you that ACL's are NOT security. Stop and ponder for a moment why the largest network device manufacturer on the face of the planet would tell you something like that, seeing as how ACL's are a central feature of their devices. Here's a hint: They do that because people like you would otherwise just create a bunch of ACL's and figure that your security model is done, when the reality is that you have only implemented some protection, not actual security.
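
The "current connections" table described in the NAT passage quoted in the post above, as an added example that is not part of the thread or of the quoted website. The `NatRouter` class, addresses and ports are constructed for illustration, and the model covers only the exact-match lookup the passage describes.

```python
# Toy model of a NAT router's "current connections" table (added example).
# All IP addresses and ports below are constructed sample values.
from dataclasses import dataclass, field

ROUTER_PUBLIC_IP = "203.0.113.1"  # constructed; documentation address range


@dataclass
class NatRouter:
    next_port: int = 40000
    # (router_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)
    # (lan_ip, lan_port, remote_ip, remote_port) -> router_port
    flows: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out: record the flow, rewrite the source."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        if flow not in self.flows:          # first packet of this flow
            self.flows[flow] = self.next_port
            self.table[(self.next_port, remote_ip, remote_port)] = (lan_ip, lan_port)
            self.next_port += 1
        return (ROUTER_PUBLIC_IP, self.flows[flow], remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, router_port):
        """A packet arrives from the Internet: translate if expected, else drop."""
        # None means the packet was unsolicited and is silently discarded.
        return self.table.get((router_port, remote_ip, remote_port))


def demo():
    router = NatRouter()
    sent = router.outbound("192.168.1.10", 51000, "198.51.100.7", 443)
    return {
        "rewritten_outbound": sent,
        # Reply from the host that was contacted: delivered to the LAN machine.
        "expected_reply": router.inbound("198.51.100.7", 443, sent[1]),
        # Same router port, different remote host: no exact match, dropped.
        "other_remote": router.inbound("198.51.100.99", 443, sent[1]),
        # Router port that no LAN host ever opened: dropped.
        "unknown_port": router.inbound("198.51.100.7", 443, 45000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
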
 
Old 12-08-2010, 01:22 PM
 
16,545 posts, read 13,450,045 times
Reputation: 4243
Quote:
Originally Posted by Xanathos View Post
Take any, and I mean ANY security certification exam that covers this and try saying that ACL's are designed as a level of security, and see how you do. ACL's are NOT meant to be security, and they are not security. I know it sounds counterintuitive, but that's how it works.
Cisco seems to disagree with you and oh my.. Those exams are BASED on Cisco!

Quote:
Why You Should Configure Access Lists

There are many reasons to configure access lists—for example, you can use access lists to restrict contents of routing updates, or to provide traffic flow control. But one of the most important reasons to configure access lists is to provide security for your network; this is the reason focused on in this chapter.
You should use access lists to provide a basic level of security for accessing your network. If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.
For example, access lists can allow one host to access a part of your network, and prevent another host from accessing the same area. In Figure 6, Host A is allowed to access the Human Resources network and Host B is prevented from accessing the Human Resources network.
http://www.cisco.com/en/US/docs/ios/...de/scacls.html

Now back to the topic....
 
Old 12-08-2010, 01:24 PM
 
3,117 posts, read 4,585,474 times
Reputation: 2880
Quote:
Originally Posted by SourD View Post
Oh yes they are. They are used to create a packet filtering FIREWALL to allow or deny traffic to and from a source and destination. If that isn't security, then I don't know what is. Anyway, this is way off topic....
From 'Network Security Hacks' by Andrew Lockhart:

"While ACL's do not inherently add "more security" to a system, they do reduce the complexity of managing permissions"

It's on page 5 of chapter 1, just so you're aware. (Edit: I should also point out that this book deals with more than simply Cisco network devices so the statements tend to be blanket, but they still apply)

So who am I gonna believe? The world's largest network hardware maker, the members of the ISC2 consortium, CCIE authors, and every real security professional I've ever met....or two guys on the internet talking about things they don't know? Hmmm, decisions, decisions...
 
Old 12-08-2010, 01:27 PM
 
3,117 posts, read 4,585,474 times
Reputation: 2880
Quote:
Originally Posted by SourD View Post
Cisco seems to disagree with you and oh my.. Those exams are BASED on Cisco!



Security Configuration Guide - Access Control Lists: Overview and Guidelines* [Cisco IOS Software Releases 11.3] - Cisco Systems

Now back to the topic....
I know this will make your brain hurt, but read the rest of the whitepaper (supposing that's the full whitepaper and not one of those abbreviated section cut-outs). It will go on to tell you that it's a component to providing some security. Key word: Component. ACL's on their own will provide no real security.

But I doubt you'd be able to make it through the entire thing without falling asleep.
 
Old 12-08-2010, 01:28 PM
 
16,545 posts, read 13,450,045 times
Reputation: 4243
Quote:
Originally Posted by Xanathos View Post
From 'Network Security Hacks' by Andrew Lockhart:

"While ACL's do not inherently add "more security" to a system, they do reduce the complexity of managing permissions"

It's on page 5 of chapter 1, just so you're aware.

So who am I gonna believe? The world's largest network hardware maker, the members of the ISC2 consortium, CCIE authors, and every real security professional I've ever met....or two guys on the internet talking about things they don't know? Hmmm, decisions, decisions...
You are talking about ACL's on a SERVER or WORKSTATION, not on a ROUTER! Besides, I provided documentation from CISCO that says the opposite of what you are saying. I do this stuff for a living, so I'm not talking about things I do not know. Once you get it straight in your head that we are talking about ACL's on network infrastructure and not servers or workstations then we may agree.
 
Old 12-08-2010, 01:29 PM
 
11,944 posts, read 14,780,145 times
Reputation: 2772
Quote:
Originally Posted by Darkatt View Post
You all realize that because we have exposed this dishonesty, he's gonna try harder to prove himself right.. That's the way of storytellers.
Why on earth would it matter either way? What is anyone losing? Is there something a little extra in your paycheck at the end of the week for rep points on CD?
Wikileak mirror sites- people either support them or they don't. When it all comes down to dust let's hope people had the right reasons. I think they do.

I find it more than a little preposterous that those of you against wikileaks, making accusations that assange is a rapist, ought to be executed, espionage, blackmailing US gov't--- really? Our own government is breaking the law breaking into private servers. Our own government gave itself permission to point numerous false allegations against someone it didn't like. Citizens of an <allegedly> free country, 'champions' of freedom as many self describe, are begging for a fascist dictatorship to soothe their worried minds with a pocket full of platitudes. They are an embarrassment to our heritage. Again, how can any citizen in good conscience defend authority engaged in crime, and join in attack the release of truthful unadulterated reporting? Why are you doing this? Why can't you handle the truth?

There isn't much in the content of wikileaks that disturbs me about how my government is working. Much of it is actually understandable and as far as I'm concerned this random surprise audit is not the disaster they're making it out to be. What disturbs me are the laws they're all too willing to break in response to wikileaks. Nobody needs to know everything all the time. Americans do tend to trust their government a great deal, but blind trust, particularly sustained for long periods is extremely unhealthy for all parties concerned. What is being done in the name of the war on terrorism is experienced by the general population as a war on citizenship and that is an administrative failure ongoing with GOP and DNC, conservative and liberal alike.
 
Old 12-08-2010, 01:30 PM
 
16,545 posts, read 13,450,045 times
Reputation: 4243
Quote:
Originally Posted by Xanathos View Post
I know this will make your brain hurt, but read the rest of the whitepaper (supposing that's the full whitepaper and not one of those abbreviated section cut-outs). It will go on to tell you that it's a component to providing some security. Key word: Component. ACL's on their own will provide no real security.

But I doubt you'd be able to make it through the entire thing without falling asleep.
They indeed provide a layer of REAL security. What is real to you? A Linux box with some IP filtering on it? What constitutes real in your mind? If you want to know what I consider real security I would be talking about Juniper appliances. You can't get any better than that, but what is your defense beyond the firewall? Once packets get into your network, what layer of security do you have from there? ACL's most likely?
 
Old 12-08-2010, 01:31 PM
 
3,117 posts, read 4,585,474 times
Reputation: 2880
Quote:
Originally Posted by SourD View Post
you are talking about ACL's on a SERVER or WORKSTATION, not on a ROUTER! Besides, I provided documentation from CISCO that says the opposite of what you are saying. I do this stuff for a living, so I'm not talking about things I do not know. Once you get it straight in your head that we are talking about ACL's on network infrastructure and not servers or workstations then we may agree.
An access control list is an access control list regardless of where it's at. Like I said, finish reading your whitepaper on security. Sorry, but anybody who tries to claim that ACL's create a "firewall" is nuts. If that were the case, Cisco wouldn't be selling ASA's like candy, everybody would just harden their router with ACL's and call it good.
 
Old 12-08-2010, 01:34 PM
 
16,545 posts, read 13,450,045 times
Reputation: 4243
Quote:
Originally Posted by harborlady View Post
Why on earth would it matter either way? What is anyone losing? Is there something a little extra in your paycheck at the end of the week for rep points on CD?
Wikileak mirror sites- people either support them or they don't. When it all comes down to dust let's hope people had the right reasons. I think they do.

I find it more than a little preposterous that those of you against wikileaks, making accusations that assange is a rapist, ought to be executed, espionage, blackmailing US gov't--- really? Our own government is breaking the law breaking into private servers. Our own government gave itself permission to point numerous false allegations against someone it didn't like. Citizens of an <allegedly> free country, 'champions' of freedom as many self describe, are begging for a fascist dictatorship to soothe their worried minds with a pocket full of platitudes. They are an embarrassment to our heritage. Again, how can any citizen in good conscience defend authority engaged in crime, and join in attack the release of truthful unadulterated reporting? Why are you doing this? Why can't you handle the truth?

There isn't much in the content of wikileaks that disturbs me about how my government is working. Much of it is actually understandable and as far as I'm concerned this random surprise audit is not the disaster they're making it out to be. What disturbs me are the laws they're all too willing to break in response to wikileaks. Nobody needs to know everything all the time. Americans do tend to trust their government a great deal, but blind trust, particularly sustained for long periods is extremely unhealthy for all parties concerned. What is being done in the name of the war on terrorism is experienced by the general population as a war on citizenship and that is an administrative failure ongoing with GOP and DNC, conservative and liberal alike.
You go on to harp about illegalities, but you fail to mention the illegality of having those documents in Wikileak's possession. They are willingly and knowingly possessing stolen federal property. What about that illegality?