this post was submitted on 05 Oct 2023
586 points (99.0% liked)

Linux

48035 readers
713 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] c0mbatbag3l 4 points 1 year ago (1 children)

I've been a network engineer for five years at three companies and not a one has used switch or router based ACL's. It's all in the FW appliance.

[–] [email protected] 0 points 1 year ago (1 children)

Network ACLs are my bane. Someone long ago decided we needed to "isolate" the network, so they put ACLs everywhere and so now 50% of my teams time is spend fucking with ACLs :/ It's awful.

[–] c0mbatbag3l 3 points 1 year ago (1 children)

Yeah don't get me wrong it's an excellent part of network security but if it's not defined primarily on one device it's a hassle.

[–] [email protected] -5 points 1 year ago (1 children)

Only if you assume IP Addresses act as authentication for what that host is. But since they don't, I see ACLs as a security blanket.
I can change the IP of a server I control and bypass any ACL easily. If I have control of my network as well, then no ACL you apply can stop any of my servers from hitting whatever server you have allowed any of my servers to hit. So why not just allow my entire network block?

[–] c0mbatbag3l 3 points 1 year ago (1 children)

I don't assume that, and that's why I only consider IP based ACL's as a "part of this balanced security solution" because while handy, modern attacks are smarter everyday and heuristics based NIP systems are essential.

In the military we called it the "swiss cheese model", in ORM you use as many layers of security as you can to prevent a mishap. Controlling what subnets can access certain others keeps Becky from accounts payable from getting access into accounts receivable's data and writing her own checks. Sure, a network admin/sysadmin could just change their IP, but Becky doesn't have that access. I usually define network access by the subnet, if we aren't comfortable with all devices in a LAN having access then it's a pretty locked down solution, in which case we most likely have higher level requirements like application/port number or port security .1X.

I'm assuming your servers all reside in the same subnet? If not, changing the IP without changing the VLAN and/or trunking it to the access layer switch you're attached to would only result in a loss of connection.

For your use case I'd just allow the whole LAN and define applications we are ok with having communications between the two subnets, and as always a well thought out DMZ goes a really long way.

[–] [email protected] -1 points 1 year ago (1 children)

Right but if you want to start doing application level blocking, then the proper tool for the job is a stateful firewall and even better, a RADIUS/Kerberos system that authenticates every connection between servers.

Basically I use ACLs to prevent spoofing attacks from originating out of my network, and also to lock down the management plane of my network devices to specific subnets. In all other cases a stateful firewall should be used exclusively.

In any other case ACLs provide the illusion of security and create a huge amount of operational friction especially in a dynamic environment.