Difference between revisions of "Writing Good ACLs"

From Digibase Knowledge Base
Jump to: navigation, search
(Created page with "ACLs (Access Control Lists) which often come in the form of firewalls, route filters, ban lists, blacklists, and so forth are an important part of ensuring a system is secure ...")
(No difference)

Revision as of 01:23, 3 January 2014

ACLs (Access Control Lists) which often come in the form of firewalls, route filters, ban lists, blacklists, and so forth are an important part of ensuring a system is secure and able to be legitimately used. This article is a list of things to do to ensure an ACL is well designed:

General

  1. Set rules with the expectation that the system will go down the list until one matches. Often times computers will process a list sequentially and branch off onto sublists recursively, designing your list with this in mind can ensure all desired rules are utilized
  2. Set rules from most broad to least. This will speed up processing as the system will be able to match rules faster.
  3. Merge similar rules into one whenever possible. This will reduce the resources required to process and store the ACL.

Firewalls

  1. Drop, don't deny or reject. Often times people will believe that setting up a firewall to reject a connection is more effective than dropping, this isn't the case and still elicits a response. Firewalls should create silence in response to undesiragble traffic.
  2. Default Drop Set up the firewall to drop all traffic by default first, then set exceptions to this default to accept.
  3. Test Rule Types If you are implementing a different kind of rule, ensure it operates correctly and in the manner you expect, don't implement one without testing.


Ban Lists

  1. '