Dell N2048 Switch and IP ACL - I just killed part of my network...
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.
The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...
Interesting, that sounds like a good basis for security. Modern firewalls do that to. Drop all that isn't expressly allowed.
Of course you can often change that.It's the blacklist vs whitelist approach.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.
The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...
Yeah. I feel like a fool for forgetting about the implicit deny.
If you wanted to allow the traffic except for the host in your rule, you'd have an allow all at the very end of the ACL. -
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?
-
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?
Agree. It works.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.
These are Windows Server VMs.
I'd rather stop any risk if I can before hitting the local windows firewall, with this additional layer for example, rather than only relying on the Microsoft one which will probably screw you over at the worst time.
How often do Microsoft updates cause issues, very... One of those issues affecting the firewall somehow, on a bad day, boom - something through. Probably wont happen, but Microsoft screw up a lot, so why not try to block that traffic before giving them a chance to mess up your day.
I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.
I've been thinking about it and think it will actually be simple to put in place now I know the particulars of the N2048.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.
These are Windows Server VMs.
I'd rather stop any risk if I can before hitting the local windows firewall, with this additional layer for example, rather than only relying on the Microsoft one which will probably screw you over at the worst time.
How often do Microsoft updates cause issues, very... One of those issues affecting the firewall somehow, on a bad day, boom - something through. Probably wont happen, but Microsoft screw up a lot, so why not try to block that traffic before giving them a chance to mess up your day.
I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.
I've been thinking about it and think it will actually be simple to put in place now I know the particulars of the N2048.
Windows firewalls are rock solid. You can't justify running Windows at all if this is how you feel about them. This is not a reasonable place to be. The Windows firewall is no risk here. There are a million things you could do to improve security. But this is just busy work.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.
This ain't good reasoning. You'd kick yourself if you didn't move to Nebraska before your home is hit with a meteor, too. But it is not rational to use "id be sorry if" reasoning. The Windows firewall doesn't hiccup, and even if it does there are loads of other layers of protection. This requires an active attack from the inside, listening services, a vulnerability and more all during the moments that a firewall hiccups. With this logic there is no end of things you would do.
"I'd be sorry" logic bypasses the risk calculation. Yes, you would be sorry. But what is the risk of that happening? Zero. That's the effective risk. So you won't be sorry.
But what you will certainly be sorry about is the wasted time, effort, complexity, risk, outages and ongoing maintenance headaches of a system that protects against nothing.
-
I didn't write ain't. iPhone changed isn't to ain't on me. I kid you not.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
I didn't write ain't. iPhone changed isn't to ain't on me. I kid you not.
Sure, sure... Blame it on the phone.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.
This ain't good reasoning. You'd kick yourself if you didn't move to Nebraska before your home is hit with a meteor, too. But it is not rational to use "id be sorry if" reasoning. The Windows firewall doesn't hiccup, and even if it does there are loads of other layers of protection. This requires an active attack from the inside, listening services, a vulnerability and more all during the moments that a firewall hiccups. With this logic there is no end of things you would do.
"I'd be sorry" logic bypasses the risk calculation. Yes, you would be sorry. But what is the risk of that happening? Zero. That's the effective risk. So you won't be sorry.
But what you will certainly be sorry about is the wasted time, effort, complexity, risk, outages and ongoing maintenance headaches of a system that protects against nothing.
Yes, I see what you mean. I was being crass about the windows server. Perhaps for specific servers the ACL on the switch would be useful for an added layer, but will have a think. At least we figured out how the N2048 actually works now as the UI didn't make it obvious.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
Yes, I see what you mean. I was being crass about the windows server. Perhaps for specific servers the ACL on the switch would be useful for an added layer, but will have a think.
It's certainly an extra layer. But a complicated one (not just today, this will be complicated to support for forever) but it is one that is fully redundant with a more power and flexible one that you should be trusting pretty strongly (or removing that vendor.) I'm pretty confident that the Windows firewall has never been breached, ever. Having the switch ACLs would add a risk that someone might not enable the Windows firewall, as well. But at a minimum, it will take you to triple firewalls and all kinds of network overhead for simple stuff.
To put it another way, hospitals, government or Wall St. banks would never consider this degree of network lockdown. Unless you have a need for security greatly exceeding things like the CIA or sovereign funds, don't do this
Also, anywhere that needs security even a fraction of this level can never run their own network but would have to move to Amazon (where they actually do this) and would not run Windows.
Otherwise, the level of effort here is disproportionate to the rest of the environment.