Dell N2048 Switch and IP ACL - I just killed part of my network...

EddieJennings

@Jimmy9008 Why not turn on logging, and see if that shows you what's matching the rule.

Jimmy9008

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 Why not turn on logging, and see if that shows you what's matching the rule.

Logging is enabled now. But, no logs are being generated showing the dropped traffic.

dafyre

@Jimmy9008 Is the traffic still being dropped?

Jimmy9008

@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 Is the traffic still being dropped?

Yep. Sadly. Should be a simple rule. Think host has to be fqdn?

dafyre

You should have both source AND destination set to host.

dafyre

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 Is the traffic still being dropped?

Yep. Sadly. Should be a simple rule. Think host has to be fqdn?

I doubt it. At this level, things only care about ip addresses most likely.

Jimmy9008

@dafyre

@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

You should have both source AND destination set to host.

They are. Both source and destination are set to host.

EddieJennings

Did you turn on logging? Did it show anything? Sometimes how something is logged can give a clue as to how it's matching a rule.

dafyre

And it's still blocking traffic to the entire subnet?

Try removing and re-adding the rule to the interface?

Jimmy9008

... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.

So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.

You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.

The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...

Dashrender

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.

So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.

You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.

The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...

Interesting, that sounds like a good basis for security. Modern firewalls do that to. Drop all that isn't expressly allowed.
Of course you can often change that.

It's the blacklist vs whitelist approach.

EddieJennings

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.

So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.

You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.

The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...

Yeah. I feel like a fool for forgetting about the implicit deny.
If you wanted to allow the traffic except for the host in your rule, you'd have an allow all at the very end of the ACL.

scottalanmiller

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.

Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?

scottalanmiller

What's the reason for adding firewalling in the middle of your network? Hostile hosts?

Jimmy9008

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.

Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?

Agree. It works.

Jimmy9008

@scottalanmiller

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

What's the reason for adding firewalling in the middle of your network? Hostile hosts?

To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.

scottalanmiller

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@scottalanmiller

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

What's the reason for adding firewalling in the middle of your network? Hostile hosts?

To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.

True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.

Jimmy9008

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@scottalanmiller

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

What's the reason for adding firewalling in the middle of your network? Hostile hosts?

To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.

True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.

These are Windows Server VMs.

I'd rather stop any risk if I can before hitting the local windows firewall, with this additional layer for example, rather than only relying on the Microsoft one which will probably screw you over at the worst time.

How often do Microsoft updates cause issues, very... One of those issues affecting the firewall somehow, on a bad day, boom - something through. Probably wont happen, but Microsoft screw up a lot, so why not try to block that traffic before giving them a chance to mess up your day.

I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.

I've been thinking about it and think it will actually be simple to put in place now I know the particulars of the N2048.

scottalanmiller

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@scottalanmiller

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

What's the reason for adding firewalling in the middle of your network? Hostile hosts?

To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.

True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.

These are Windows Server VMs.

I'd rather stop any risk if I can before hitting the local windows firewall, with this additional layer for example, rather than only relying on the Microsoft one which will probably screw you over at the worst time.

How often do Microsoft updates cause issues, very... One of those issues affecting the firewall somehow, on a bad day, boom - something through. Probably wont happen, but Microsoft screw up a lot, so why not try to block that traffic before giving them a chance to mess up your day.

I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.

I've been thinking about it and think it will actually be simple to put in place now I know the particulars of the N2048.

Windows firewalls are rock solid. You can't justify running Windows at all if this is how you feel about them. This is not a reasonable place to be. The Windows firewall is no risk here. There are a million things you could do to improve security. But this is just busy work.

scottalanmiller

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.

This ain't good reasoning. You'd kick yourself if you didn't move to Nebraska before your home is hit with a meteor, too. But it is not rational to use "id be sorry if" reasoning. The Windows firewall doesn't hiccup, and even if it does there are loads of other layers of protection. This requires an active attack from the inside, listening services, a vulnerability and more all during the moments that a firewall hiccups. With this logic there is no end of things you would do.

"I'd be sorry" logic bypasses the risk calculation. Yes, you would be sorry. But what is the risk of that happening? Zero. That's the effective risk. So you won't be sorry.

But what you will certainly be sorry about is the wasted time, effort, complexity, risk, outages and ongoing maintenance headaches of a system that protects against nothing.