Dell N2048 Switch and IP ACL - I just killed part of my network...
-
I didn't write ain't. iPhone changed isn't to ain't on me. I kid you not.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
I didn't write ain't. iPhone changed isn't to ain't on me. I kid you not.
Sure, sure... Blame it on the phone.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.
This ain't good reasoning. You'd kick yourself if you didn't move to Nebraska before your home is hit with a meteor, too. But it is not rational to use "I'd be sorry if" reasoning. The Windows firewall doesn't hiccup, and even if it does there are loads of other layers of protection. This requires an active attack from the inside, listening services, a vulnerability and more all during the moments that a firewall hiccups. With this logic there is no end of things you would do.
"I'd be sorry" logic bypasses the risk calculation. Yes, you would be sorry. But what is the risk of that happening? Zero. That's the effective risk. So you won't be sorry.
But what you will certainly be sorry about is the wasted time, effort, complexity, risk, outages and ongoing maintenance headaches of a system that protects against nothing.
Yes, I see what you mean. I was being crass about the Windows server. Perhaps for specific servers the ACL on the switch would be useful for an added layer, but will have a think. At least we figured out how the N2048 actually works now, as the UI didn't make it obvious.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
Yes, I see what you mean. I was being crass about the Windows server. Perhaps for specific servers the ACL on the switch would be useful for an added layer, but will have a think.
It's certainly an extra layer. But a complicated one (not just today, this will be complicated to support for forever), and it is one that is fully redundant with a more powerful and flexible one that you should be trusting pretty strongly (or removing that vendor.) I'm pretty confident that the Windows firewall has never been breached, ever. Having the switch ACLs would add a risk that someone might not enable the Windows firewall, as well. But at a minimum, it will take you to triple firewalls and all kinds of network overhead for simple stuff.
To put it another way, hospitals, government or Wall St. banks would never consider this degree of network lockdown. Unless you have a need for security greatly exceeding things like the CIA or sovereign funds, don't do this.
Also, anywhere that needs security even a fraction of this level can never run their own network but would have to move to Amazon (where they actually do this) and would not run Windows.
Otherwise, the level of effort here is disproportionate to the rest of the environment.