From: Carsten Luegner on 18 Apr 2010 03:28

Hello,

the pix/asa above 7.x can filter on egress and ingress

but what is the drawback with filtering just egress-only?
(if you have more interfaces ingress and egress filter is imho a pain)

CL
From: Robert Bonomi on 19 Apr 2010 17:36

In article <slrnhsld42.3u2.cl4news(a)ubuntu.lan>, Carsten Luegner <cl4news(a)steyr-ssf.com> wrote:

>Hello,
>
>the pix/asa above 7.x can filter on egress and ingress
>
>but what is the drawback with filtering just egress-only?
>(if you have more interfaces ingress and egress filter is imho a pain)

It all depends on _what_ you are trying to accomplish.

Ingress filtering can protect the PIX/ASA as well as machines behind it.

Ingress filtering lets you trivially filter on where packets come _from_.
Egress filtering lets you trivially filter on where packets are going _to_.

Ingress and egress filtering occur on opposite sides of the 'routing' decision, and it may be practical to make use of that difference to simplify the actual filters.

e.g. if you have 3 separate exit paths from the local network, and you have traffic that you do not want to -- under *any* conditions -- leave the local network, then this can be accomplished by =one= ingress filter on the PIX port connected to the LAN.

OTOH, doing it with egress filters, _while_practical_, requires an egress filter on *each* exit path. And, to be 100% effective they _all_ have to be "exactly right". Getting _three_ things 'exactly right' -- and *keeping* them that way as the world changes out from under you -- *is*, obviously, harder, more difficult, and more time-consuming (both to 'do', and to 'verify' correctness) than is changing -one- (ingress) rule.

I use ingress rules to filter stuff where the filter action does -not- depend on the routing action -- e.g. stuff that should 'never' go -- anywhere, and egress rules for stuff that is 'ok' some places, but NOT in others.

YMMV -- and probably *WILL* -- depending on exactly _what_ filtering you are actually doing, and what the 'trust' relationship is between stuff on various interfaces of the PIX/ASA.
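The trade-off described in the reply above, as an added example that is not from the thread or from Cisco: a small Python model of the PIX/ASA packet path, with the ingress ACL evaluated before the routing decision and the egress ACL evaluated only on the exit interface that routing picked. It builds the "one ingress rule on the LAN port" design beside the "one egress rule per exit path" design and probes both, so the effect of a forgotten or stale egress ACL on one of three exits is visible. Interface names, subnets, probe addresses, the route table and the rule "no ACL bound means permit" are constructed assumptions for the example, not anything from the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the PIX/ASA packet path discussed in the thread:
# ingress ACL (bound "in") -> route lookup -> egress ACL (bound "out").
# Interface names, subnets and addresses below are constructed for the example.

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class Interface:
    name: str
    ingress_acl: Optional[list] = None   # ACL bound "in" on this interface
    egress_acl: Optional[list] = None    # ACL bound "out" on this interface

def acl_decision(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of a bound ACL.
    Assumption: an interface with no ACL bound passes traffic (the real
    security-level defaults are not modelled here)."""
    if acl is None:
        return "permit"
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"

class Firewall:
    def __init__(self, interfaces, routes):
        self.interfaces = {i.name: i for i in interfaces}
        # longest-prefix match: most specific route is consulted first
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop_interface(self, dst):
        for net, ifname in self.routes:
            if dst in net:
                return ifname
        return None

    def forward(self, in_if, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. the ingress filter runs before the routing decision
        if acl_decision(self.interfaces[in_if].ingress_acl, src, dst) == "deny":
            return ("dropped", f"ingress:{in_if}")
        # 2. the routing decision selects the exit path
        out_if = self.next_hop_interface(dst)
        if out_if is None:
            return ("dropped", "no-route")
        # 3. the egress filter runs on the chosen exit path only
        if acl_decision(self.interfaces[out_if].egress_acl, src, dst) == "deny":
            return ("dropped", f"egress:{out_if}")
        return ("forwarded", out_if)

ANY = ipaddress.ip_network("0.0.0.0/0")
CONFIDENTIAL = ipaddress.ip_network("10.0.50.0/24")   # constructed: must never leave the LAN
ROUTES = [                                            # constructed route table, three exit paths
    (ANY, "isp1"),
    (ipaddress.ip_network("203.0.113.0/24"), "isp2"),
    (ipaddress.ip_network("192.168.100.0/24"), "vpn"),
]
EXIT_PATHS = ("isp1", "isp2", "vpn")
# one constructed probe destination that routes out of each exit path
PROBES = {"isp1": "198.51.100.10", "isp2": "203.0.113.5", "vpn": "192.168.100.7"}

def build_ingress_design():
    """One deny rule on the LAN-facing port covers every exit path."""
    inside = Interface("inside", ingress_acl=[Rule("deny", CONFIDENTIAL, ANY),
                                              Rule("permit", ANY, ANY)])
    return Firewall([inside] + [Interface(n) for n in EXIT_PATHS], ROUTES)

def build_egress_design(missing=()):
    """The same policy as an egress ACL on each exit path; `missing` names the
    exit paths where the ACL was forgotten or never updated."""
    block = [Rule("deny", CONFIDENTIAL, ANY), Rule("permit", ANY, ANY)]
    exits = [Interface(n, egress_acl=None if n in missing else list(block))
             for n in EXIT_PATHS]
    return Firewall([Interface("inside")] + exits, ROUTES)

def leak_check(fw, src):
    """Send one probe from `src` towards each exit path and report the verdicts."""
    return {path: fw.forward("inside", src, dst) for path, dst in PROBES.items()}

if __name__ == "__main__":
    print("ingress design:", leak_check(build_ingress_design(), "10.0.50.20"))
    print("egress design, vpn ACL missing:",
          leak_check(build_egress_design(missing=("vpn",)), "10.0.50.20"))
```

With the ingress design every probe from the confidential subnet is dropped at `inside` regardless of which exit routing would have chosen; with the egress design the two exits that carry the ACL drop it, and the one that does not forwards it. The same `leak_check` run against a real device's route table and ACL bindings is the kind of verification step the reply calls "verify correctness" for each exit path.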