Access List Matrix

cjthedj45 Member Posts: 331
Hi,
I just wondered if anyone here has had to design an access list matrix. We have just recently had an infosec visit and we have had some recommendations that we need to conform to, to be infosec compliant. One of them is that all access lists need to appear as non-meaningful, i.e. the meaningful names below would need to change so that they were not meaningful, as shown in the further example below.
Before
access-list outside_access_in line 18 remark to communicate with Cisco Call Manager on TCP 2748
access-list outside_access_in line 19 extended permit tcp object-group Call_Managers object-group PCI_Voice_Servers eq ctiqbe

After
access-list outside_access_in line 18 remark Abc123 2748
access-list outside_access_in line 19 extended permit tcp object-group Abc124 eq ctiqbe

Matrix Key
Abc123 = communicate with Cisco Call Manager on TCP
Abc124 = Call_Managers object- PCI_Voice_Servers
Personally I think this is going to involve a lot of work and make it slightly more difficult to look at an issue quickly. We will have to consult the matrix key to look up exactly what the access list is permitting or denying, etc. I'm just getting into security, so perhaps this is quite a standard requirement; I just wondered if you guys had any ideas on the design of the matrix. I'm trying to think of ways that it is less meaningful for someone logging on and looking at the access list for the first time, but still slightly meaningful for us. I thought of using certain letters and numbers for mail systems, like MS123 and things like that. Does anyone have any experience or ideas in this?

Comments

    networker050184 Mod Posts: 11,962
    Sounds retarded to me. I've never heard of a place doing anything like that. If they are in your device or have your config to look at the remarks you are pretty much done for anyway.
    An expert is a man who has made all the mistakes which can be made.
    cjthedj45 Member Posts: 331
    networker050184 wrote: »
    If they are in your device or have your config to look at the remarks you are pretty much done for anyway.

    Ah! Good, it's not just me thinking that then. This was the point I made to our senior network engineer. If somebody has got as far as logging on to your switch, firewall or router then they have already compromised security and they can create their own access lists, etc. I would still like to hear from anyone who has had to do anything like this and how they went about it. That's if there is anyone, lol!
    dynamik Banned Posts: 12,312
    Right, the only real (extremely minor) benefit would be if you have people logging on to do some menial management/maintenance tasks and you want to obfuscate the information for them.

    I would personally never recommend this. This significantly increases the difficulty and complexity of properly configuring the device, and I think there is a greater risk of a compromise stemming from misconfiguring the device than anything that would happen if someone saw your remarks. This is really bad advice IMHO.

    What was his justification? That it would be an information disclosure that identifies other devices and configurations on your network?

    Also, what are you trying to be compliant with? Make them provide the regulations that require/recommend this.

    Anyway, if I had to manage that, I'd just write a script that would mangle or swap the meaningful names with garbage. I'd make any changes to the legible config, mangle it, and then upload it. I wouldn't try to maintain a spreadsheet or anything like that.
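One way to do what dynamik describes (edit the legible config, mangle it with a script, upload the result, and let the script emit the matrix key), written here as an added example and not code from the thread; it assumes Cisco ASA-style access-list and object-group syntax and uses the lines from the original post as constructed input:

```python
import re

# Constructed sample input: the legible lines from the original post.
LEGIBLE_CONFIG = """\
access-list outside_access_in line 18 remark to communicate with Cisco Call Manager on TCP 2748
access-list outside_access_in line 19 extended permit tcp object-group Call_Managers object-group PCI_Voice_Servers eq ctiqbe
"""

REMARK_RE = re.compile(r"^(access-list \S+ line \d+ remark )(.*)$")
# Matches the group name in both ACL references ("object-group X") and
# definitions ("object-group network X"); ASA keyword list assumed here.
OBJGRP_RE = re.compile(r"\bobject-group ((?:network|service|protocol|icmp-type) )?(\S+)")


class Mangler:
    """Swaps remarks and object-group names for opaque tokens (Abc123, Abc124, ...)
    and records the mapping, which is the matrix key the post talks about."""

    def __init__(self, prefix="Abc", start=123):
        self.prefix, self.next_id = prefix, start
        self.key = {}   # token -> meaningful text (the matrix key)
        self._rev = {}  # meaningful text -> token, so one name always maps to one token

    def token_for(self, meaningful):
        if meaningful not in self._rev:
            tok = f"{self.prefix}{self.next_id}"
            self.next_id += 1
            self._rev[meaningful] = tok
            self.key[tok] = meaningful
        return self._rev[meaningful]

    def mangle_line(self, line):
        m = REMARK_RE.match(line)
        if m:  # whole remark text becomes one token
            return m.group(1) + self.token_for(m.group(2))
        return OBJGRP_RE.sub(
            lambda g: "object-group " + (g.group(1) or "") + self.token_for(g.group(2)), line)

    def mangle(self, config):
        return "\n".join(self.mangle_line(line) for line in config.splitlines())

    def unmangle(self, mangled):
        # Longest tokens first so Abc1234 is never clobbered by Abc123.
        out = mangled
        for tok in sorted(self.key, key=len, reverse=True):
            out = out.replace(tok, self.key[tok])
        return out


if __name__ == "__main__":
    m = Mangler()
    print(m.mangle(LEGIBLE_CONFIG))
    print("Matrix Key")
    for tok, text in m.key.items():
        print(f"{tok} = {text}")
```

Keep the legible config and the key file off the device, since the key is what turns the tokens back into meaning.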
    cjthedj45 Member Posts: 331
    dynamik wrote: »
    Right, the only real (extremely minor) benefit would be if you have people logging on to do some menial management/maintenance tasks and you want to obfuscate the information for them.

    I would personally never recommend this. This significantly increases the difficulty and complexity of properly configuring the device, and I think there is a greater risk of a compromise stemming from misconfiguring the device than anything that would happen if someone saw your remarks. This is really bad advice IMHO.

    What was his justification? That it would be an information disclosure that identifies other devices and configurations on your network?

    Also, what are you trying to be compliant with? Make them provide the regulations that require/recommend this.

    Anyway, if I had to manage that, I'd just write a script that would mangle or swap the meaningful names with garbage. I'd make any changes to the legible config, mangle it, and then upload it. I wouldn't try to maintain a spreadsheet or anything like that.

    Hi Dynamik,
    As we are a credit card company we have an audit every year to ensure that we are keeping data secure and protected. We have always passed these tests, but they have made some recommendations based on infosec policies apparently. They do not want us to give too much information away, so if someone was to compromise a device then they would not be able to see where our secured zones are and what access lists are being applied. We also need to remove any descriptions from ports that give too much information away. I totally agree with you: this is going to be a headache and make our jobs as administrators more difficult. I'm not too good at scripting and would have no idea how to mangle the config using a script. From the responses I have had it would seem that this is not the norm, so I'm going to try and fight my corner and see if we can come to a compromise. I will let you know how I get on. Thanks for your response, mate.