498 Chapter 8 • Infrastructure Security: System Hardening
need for the particular service connected to that port. Port vulnerabilities are constantly updated by various vendors, and should be reviewed and evaluated for risk at regular intervals to reduce potential problems.
ACLs
In network devices, an ACL performs a function much like those discussed in the DAC section in Chapter 1. However, the functionality of an ACL is slightly different, and its capacity to control access is limited by the type of device and the control software written to guide the device. Also, ACLs are controlled by a device operator or administrator, not by the "owner" of the resource. Following is a list of the areas of ACLs that can be controlled:
■ Protocols allowed
■ Ports allowed
■ Source of connection
■ Destination of connection
■ Interface type for connection
ACLs are also used as a method of building firewall rules. A firewall router can be used with an ACL to filter or block traffic on specific ports, for specific protocols, and for source or destination network addresses. Packet filter tables are often derived from the construction of the ACL for the firewall.
Finally, ACL configurations must be checked and verified to restrict access to the configuration information itself. The number of individuals or services that have permission to monitor or modify settings on network equipment must be limited to tighten the security of the device. ACLs should also be set to disallow the use of network services such as Telnet and File Transfer Protocol (FTP) for access if alternatives are available, thus tightening the access level even more. Remember from earlier chapters that both of these protocols pass usernames and passwords in cleartext.
Many of the rule sets defined using ACL functions are set to either allow or deny a particular function, protocol, or access at an interface. As noted above, a number of conditions can be controlled at the hardware device with the ACL configurations.
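As an added illustration (not code from the book or from any vendor), the following Python models a first-match ACL over the five fields listed above and applies the Telnet/FTP restriction described in this section; the rule format, the admin subnet 10.0.50.0/24 and the interface name mgmt0 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example: a minimal first-match ACL evaluator covering the five
# fields the text lists (protocol, port, source, destination, interface).
# The rule format is hypothetical, not any vendor's ACL syntax.

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    protocol: str = "any"         # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None    # destination port; None matches any port
    src: str = "0.0.0.0/0"        # source prefix
    dst: str = "0.0.0.0/0"        # destination prefix
    interface: str = "any"        # ingress interface name or "any"

    def matches(self, pkt: dict) -> bool:
        return (
            self.protocol in ("any", pkt["protocol"])
            and (self.port is None or self.port == pkt["port"])
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
            and self.interface in ("any", pkt["interface"])
        )

def evaluate(acl: list, pkt: dict) -> str:
    """Return the action of the first matching rule; implicit deny if none match."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed rule set for a router's management access: cleartext Telnet and
# FTP are denied outright, SSH is permitted only from the admin subnet on the
# management interface, and everything else falls through to the implicit deny.
MGMT_ACL = [
    Rule("deny", "tcp", 23),                      # Telnet: cleartext credentials
    Rule("deny", "tcp", 21),                      # FTP: cleartext credentials
    Rule("permit", "tcp", 22, src="10.0.50.0/24", interface="mgmt0"),
]

def check(src: str, dst: str, proto: str, port: int, iface: str) -> str:
    pkt = {"src": src, "dst": dst, "protocol": proto, "port": port, "interface": iface}
    return evaluate(MGMT_ACL, pkt)

if __name__ == "__main__":
    print(check("10.0.50.7", "10.0.0.1", "tcp", 22, "mgmt0"))   # permit
    print(check("10.0.50.7", "10.0.0.1", "tcp", 23, "mgmt0"))   # deny
    print(check("192.0.2.9", "10.0.0.1", "tcp", 22, "mgmt0"))   # deny
```

Because rules are evaluated in order, the deny entries for ports 23 and 21 must appear before any broad permit; reordering them would silently re-open the cleartext services.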