ACL Compliance Director FAQ

Transcription

1 Abstract Cyber Operations, Inc., Cyber Operations, Inc. Copyright 2008 Cyber Operations, Inc. This document contains frequently asked questions about ACL Compliance Director with answers. Table of Contents... 1 What is an Access Control List (ACL)?... 1 Why would I need an Access Control List (ACL)?... 1 What separates ACL Compliance Director from other network policy products?... 2 What types of devices does ACL Compliance Director support?... 2 Does ACL Compliance Director encrypt the traffic that it sends to the devices?... 2 How many ACL entries can ACL Compliance Director handle?... 2 Can I import my existing access lists?... 3 Will there be support for a certain feature in the future?... 3 Do I have to have a TACACS+ server?... 3 How does synchronization (aka deployment) work or how does it communicate with the device?... 3 Does ACL Compliance Director support logging to syslog and/or external syslog servers?... 3 Does ACL Compliance Director support IPv6 access lists?... 3 Is ACL Compliance Director a server appliance or a software product?... 4 What operating system does ACL Compliance Director run on?... 4 What are the system requirements for ACL Compliance Director in terms of hardware?... 4 Do you support 64-bit Linux?... 4 Will comments I enter for ACL entries in ACL Compliance Director be put into the device?... 4 What happens if I change an ACL on the device manually?... 4 What is an Access Control List (ACL)? An access control list which is also sometimes called a filter, policy, or filter list is a list kept by network devices to control access to or from a number of network services and addresses. ACL's provide a straightforward way of granting or denying access to a particular network resource, controlling both inbound and outbound network traffic. Access-lists or equivalent policies can be implemented on routers and switches as well as firewalls. Why would I need an Access Control List (ACL)? Access control lists (ACL,s) allow system administrators to granularly control access to network services and sensitive information. This helps to protect businesses from malicious activity. Access control lists also allow companies to control access to their internal infrastructure from within the organization. For example, ACL's allow you to keep the sales department from accessing HR data and vice versa. An ACL can also be used as a response to an ongoing security threat. When malicious activity is detected from an address or group of addresses, traffic from those addresses can be temporarily or permanently blocked. 1

2 What separates ACL Compliance Director from other network policy products? ACL Compliance Director is a cross platform product, meaning it works with a variety of different vendors' devices so your company will not have to buy a management tool for each type of network device that you use. Your IT group will be able to use one tool to manage access control lists on all network devices support by ACL Compliance Director. ACL Compliance Director stores access lists in one central database accessed via web interface and tracks all changes device deployments with support for rolling back to any previous point in the modification history of an access list to quickly correct any problems from changes. ACL Compliance Director provides powerful tools for managing and troubleshooting large lists including hierarchal lists, searching list entries, testing against sample packet values, and tracking which devices need to by synchronized when changes are made to ACLs. What types of devices does ACL Compliance Director support? Currently ACL Compliance Director supports the following types of devices: 1. Cisco IOS routers and switches 2. Cisco ASA devices 3. Cisco PIX firewalls 4. Juniper JunOS routers 5. Juniper Netscreen Firewalls 6. Force10 routers 7. Aruba Mobility Controllers Support for specific devices can be added on request, or as a condition of a sale so please inquire if you need support for other network device types. Does ACL Compliance Director encrypt the traffic that it sends to the devices? If the devices that you are trying to connect to support SSH and SCP, then choosing the SSH option when you select the type of device in ACL Compliance Director will encrypt all network traffic. If you select to communicate with devices via Telnet or TFTP then the traffic will not be encrypted. How many ACL entries can ACL Compliance Director handle? ACL Compliance Director supports a virtually unlimited number of ACL entries. The number of entries a particular network device can support varies depending on the device and the amount of memory that the 2

3 device contains. If you find you are limited in the number of ACL entries than you can deploy, consider upgrading to a different model router or adding more memory to the router. Can I import my existing access lists? Direct import of ACL's from Cisco IOS, Cisco PIX, Cisco ASA, Juniper, Aruba, and Force10 FTOS configurations is supported. You can import either directly from a configured device or from a saved device configuration file. Will there be support for a certain feature in the future? New features are constantly being added to ACL Compliance Director. If there is a particular feature that you desire, contact us because there already may be support for that feature in the newest version. Customization for your organization is also an option, so please let us know what your needs are. Do I have to have a TACACS+ server? No, we support TACACS+, Radius, and LDAP for authorization as well as the option to authenticate based on local accounts on the server. How does synchronization (aka deployment) work or how does it communicate with the device? It depends on what the specific device supports. For Juniper JunOS routers, the updated portion of the configuration is sent to the device using Secure Copy(SCP), then an SSH connection is used to load the configuration changes. For Cisco routers and PIX firewalls, there are two basic options which can be used over either SSH or telnet. The preferred method uses TFTP via our own special server that only allows access during a deployment and only allows access to temporary paths which are based on a secure hash to make TFTP as secure as is possible; the TFTP connection is used to retrieve or update the configuration, while SSH or telnet is used to control the device and load the new configuration. Another option is to send all configuration changes over an SSH or telnet connection; this option is slower, but can be used workaround problems caused by firewalls and IP masquerading between the server and the device being controlled. Secure Copy (SCP) is also supported for versions of Cisco IOS that have that capability. Does ACL Compliance Director support logging to syslog and/or external syslog servers? Yes, ACL Compliance Director can log all of its system activity via syslog including to external syslog servers. Does ACL Compliance Director support IPv6 access lists? Yes, IPv6 access lists are supported for Cisco IOS as well as Juniper JunOS. 3

4 Is ACL Compliance Director a server appliance or a software product? Either, really, we can provide you with a preconfigured system to make installation and support simpler, or we can help you install the system on your server. What operating system does ACL Compliance Director run on? ACL Compliance Director runs on Linux, and our preconfigured systems use the RedHat Fedora 8 distribution, however the system is very portable and we can accommodate other types of Linux and Unix on request. Currently the officially supported Linux distributions are: 1. Fedora 2. RedHat Enterprise Linux 3. SuSE Linux What are the system requirements for ACL Compliance Director in terms of hardware? This depends somewhat on the number of network devices you are going to manage with ACL Compliance Director. For small to medium installations, meaning less than 100 devices, we recommend a minimum of 256 megabytes of RAM, and a Pentium 4 class or equivalent processor. Do you support 64-bit Linux? Yes, by request, our normal system is 32 bit for maximum compatibility. See the question "What operating system does ACL Compliance Director run on?" Will comments I enter for ACL entries in ACL Compliance Director be put into the device? The contents of the Description field in ACL Compliance Director will be added as a remark when working with Cisco IOS devices, but comments are not entered with other device types. What happens if I change an ACL on the device manually? If you bypass ACL Compliance Director to make the change then the system will not know about it, and the next time you synchronize the device from ACL Compliance Director the changes will be overridden. The idea is to enforce compliance with the system. If you want to automatically update access lists that are edited by hand or monitor changes to an accesslist on a device for any reason, then you can configure an 'Auto-List' which ACL compliance directory 4

5 will check for changes and import whenever it is modified. This gives you a revision history of the list and also allows you to monitor it for changes. 5