Use the access control list to protect your network

Learn how to use the access control list on internal servers and clients to protect your network from various attacks.

Most security management programs can use firewalls well, filter routers and other defense tools to protect their networks from attacks by external hackers. However, the biggest enemy of your network is internal attacks. The internal access control list (ACLs) helps protect your network security from internal hazards.

The internal ACLs of your vrouters and vswitches can provide you with another tool in the security components. By limiting the transmission type in your network, you can improve performance and reduce your weaknesses to prevent internal attacks, Trojans, and worms from spreading. When you develop an internal ACLs, remember this basic rule: the client sends an ACLs and the server listens.

Server listener
Unless you create a script to run on the server, you use the server to control other servers or connections, such as a server terminal or printer server. The server does not establish a connection. They have service requirements from the client machine.

Therefore, when developing ACLs, you must first determine what each server is doing and which customer needs to access the information. For example, if you are running an internal non-SSL network service, you can place the access list at the port to access your network service, only port 80 of TCP can be accessed. However, if the server is a range controller DC, you need to allow a series of ports to access the server, so that you can perform customer identification and login services.

In particular, in Windows nt dc, you need to allow:

NetBIOS Name: UDP port 137
NetBIOS network login and browsing: UDP port 138
NetBIOS Session: TCP port 139
Remote program Call (RPC): TCP port 135

Or, for Windows 2000 DC, you need to allow:

Kerberos authentication: UDP/TCP port 88
RCP: TCP port 135
Lightweight Directory Access Protocol (LDAP): UDP and TCP port 389
Microsoft path service: TCP port 445
LDAP Global Directory: TCP port 3268 (if DC maintains the permission to operate the global directory)

The server list then depends on the server type and function the server list continues, depending on The type and function of the server.

Client sending
As I mentioned earlier, the client "talk" or establish a connection. To increase internal security, you need to filter the external connections of the client. Although it is not easy to try to filter customers' connections, once you know which port your server is listening to, you can know which port your customer is trying to connect.

Developing an access list for a customer connection is determined by understanding what services your customer needs. For example, if you do not want a client to remotely log on, you can do so by not allowing it to access TCP port 23.

Last thought
You may think that these types of ACLs are too difficult to manage. But before you leave this decision, run the NMAP or another port scanner and record the connection between the client and the server. This provides you with a working baseline, so that you can create your own internal ACL on this baseline and increase the possibility of your success.

A Trojan horse and a worm need a port to communicate. Strictly control ports and protocols in your internal network, and you can reduce the chance of their reproduction, so pay special attention to the open ports of your servers and customers. It takes a long time to control your network security, from the beginning of the network connection to the end of the customer's connection.(