
Outbound router ACL on grid member interfaces

Adviser

I have one grid member that is open to the world, so I am going to set up an outbound router ACL for the MGMT, LAN1 and LAN2 ports.

 

I've researched this and come up with the port list below.  Am I missing anything?

 

 

Allow from "grid master"       UDP 2114   Auth needed to join grid
Allow from "grid master"       UDP 1194   VPN for grid communications
Allow from any                 TCP 53     DNS (grid master and DNS clients)
Allow from any                 UDP 53     DNS (grid master and DNS clients)
Allow from "internal network"  TCP 22     SSH access to grid member
Allow from any                 UDP 123    Allow any NTP clients

 

Logging:  Since this is an outbound ACL (from the router interface perspective), I shouldn't have to do anything since we're using UDP 514 for this particular member. 

 

Reporting: Grid members talk to the reporting appliance on TCP 9997, so I will need to allow return traffic.

Re: Outbound router ACL on grid member interfaces

Adviser

Hi,

 

All internal communication should be via the MGMT port (Grid, Syslog, Reporting).

LAN1, LAN2 only for DNS. I'm not sure if you really need to open NTP to the world.

 

BR,

Vadim

Re: Outbound router ACL on grid member interfaces

HNiroomand
Techie

Hello, 

I am trying to secure our Infoblox environment also. I am wondering if these settings worked for you. My questions are on your TCP/UDP 53 and NTP 123.

My understanding is the response for DNS goes on 53 and can come back on any random port. I may be wrong, so blocking others except 53 worked for you?

Opening NTP 123 to any (world) doesn't cause issues? I am planning to block NTP to the world. Am I wrong on this?

Thanks
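The port list in the first post and the return-traffic question raised in the reply above both come down to the fact that a plain router ACL is stateless and sees only one direction of a flow. Applied outbound on the interface facing the member, it evaluates packets travelling toward the member: a DNS client's query (random source port, destination port 53) matches the port-53 rule, and the member's reply goes the other way and is never checked by this list. The exception in the list is reporting, where the member initiates the TCP 9997 connection and the appliance's replies do travel toward the member, so those need a rule. The model below is an added example written for this thread, not code from the original posts or from Infoblox; the addresses (grid master 10.0.0.1, member 10.0.1.5, internal network 10.0.0.0/8, reporting appliance 10.0.0.20) and the test packets are constructed, and the `established` flag mimics the IOS keyword of the same name.

```python
"""Stateless ACL check for the outbound rule set from the first post.

Added example for this thread, not from the original posts or from
Infoblox. Addresses are made up for illustration: grid master 10.0.0.1,
member MGMT 10.0.1.5, internal network 10.0.0.0/8, reporting appliance
10.0.0.20. The ACL is applied outbound on the router interface facing
the member, so it evaluates packets travelling toward the member; the
member's own replies leave through the inbound side of that interface
and never traverse this list.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

GRID_MASTER = ip_network("10.0.0.1/32")   # assumed address
INTERNAL = ip_network("10.0.0.0/8")       # assumed "internal network"
REPORTING = ip_network("10.0.0.20/32")    # assumed reporting appliance
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK or RST set: part of an existing connection


@dataclass(frozen=True)
class Rule:
    proto: str
    src_net: IPv4Network
    dport: Optional[int]          # None matches any destination port
    sport: Optional[int] = None   # None matches any source port
    established: bool = False     # like IOS "established": ACK/RST only
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in self.src_net
                and (self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport)
                and (not self.established or p.ack))


# The port list from the first post, in order, plus the reporting return
# traffic that post says still has to be allowed.
MEMBER_OUT = [
    Rule("udp", GRID_MASTER, 2114, comment="auth needed to join grid"),
    Rule("udp", GRID_MASTER, 1194, comment="VPN for grid communications"),
    Rule("tcp", ANY, 53, comment="DNS"),
    Rule("udp", ANY, 53, comment="DNS"),
    Rule("tcp", INTERNAL, 22, comment="SSH from the internal network"),
    Rule("udp", ANY, 123, comment="NTP, open to any client as posted"),
    # Reporting: the member opens TCP 9997 to the appliance, so what comes
    # back toward the member has sport 9997 and ACK set; a fresh SYN from
    # the appliance toward the member is still denied.
    Rule("tcp", REPORTING, None, sport=9997, established=True,
         comment="reporting replies"),
]


def evaluate(p: Packet, acl=MEMBER_OUT) -> str:
    """First match wins; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return "permit"
    return "deny"


def demo():
    """Constructed packets heading toward the member (10.0.1.5)."""
    member = "10.0.1.5"
    cases = {
        # Internet DNS client: random source port, destination port 53.
        "dns query": Packet("udp", "198.51.100.7", 40123, member, 53),
        # Grid join from the master versus from a stranger.
        "grid join": Packet("udp", "10.0.0.1", 2114, member, 2114),
        "rogue join": Packet("udp", "198.51.100.7", 2114, member, 2114),
        # SSH from inside versus from the Internet.
        "ssh internal": Packet("tcp", "10.2.3.4", 51000, member, 22),
        "ssh internet": Packet("tcp", "198.51.100.7", 51000, member, 22),
        # Reporting appliance answering a connection the member opened.
        "report reply": Packet("tcp", "10.0.0.20", 9997, member, 52000, ack=True),
        # Reporting appliance trying to open a new connection to the member.
        "report syn": Packet("tcp", "10.0.0.20", 9997, member, 52000),
        # Syslog (UDP 514) is member -> collector; it never traverses this
        # ACL, so nothing here needs to allow it, as the first post says.
    }
    return {name: evaluate(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Run it to print a verdict per constructed packet. Expressed as an IOS extended ACL, each `Rule` is one `permit` line and the list is bound with `ip access-group <name> out` on the member-facing interface; the `established` rule is what lets the reporting replies through without opening every high port toward the member.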

 

Re: Outbound router ACL on grid member interfaces

zoziano
Techie

Need to understand where we put inbound access-lists and in which scenarios we put them outbound. Are there any specific guidelines?

 

