Question : Restricting outbound traffic with an inside acl

Greetings!  

Part technical, part "poll"....do a lot of folks restrict users' outbound traffic?  I seem to be hearing of more companies doing this.  I know it varies depending on requirements, but what would a typical inside ACL look like with tighter restrictions...allowing just web, ftp, etc.  What other types of services would you typically open?  Today, we only block a handful of ports.  Our current ACL is shown below.

Thanks for the insight!


access-list InsideACL extended permit icmp any any echo
access-list InsideACL extended permit icmp any any echo-reply
access-list InsideACL extended deny tcp any any object-group BlockedTCPportsOutbound
access-list InsideACL extended deny udp any any object-group BlockedUDPportsOutbound
access-list InsideACL extended permit tcp any any
access-list InsideACL extended permit udp any any


Answer : Restricting outbound traffic with an inside acl

Yes, a lot of people are restricting more and more these days.  You have spyware bandwidth to worry about, not to mention with iPods and everything else out there a lot of people want to use the company bandwidth instead of their connection at home.

So, for example, I only allow http and www traffic out on one IP address so I can log and monitor it.

access-list outside1 permit tcp any host 100.100.100.1 eq www
access-list outside1 permit tcp any host 100.100.100.2 eq https
access-list outside1 permit tcp any host 100.100.100.2 eq ftp
On the inside of the company I run a proxy to restrict speeds.
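
A default-deny version of the question's InsideACL, combined with the answer's idea of sending web traffic through one monitored proxy; this is an added example, not configuration from either poster. The object-group names and the hosts 10.0.0.10 (internal DNS resolver) and 10.0.0.20 (internal proxy) are assumptions.

```cisco
! Added example: group names and the 10.0.0.x hosts are assumed placeholders.
object-group service AllowedTCPOutbound tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
!
! Assumed internal DNS resolver and web proxy
object-group network InsideDNS
 network-object host 10.0.0.10
object-group network InsideProxy
 network-object host 10.0.0.20
!
! Outbound ping stays allowed, as in the original ACL
access-list InsideACL extended permit icmp any any echo
! Only the internal resolver may query outside DNS servers
access-list InsideACL extended permit udp object-group InsideDNS any eq domain
access-list InsideACL extended permit tcp object-group InsideDNS any eq domain
! Web and FTP leave only from the proxy, so one host carries all the logs
access-list InsideACL extended permit tcp object-group InsideProxy any object-group AllowedTCPOutbound
! Everything else is dropped; "log" records each denied flow
access-list InsideACL extended deny ip any any log
!
access-group InsideACL in interface inside
```

The final deny repeats the implicit deny that ends every ASA ACL; writing it out with `log` records the dropped connections, which shows what other services users actually need before more ports are opened.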