Firewall Manager v2 is a tool within the MyRackspace Portal that allows you to manage your Cisco firewall.
This article describes the access-list rule feature of Firewall Manager v2.
To learn more about the tool, see Firewall Manager v2.
Access control lists (ACLs), or access-lists, enable Cisco firewalls to filter traffic. The security of your Rackspace environment begins at your Cisco firewall. Misconfigurations in network access policies on your firewall can lead to unwanted network exposure and potential compromise.
The access-lists control the traffic that attempts to enter the internal networks from an external, unsecured network. If access-lists are not used, the Cisco firewall's default security policy of security-levels is active, which does not provide the highest level of network security.
An access control entry (ACE) is an individual entry in an ACL. ACEs are referred to as rules in Firewall Manager v2. The Cisco firewall allows you to configure only one access-list per interface per direction. This access-list can contain as many ACEs, or rules, as necessary.
For more information about how to view, modify, add, and delete access-lists, see the following articles:
- View an access-list rules
- Add an access-list rule
- Modify an access-list's execution order
- Delete an access-list rule
To remain secure and follow compliance requirements, use the following best practices and recommendations:
Be as specific as possible when setting up ACLs. Minimize the size of the source and destination traffic in your access-list rules when possible.
Do not define the destination as any (your entire Rackspace environment) when only one destination server needs to be accessed.
Do not allow traffic from any source to any destination of the IP, TCP, or UDP protocols. Allowing traffic to these destinations effectively turns your security platform into a router because it will not block any packets from reaching any destination in your environment over those protocols.
Do not allow all traffic to a destination or group of destinations. (Do not use permit ip any [host] or permit ip any [object-group]).
Do not open the following ports globally: 22 - SSH, 1433 - Microsoft SQL, 3306 - MySQL, and 3389 - RDP.
Updated 6 months ago