Cyber ACL FAQ
Table of Contents
- What is an Access Control List (ACL)?
- Why would I need an Access Control List (ACL)?
- What separates Cyber ACL from other network policy products?
- What types of devices does Cyber ACL support?
- Does Cyber ACL encrypt the traffic that it sends to the devices?
- How many ACL entries can Cyber ACL handle?
- Can I import my existing access lists?
- Will there be support for a certain feature in the future?
- Do I have to have a TACACS+ server?
- How does synchronization (aka deployment) work or how does it communicate with the device?
- Does Cyber ACL support logging to syslog and/or external syslog servers?
- Does Cyber ACL support IPv6 access lists?
- Is Cyber ACL a server appliance or a software product?
- What operating system does Cyber ACL run on?
- What are the system requirements for Cyber ACL in terms of hardware?
- Do you support 64-bit Linux?
- Will comments I enter for ACL entries in Cyber ACL be put into the device?
- What happens if I change an ACL on the device manually?
What is an Access Control List (ACL)?
An access control list, also sometimes called a filter, policy, or filter list, is a list kept by network devices to control access to or from a number of network services and addresses. ACLs provide a straightforward way of granting or denying access to a particular network resource, controlling both inbound and outbound network traffic. Access lists or equivalent policies can be implemented on routers and switches as well as firewalls.
Why would I need an Access Control List (ACL)?
Access control lists (ACLs) allow system administrators to control access to network services and sensitive information at a fine granularity. This helps protect businesses from malicious activity. Access control lists also allow companies to control access to their internal infrastructure from within the organization. For example, ACLs let you keep the sales department from accessing HR data and vice versa. An ACL can also be used as a response to an ongoing security threat: when malicious activity is detected from an address or group of addresses, traffic from those addresses can be temporarily or permanently blocked.
What separates Cyber ACL from other network policy products?
Cyber ACL is a cross-platform product, meaning it works with devices from a variety of vendors, so your company will not have to buy a management tool for each type of network device you use. Your IT group will be able to use one tool to manage access control lists on all network devices supported by Cyber ACL.
Cyber ACL stores access lists in one central database accessed via a web interface, and it tracks all changes and device deployments, with support for rolling back to any previous point in an access list's modification history to quickly correct problems caused by a change.
Cyber ACL provides powerful tools for managing and troubleshooting large lists, including hierarchical lists, searching list entries, testing entries against sample packet values, and tracking which devices need to be synchronized when changes are made to ACLs.
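The two ideas above, an ordered list of permit/deny entries with an implicit deny at the end, and testing a list against sample packet values before it is deployed, can be shown in a few dozen lines. The following is an added example written for this FAQ, not Cyber ACL code: it parses a constructed Cisco IOS-style extended access list (a small subset of the real syntax, with contiguous wildcard masks only), evaluates sample packets with first-match semantics, and flags entries that an earlier entry completely shadows, which is the kind of check a large list needs before it goes to a device. All names in it are our own.

```python
"""Toy first-match ACL evaluator for Cisco IOS-style extended access-list lines.

Added example, not part of Cyber ACL. It supports only this subset of the syntax:
    remark <text>
    [permit|deny] <proto> <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' with a
contiguous wildcard mask (0.0.0.255 style). Names below are our own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample list, in the order it would be deployed (first match wins).
SAMPLE_ACL = """
remark Keep the sales subnet off the HR file server; allow everyone else
deny   tcp 10.1.20.0 0.0.0.255 host 10.1.50.10 eq 445
permit tcp any host 10.1.50.10 eq 445
deny   ip  host 203.0.113.77 any
permit tcp host 203.0.113.77 any eq 443
permit tcp any any eq 443
permit udp any host 10.1.50.53 eq 53
""".strip().splitlines()


@dataclass
class Entry:
    action: str
    proto: str                      # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'address wildcard': ipaddress accepts a hostmask (wildcard) as the mask part
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for raw in lines:
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue                                  # comments never match traffic
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport, " ".join(tokens)))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Test a sample packet against the list. Returns (action, matching entry).

    Entries are checked in order and the first match decides; a packet that
    matches nothing hits the implicit 'deny' at the end of every IOS ACL.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "<implicit deny>"


def shadowed(entries: List[Entry]) -> List[int]:
    """Indices of entries fully covered by an earlier entry, so they can never match.

    A shadowed 'permit' silently does nothing; a shadowed 'deny' gives no protection.
    """
    hidden = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            proto_ok = earlier.proto in ("ip", later.proto)
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if (proto_ok and port_ok
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                hidden.append(j)
                break
    return hidden


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(evaluate(acl, "10.1.20.15", "10.1.50.10", "tcp", 445))   # sales -> HR share: deny
    print(evaluate(acl, "10.1.30.7", "10.1.50.10", "tcp", 445))    # another subnet: permit
    print(evaluate(acl, "10.1.20.15", "10.1.50.10", "tcp", 22))    # nothing matches: implicit deny
    print("shadowed entries:", shadowed(acl))                      # [3]
```

Entry 3 in the sample (`permit tcp host 203.0.113.77 any eq 443`) is reported as shadowed because the `deny ip host 203.0.113.77 any` before it already covers every packet it could match; reordering the two entries would change the policy, which is exactly why ordering and sample-packet testing matter before a list is pushed to a device.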
What types of devices does Cyber ACL support?
Currently Cyber ACL supports the following types of devices:
- Cisco IOS routers and switches
- Cisco ASA devices
- Cisco PIX firewalls
- Juniper JunOS routers
- Juniper Netscreen Firewalls
- Force10 routers
- Aruba Mobility Controllers
- iptables and ip6tables
Support for specific devices can be added on request, or as a condition of a sale so please inquire if you need support for other network device types.
Does Cyber ACL encrypt the traffic that it sends to the devices?
If the devices you are connecting to support SSH and SCP, choosing the SSH option when you select the device type in Cyber ACL encrypts all network traffic to the device. If you select Telnet or TFTP to communicate with a device, that traffic is not encrypted.
How many ACL entries can Cyber ACL handle?
Cyber ACL supports a virtually unlimited number of ACL entries. The number of entries a particular network device can support varies depending on the device and the amount of memory it contains. If you find you are limited in the number of ACL entries that you can deploy, consider upgrading to a different router model or adding more memory to the router.
Can I import my existing access lists?
Direct import of ACLs from Cisco IOS, Cisco PIX, Cisco ASA, Juniper, Aruba, and Force10 FTOS configurations is supported. You can import either directly from a configured device or from a saved device configuration file.
Will there be support for a certain feature in the future?
New features are constantly being added to Cyber ACL. If there is a particular feature that you desire, contact us, because there may already be support for that feature in the newest version. Customization for your organization is also an option, so please let us know what your needs are.
Do I have to have a TACACS+ server?
No. We support TACACS+, RADIUS, and LDAP for authorization, as well as the option to authenticate against local accounts on the server.
How does synchronization (aka deployment) work, or how does it communicate with the device?
It depends on what the specific device supports.
For Juniper JunOS routers, the updated portion of the configuration is sent to the device using Secure Copy (SCP), then an SSH connection is used to load the configuration changes.
For Cisco routers and PIX firewalls, there are two basic options, either of which can be used over SSH or telnet. The preferred method uses TFTP via our own special server, which only allows access during a deployment and only to temporary paths based on a secure hash, making TFTP as secure as possible; the TFTP connection is used to retrieve or update the configuration, while SSH or telnet is used to control the device and load the new configuration. The other option is to send all configuration changes over the SSH or telnet connection itself; this is slower, but it can be used to work around problems caused by firewalls and IP masquerading between the server and the device being controlled.
Secure Copy (SCP) is also supported for versions of Cisco IOS that have that capability.
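TFTP has no authentication of its own, so a deployment TFTP server has to get its safety from what it is willing to serve and when. The following is an added illustration of the general technique described above (paths that are unguessable, valid only for the life of one deployment, and refused otherwise); it is not Cyber ACL's implementation, and the class, method and parameter names are our own assumptions.

```python
"""Added example: a TFTP path allow-list that exists only for the life of a deployment.

This illustrates the general technique the FAQ describes (temporary, hash-based
paths that the deployment TFTP server accepts only while a deployment is running);
it is not Cyber ACL's own implementation, and every name here is our own.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict


class DeploymentPaths:
    """Issues one-off configuration paths and answers 'may this request be served?'.

    The protection comes from three things: the path is unguessable, it is valid
    only during the deployment window, and the server refuses every path that is
    not currently on the allow-list.
    """

    def __init__(self, ttl_seconds: float = 300.0,
                 now: Callable[[], float] = time.time) -> None:
        self._key = secrets.token_bytes(32)   # per-process secret, never persisted
        self._ttl = ttl_seconds
        self._now = now                       # injectable clock for testing
        self._active: Dict[str, float] = {}   # path -> expiry time

    def open(self, device_id: str) -> str:
        """Start a deployment for one device and return the path it may fetch."""
        nonce = secrets.token_hex(16)         # fresh randomness per deployment
        tag = hmac.new(self._key, f"{device_id}:{nonce}".encode(),
                       hashlib.sha256).hexdigest()
        path = f"/deploy/{tag}.cfg"
        self._active[path] = self._now() + self._ttl
        return path

    def authorize(self, requested: str) -> bool:
        """Decide whether the TFTP server should serve this request."""
        # Exact-match allow-list; anything with traversal or outside /deploy is refused
        if ".." in requested or not requested.startswith("/deploy/"):
            return False
        expiry = self._active.get(requested)
        if expiry is None:
            return False
        if self._now() > expiry:              # window closed without an explicit close
            del self._active[requested]
            return False
        return True

    def close(self, path: str) -> None:
        """Deployment finished (or failed): the path stops working immediately."""
        self._active.pop(path, None)


if __name__ == "__main__":
    paths = DeploymentPaths(ttl_seconds=60)
    p = paths.open("router-1")
    print(p, paths.authorize(p))              # served while the deployment is open
    paths.close(p)
    print(p, paths.authorize(p))              # refused once it is closed
```

A real server would call `authorize()` from its read and write request handlers and `close()` as soon as the SSH or telnet session reports that the configuration was loaded, so the exposure window is the deployment itself rather than the TTL. The HMAC ties the path to the device it was issued for; the unguessability comes from the random nonce and the per-process key.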
Does Cyber ACL support logging to syslog and/or external syslog servers?
Yes, Cyber ACL can log all of its system activity via syslog, including to external syslog servers.
Does Cyber ACL support IPv6 access lists?
Yes, IPv6 access lists are supported for Cisco IOS as well as Juniper JunOS.
Is Cyber ACL a server appliance or a software product?
Either, really: we can provide you with a preconfigured system to make installation and support simpler, or we can help you install the software on your own server.
What operating system does Cyber ACL run on?
Cyber ACL runs on Red Hat Enterprise Linux and Solaris.
Currently the officially supported operating systems are:
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Solaris 10
What are the system requirements for Cyber ACL in terms of hardware?
This depends somewhat on the number of network devices you are going to manage with Cyber ACL. For small to medium installations, meaning fewer than 100 devices, we recommend a minimum of 256 megabytes of RAM and a Pentium 4 class or equivalent processor.
Do you support 64-bit Linux?
Yes, we support 64-bit Linux and no longer support 32-bit. See the question "What operating system does Cyber ACL run on?"
Will comments I enter for ACL entries in Cyber ACL be put into the device?
The contents of the Description field in Cyber ACL are added as a remark when working with Cisco IOS devices, but comments are not entered on other device types.
What happens if I change an ACL on the device manually?
If you bypass Cyber ACL to make the change, the system will not know about it, and the next time you synchronize the device from Cyber ACL the manual changes will be overwritten. The idea is to enforce compliance with the system.
If you want to automatically pick up access lists that are edited by hand, or to monitor changes to an access list on a device for any reason, you can configure an 'Auto-List', which Cyber ACL checks for changes and imports whenever it is modified. This gives you a revision history of the list and also allows you to monitor it for changes.
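The behaviour described in this answer, detecting a hand edit on the device, importing it as a new revision so nothing is lost, and being able to roll the list back to an earlier revision, is shown below as an added example. It is not Cyber ACL code: the device fetch is replaced by constructed sample lines, and the class and method names are our own.

```python
"""Added example: spotting out-of-band ACL edits and keeping a revision history.

This illustrates the idea behind the FAQ's 'Auto-List' (check the device copy of a
list, import it when it changed, keep every version so it can be rolled back). It
is not Cyber ACL code; the device fetch is replaced by constructed sample lines.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Revision:
    number: int
    source: str        # "cyber-acl" for edits made in the system, "device" for imported drift
    lines: List[str]
    digest: str


@dataclass
class ManagedList:
    name: str
    revisions: List[Revision] = field(default_factory=list)

    @staticmethod
    def _digest(lines: List[str]) -> str:
        # Collapse whitespace so cosmetic differences in device output do not count as drift
        canon = "\n".join(" ".join(line.split()) for line in lines)
        return hashlib.sha256(canon.encode()).hexdigest()

    def current(self) -> Revision:
        return self.revisions[-1]

    def record(self, lines: List[str], source: str) -> Revision:
        rev = Revision(len(self.revisions) + 1, source, list(lines), self._digest(lines))
        self.revisions.append(rev)
        return rev

    def check_device(self, device_lines: List[str]) -> Tuple[bool, List[str], List[str]]:
        """Compare the device's copy with the stored current revision.

        Returns (changed, added, removed). When drift is found the device copy is
        imported as a new 'device' revision, so a hand edit is recorded, not lost.
        """
        if self._digest(device_lines) == self.current().digest:
            return False, [], []
        stored = [" ".join(l.split()) for l in self.current().lines]
        live = [" ".join(l.split()) for l in device_lines]
        added = [l for l in live if l not in stored]
        removed = [l for l in stored if l not in live]
        self.record(device_lines, "device")
        return True, added, removed

    def rollback(self, number: int) -> Revision:
        """Make an earlier revision current again, recorded as a new revision so history stays linear."""
        target = self.revisions[number - 1]
        return self.record(target.lines, f"rollback-to-{number}")


# Constructed sample: what was last deployed, and what the device holds now.
BASELINE = [
    "deny tcp 10.1.20.0 0.0.0.255 host 10.1.50.10 eq 445",
    "permit tcp any host 10.1.50.10 eq 445",
    "permit tcp any any eq 443",
]
# Someone opened telnet by hand on the device, bypassing the management system.
DEVICE_NOW = BASELINE[:2] + ["permit tcp any any eq 23"] + BASELINE[2:]


def demo() -> Tuple[bool, List[str], List[str]]:
    acl = ManagedList("edge-inbound")
    acl.record(BASELINE, "cyber-acl")
    return acl.check_device(DEVICE_NOW)


if __name__ == "__main__":
    changed, added, removed = demo()
    print("drift detected:", changed, "added:", added, "removed:", removed)
```

In practice a rollback is followed by a synchronization so the device matches the restored revision again; the imported 'device' revision stays in the history, which is what lets you see who changed what on the device and when, rather than just overwriting it.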