Frequently Asked Questions
What is an Access Control List (ACL)?
An access control list (ACL), also sometimes called a filter, is a list kept by network devices to control access to or from a number of network services. ACLs provide a straightforward way of granting or denying access to a particular network resource, controlling both inbound and outbound network traffic, just as a firewall does. Both individual servers and routers can have access lists.
Why would I need an Access Control List (ACL)?
Access control lists (ACLs) allow system administrators to control access to network services and sensitive information at a fine-grained level. This helps protect businesses from malicious activity. Access control lists also allow companies to control access to their internal infrastructure from within the organization. For example, ACLs allow you to keep the sales department from accessing HR data and vice versa.
What separates ACL Compliance Director from other network policy products?
ACL Compliance Director is a cross-platform utility, meaning it works with devices from a variety of vendors, so your company will not have to buy a management tool for each type of network device that you use. Your IT group will be able to use one tool to manage access control lists on all network devices supported by ACL Compliance Director.
ACL Compliance Director stores access lists in one central database accessed via a web interface and tracks all changes and device deployments, with support for rolling back to any previous point in the modification history of an access list to quickly correct any problems caused by changes.
ACL Compliance Director provides powerful tools for managing and troubleshooting large lists, including hierarchical lists, searching list entries, testing entries against sample packet values, and tracking which devices need to be synchronized when changes are made to ACLs.
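As an added illustration of what an access list does and of what testing entries against sample packet values looks like, the following Python parses a small Cisco IOS-style extended ACL and evaluates sample packets against it with IOS first-match semantics and the implicit deny at the end. This is example code written for this FAQ, not code from ACL Compliance Director; the addresses and entries are constructed, and the parser assumes numbered or unnumbered entries, contiguous wildcard masks and the `eq` destination-port form only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Cisco IOS extended ACL syntax (addresses are made up).
# It keeps the sales subnet (10.1.0.0/24) away from the HR server (10.2.0.10)
# while still letting sales reach other HTTPS servers, and lets anyone do DNS.
SAMPLE_ACL = """
10 remark keep sales away from the HR server
20 deny tcp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 443
30 deny tcp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 445
40 permit tcp 10.1.0.0 0.0.0.255 any eq 443
50 permit udp any any eq 53
"""


@dataclass
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port; None means any port


def _parse_addr(tokens, i):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') starting at
    tokens[i]; return (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is an inverted subnet mask (0.0.0.255 -> 255.255.255.0).
    # Only contiguous wildcards are handled here; ip_network rejects others.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Parse extended ACL lines into Entry objects ordered by sequence number.
    Remarks are skipped; unnumbered lines get the next number in steps of 10."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq = entries[-1].seq + 10 if entries else 10
        if tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(Entry(seq, action, proto, src, dst, dport))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """Evaluate one sample packet the way IOS does: the first matching entry
    wins, and a packet that matches nothing hits the implicit 'deny ip any any'.
    Returns (action, sequence number of the matching entry or None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in [("tcp", "10.1.0.5", "10.2.0.10", 443),
                ("tcp", "10.1.0.5", "203.0.113.9", 443),
                ("udp", "192.0.2.1", "10.2.0.10", 53),
                ("tcp", "10.1.0.5", "10.2.0.10", 22)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

The returned sequence number is what makes such a check useful when troubleshooting a large list: it tells you which entry, not just which verdict, a sample packet hits, and a result of `("deny", None)` tells you the packet fell through to the implicit deny rather than to an explicit entry.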
Does ACL Compliance Director encrypt the traffic that it sends to the devices?
If the devices you are connecting to support SSH and SCP, then choosing the SSH option when you select the device type in ACL Compliance Director will encrypt all network traffic to them. If you choose to communicate with devices via Telnet or TFTP, the traffic will not be encrypted.
How many ACL entries can ACL Compliance Director handle?
ACL Compliance Director supports a virtually unlimited number of ACL entries. The number of entries a particular network device can support varies depending on the device and the amount of memory it contains. If you find you are limited in the number of ACL entries that you can deploy, consider upgrading to a different router model or adding more memory to the router.
Can I import my existing access lists?
Direct import of ACLs from Cisco IOS configurations is supported. Importing from Juniper configurations is not yet supported.
Will there be support for a certain feature in the future?
New features are constantly being added to ACL Compliance Director. If there is a particular feature you need, contact us, because the newest version may already support it. Customization for your organization is also an option, so please let us know what your needs are.
Do I have to have a TACACS+ server?
No. We support TACACS+, RADIUS, and LDAP for authorization, as well as the option to authenticate against local accounts on the server.
How does synchronization (also called deployment) work, and how does it communicate with the device?
It depends on what the specific device supports.
For Juniper JunOS routers, the updated portion of the configuration is sent to the device using Secure Copy (SCP), and then an SSH connection is used to load the configuration changes.
For Cisco routers and PIX firewalls, there are two basic options, each of which can be used over either SSH or telnet. The preferred method uses TFTP via our own special server, which only allows access during a deployment and only to temporary paths derived from a secure hash, making TFTP as secure as possible; the TFTP connection is used to retrieve or update the configuration, while SSH or telnet is used to control the device and load the new configuration. The other option is to send all configuration changes over the SSH or telnet connection itself; this option is slower, but it can be used to work around problems caused by firewalls and IP masquerading between the server and the device being controlled.
Secure Copy (SCP) is also supported for versions of Cisco IOS that have that capability.
Does ACL Compliance Director support logging to syslog / an external syslog server?
Yes, ACL Compliance Director can log all its system activity via syslog.
Does ACL Compliance Director support IPv6 access lists?
Yes, IPv6 access lists are supported for Cisco IOS as well as Juniper JunOS.
Is ACL Compliance Director a server appliance or a software product?
Either, really: we can provide you with a preconfigured system to make installation and support simpler, or we can help you install the software on your own server.
What operating system does ACL Compliance Director run on?
ACL Compliance Director runs on Linux, and our preconfigured systems use the Red Hat Fedora 8 distribution; however, the system is very portable and we can accommodate other types of Linux and Unix on request.
Do you support 64-bit Linux?
Yes, by request; our standard system is 32-bit for maximum compatibility. See the question "What operating system does ACL Compliance Director run on?"
Will comments I enter for ACL entries in ACL Compliance Director be put into the device?
The contents of the Description field in ACL Compliance Director will be added as a remark when working with Cisco IOS devices, but comments are not entered on other device types.
What happens if I change an ACL on the device manually?
If you bypass ACL Compliance Director to make the change, the system will not know about it, and the next time you synchronize the device from ACL Compliance Director the change will be overridden. The intent is to enforce compliance with what the system holds.
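Because an out-of-band edit is silently lost at the next synchronization, a practitioner usually wants to spot such drift before deploying, both to catch an unauthorized change and to avoid unknowingly removing a fix someone applied by hand. As an added example written for this FAQ (not a feature or code of ACL Compliance Director), the following Python normalizes a stored copy of a Cisco IOS extended ACL and the copy read back from a device, and reports the entries that exist only on the device or only in the database. The configurations and addresses are constructed; the code assumes IOS named-ACL syntax with optional sequence numbers.

```python
import re

# Constructed sample: the ACL as held in the management database
# (the stored copy is the source of truth) ...
STORED = """
ip access-list extended SALES-OUT
 remark keep sales away from the HR server
 deny tcp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 443
 permit tcp 10.1.0.0 0.0.0.255 any eq 443
 permit udp any any eq 53
"""

# ... and the same ACL read back from a device's running configuration after
# a hand edit (constructed: one permit was inserted out of band, one removed).
ON_DEVICE = """
ip access-list extended SALES-OUT
 10 remark keep sales away from the HR server
 20 deny tcp 10.1.0.0 0.0.0.255 host 10.2.0.10 eq 443
 25 permit tcp host 10.1.0.77 host 10.2.0.10 eq 443
 30 permit tcp 10.1.0.0 0.0.0.255 any eq 443
"""

_SEQ = re.compile(r"^\d+\s+")


def normalize(config):
    """Reduce an ACL block to a list of canonical entry strings so two copies
    can be compared: the 'ip access-list' header and remark lines are dropped,
    IOS sequence numbers are stripped (the device renumbers them), and runs of
    whitespace are collapsed."""
    entries = []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("ip access-list"):
            continue
        line = _SEQ.sub("", line)
        if line.startswith("remark"):
            continue
        entries.append(line)
    return entries


def detect_drift(stored, on_device):
    """Compare the stored ACL with what the device is actually running.
    Returns the entries present only on the device (added out of band), the
    entries the device has lost, and whether the two are identical in content
    and order (order matters because evaluation is first-match)."""
    want, have = normalize(stored), normalize(on_device)
    return {
        "unauthorized": [e for e in have if e not in want],
        "missing": [e for e in want if e not in have],
        "in_sync": want == have,
    }


def report(stored, on_device):
    """Operator-readable summary of what the next synchronization would undo."""
    drift = detect_drift(stored, on_device)
    if drift["in_sync"]:
        return "device matches stored ACL"
    lines = []
    for e in drift["unauthorized"]:
        lines.append("+ on device only (removed at next sync): " + e)
    for e in drift["missing"]:
        lines.append("- missing from device (restored at next sync): " + e)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(STORED, ON_DEVICE))
```

Running the check against the sample flags the hand-inserted `permit tcp host 10.1.0.77 ...` entry as present only on the device and the DNS permit as missing, which is exactly the information an operator needs before deciding whether to synchronize or to bring the manual change into the database first.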