During a recent IT audit, we got dinged for "too much" open access to the servers. To address the auditor's concern and satisfy management, we are working on addressing what the auditor's brought up. Since we are mostly a Cisco shop, there are two schools of thought on how to come up with a good resolution -- using ACLs or adding an interior PIX to the network. Do you have any suggestions? -- Via the Internet.
Both of the potential solutions you mention will work.
An advantage of ACLs is that you could do it right now without incurring any additional costs or having to make server configuration changes. You can use either a basic or an extended ACL. A basic ACL, which filters on source address only, would probably keep the auditors happy, but might not be scalable enough. Extended ACLs, which also match on destination, protocol and port, offer more granularity, although they take more planning to ensure you are not locking things down too tight or leaving too much open. Checking ACLs will also need to be added to the troubleshooting checklist for network issues, to minimise time spent spinning your wheels when nothing else seems to be the cause of the problem.
If you do go with ACLs, you'll need to consider where to place them. You can either put an ACL on the VLAN the servers are on or on the individual port a server connects to. With a VLAN-based ACL, you have one ACL to maintain, but it will be a very large ACL to work with. With port-based ACLs, each ACL is smaller, but you'll have more of them. The biggest problem you will have with ACLs is that with current versions of IOS you can't edit an ACL in place. Your only choice is to remove the ACL and then upload the newer version of it.
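A concrete version of the VLAN-placed extended ACL described above, as an added example that is not from the original column. The subnets, VLAN number, host address and ACL names are all constructed placeholders for a hypothetical server VLAN.

```cisco
! Added example, not from the original column. Addresses, VLAN number and names
! are constructed placeholders: servers on VLAN 20 = 10.20.0.0/24, admin
! workstations on 10.10.5.0/24, one database host at 10.20.0.15.
ip access-list extended SERVER-VLAN-OUT
 remark -- remote administration only from the admin subnet
 permit tcp 10.10.5.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 22
 permit tcp 10.10.5.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 3389
 remark -- published services reachable by any internal client
 permit tcp any 10.20.0.0 0.0.0.255 eq 443
 permit tcp any host 10.20.0.15 eq 1433
 remark -- replies to sessions the servers themselves opened (DNS, NTP, TCP)
 permit udp any eq 53 10.20.0.0 0.0.0.255
 permit udp any eq 123 10.20.0.0 0.0.0.255
 permit tcp any 10.20.0.0 0.0.0.255 established
 remark -- everything else is dropped; the log feeds the troubleshooting checklist
 deny ip any any log
!
! One ACL for the whole server VLAN (the single-large-ACL option). On an SVI,
! "out" filters packets being routed INTO the VLAN, i.e. toward the servers.
interface Vlan20
 ip access-group SERVER-VLAN-OUT out
!
! Per-line hit counters when a "the network is broken" ticket arrives:
!   show ip access-lists SERVER-VLAN-OUT
!
! Changing the list later: rather than "no ip access-list extended SERVER-VLAN-OUT"
! followed by re-pasting (while the name is unbound, the access-group passes all
! traffic), build the revision under a new name and swap the binding in one step:
ip access-list extended SERVER-VLAN-OUT-v2
 ! ... revised entries ...
interface Vlan20
 ip access-group SERVER-VLAN-OUT-v2 out
```

The same entries applied per port instead would be split into one shorter list per server, each bound with `ip access-group ... in` on the access port, which is the smaller-but-more-of-them trade-off the answer describes.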
The other option is to buy a hardware-based firewall. While this may mean changing the IP addresses of the servers going behind the firewall (on the public side of the firewall they will still be known by their "old" IP addresses), there are benefits worth looking at. Some of the newer ASA appliances from Cisco let you add an intrusion-prevention system (IPS) module to supplement the controls you get from the firewall's access rules. Here you can edit the rules in place, without the rip-and-replace you have to do with ACLs. By adding an IPS to the mix, you address the auditors' concerns today and add another layer that will be there the next time you are looked at with a microscope.