VESARiA Network Security Specialists
About Vesaria Services Consulting Partners Research Customers Contact Us
Research
 

Firewall Testing

About VESARiA

   

3.6 What are some reasonable filtering rules for a Cisco?

  The example in figure 4 shows one possible configuration for using the Cisco as filtering router. It is a sample that shows the implementation of as specific policy. Your policy will undoubtedly vary.


  
Figure 4: Packet Filtering Router
\begin{figure} \begin{center} \includegraphics {firewalls-faq4} \end{center}\end{figure}

In this example, a company has Class C network address 195.55.55.0. Company network is connected to Internet via IP Service Provider. Company policy is to allow everybody access to Internet services, so all outgoing connections are accepted. All incoming connections go through ``mailhost''. Mail and DNS are only incoming services.

3.6.1 Implementation

  • Allow all outgoing TCP-connections
  • Allow incoming SMTP and DNS to mailhost
  • Allow incoming FTP data connections to high TCP port (>1024)
  • Try to protect services that live on high port numbers

Only incoming packets from Internet are checked in this configuration. Rules are tested in order and stop when the first match is found. There is an implicit deny rule at the end of an access list that denies everything. This IP access list assumes that you are running Cisco IOS v. 10.3 or later. 

no ip source-route
! 
interface ethernet 0 
ip address 195.55.55.1 
no ip directed-broadcast
! 
interface serial 0 
no ip directed-broadcast
ip access-group 101 in 
! 
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip any 0.0.0.0 255.255.255.0
!
access-list 101 deny ip 195.55.55.0 0.0.0.255 
access-list 101 permit tcp any any established 
! 
access-list 101 permit tcp any host 195.55.55.10 eq smtp 
access-list 101 permit tcp any host 195.55.55.10 eq dns 
access-list 101 permit udp any host 192.55.55.10 eq dns 
! 
access-list 101 deny tcp any any range 6000 6003 
access-list 101 deny tcp any any range 2000 2003 
access-list 101 deny tcp any any eq 2049 
access-list 101 deny udp any any eq 2049 
! 
access-list 101 permit tcp any 20 any gt 1024 
! 
access-list 101 permit icmp any any 
! 
snmp-server community FOOBAR RO 2 
line vty 0 4 
access-class 2 in 
access-list 2 permit 195.55.55.0 0.0.0.255

3.6.2 Explanations

  • Drop all source-routed packets. Source routing can be used for address spoofing.
  • Drop directed broadcasts, which are used in smurf attacks.
  • If an incoming packet claims to be from a local net, loopback network, or private network, drop it.
  • All packets which are part of already established TCP-connections can pass through without further checking.
  • All connections to low port numbers are blocked except SMTP and DNS.
  • Block all services that listen for TCP connections on high port numbers. X-windows (port 6000+), OpenWindows (port 2000+) are a few candidates. NFS (port 2049) runs usually over UDP, but it can be run over TCP, so you should block it.
  • Incoming connections from port 20 into high port numbers are supposed to be FTP data connections.
  • Access-list 2 limits access to router itself (telnet & SNMP)
  • All UDP traffic is blocked to protect RPC services

3.6.3 Shortcomings

  • You cannot enforce strong access policies with router access lists. Users can easily install backdoors to their systems to get over ``no incoming telnet'' or ``no X'' rules. Also crackers install telnet backdoors on systems where they break in.
  • You can never be sure what services you have listening for connections on high port numbers.
  • Checking the source port on incoming FTP data connections is a weak security method. It also breaks access to some FTP sites. It makes use of the service more difficult for users without preventing bad guys from scanning your systems.

Use at least Cisco version 9.21 so you can filter incoming packets and check for address spoofing. It's still better to use 10.3, where you get some extra features (like filtering on source port) and some improvements on filter syntax.

You have still a few ways to make your setup stronger. Block all incoming TCP-connections and tell users to use passive-FTP clients. You can also block outgoing ICMP echo-reply and destination-unreachable messages to hide your network and to prevent use of network scanners. Cisco.com use to have an archive of examples for building firewalls using Cisco routers, but it doesn't seem to be online anymore. There are some notes on Cisco access control lists, at least, at ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists .

Vesaria

3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044



Firewall FAQ
Table of Contents

Previous Section: What are some reasonable filtering rules for a kernel-based packet screen?

Next Section: What are the critical resources in a firewall?

Find out more about VESARiA Firewall Testing.

 
© 2000 - 2008 Vesaria Network Security Specialists        
   About Vesaria   |   Legal   |   Privacy   |   Contact Call Us at   443 - 501 - 4044