GroupStudy.com - A virtual community of network engineers
Ingress ACL for internet routers [7:63118] posted 02/16/2003


Hello Group,

I'm currently trying to refine security for my Internet routers by
developing my ingress ACL. My routers aren't ISP routers, they are more of a
gateway/border router for your standard enterprise which connects to the
ISP. I know that the ISP may use some filtering on their end, but doing
ingress filtering again on your router is always a good idea. Reading
through MCNS and SAFE whitepapers, they pretty much suggest filtering for
RFC1918 and RFC2827, which I don't think is enough for a production router.

Also, you guys might suggest using a firewall. The point of the
gateway/border router is to function as the router that connects to the
Internet before the firewall, so it is used in tandem with the firewall. Any
sort of ACL to only permit certain ports for accessing backend servers
should only be added on the firewall.

Here are a couple of links I've been referring to for developing my ACL:

http://www.cymru.com/Documents/icmp-messages.html

http://www.cymru.com/Documents/secure-ios-template.html

If you look at the ACL that the link above had, it is huge. Does anyone
think it is relevant for my requirements? What about the null0 routes? I
would imagine that they're only useful for the ISP routers since they are
routing ISP traffic and need to black-hole those routes.

Here is the current ACL I'm using:

access-list 150 remark Inbound Packet Filter from Internet
access-list 150 remark ---- Limit ICMP messages
access-list 150 deny   icmp any any log-input fragments
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any packet-too-big
access-list 150 permit icmp any any source-quench
access-list 150 permit icmp any any time-exceeded
access-list 150 deny   icmp any any log-input
access-list 150 remark ---- Deny invalid IP sources
access-list 150 deny   ip 0.0.0.0 0.255.255.255 any log-input
access-list 150 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 150 deny   ip 169.254.0.0 0.0.255.255 any log-input
access-list 150 deny   ip 172.16.0.0 0.15.255.255 any log-input
access-list 150 deny   ip 192.168.0.0 0.0.255.255 any log-input
access-list 150 deny   ip 192.0.2.0 0.0.0.255 any log-input
access-list 150 deny   ip 224.0.0.0 15.255.255.255 any log-input
access-list 150 deny   ip 240.0.0.0 7.255.255.255 any log-input
access-list 150 deny   ip 248.0.0.0 7.255.255.255 any log-input
access-list 150 deny   ip host 255.255.255.255 any log-input
access-list 150 remark ---- Permit all other traffic
access-list 150 permit ip any any

A couple of things I can think of for improving my ACL: firstly, logging
all the ICMP traffic that I'm denying. Currently, I'm denying all other ICMP
traffic that doesn't match the traffic I permitted, and logging it. In my
production routers, I'm seeing my logs have logged quite a few ICMP denies.
I think it would be a good idea to log all the different ICMP message types
that have been denied just to see what is being sent to my network that is
being denied, e.g. access-list 199 permit icmp any any host-redirect

Secondly, maybe increasing the number of non-valid ip address ranges coming
in, and using Turbo ACL. Has anyone had experience with Turbo ACL?

What about egress ACL, should I consider an egress ACL? Maybe just to permit
traffic from my network to go out the network, just in case someone within
tries to spoof traffic?

I'm trying to keep the ACL as generic as possible, so I can use it for all
the different routers that connect to the Internet, and add any changes as
needed to tailor it for each different network.

Thanks in advance for your suggestions.

Regards,

Albert Lu




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63118&t=63118
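
An added example, not part of the original post: a small Python audit of the source-address entries of access-list 150 above, converting each wildcard mask to a prefix and evaluating addresses first-match the way the router does. The function names and the test addresses are constructed for illustration; it handles only the "ip <source> any" form used in that section of the ACL.

```python
import ipaddress

# Source-address entries copied from access-list 150 in the post above.
ACL_150 = """\
deny   ip 0.0.0.0 0.255.255.255 any log-input
deny   ip 10.0.0.0 0.255.255.255 any log-input
deny   ip 127.0.0.0 0.255.255.255 any log-input
deny   ip 169.254.0.0 0.0.255.255 any log-input
deny   ip 172.16.0.0 0.15.255.255 any log-input
deny   ip 192.168.0.0 0.0.255.255 any log-input
deny   ip 192.0.2.0 0.0.0.255 any log-input
deny   ip 224.0.0.0 15.255.255.255 any log-input
deny   ip 240.0.0.0 7.255.255.255 any log-input
deny   ip 248.0.0.0 7.255.255.255 any log-input
deny   ip host 255.255.255.255 any log-input
permit ip any any
"""

def parse_source(tokens):
    """Return the source network of one 'action ip <source> any ...' entry."""
    if tokens[2] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[2] == "host":
        return ipaddress.ip_network(tokens[3] + "/32")
    # ip_network() accepts a contiguous wildcard (host) mask after the slash.
    return ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}")

def parse_acl(text):
    """Return the entries in order as (action, source_network)."""
    return [(t[0], parse_source(t)) for t in map(str.split, text.splitlines()) if t]

def evaluate(rules, src):
    """First match wins; an ACL without a match ends in an implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr in net:
            return action, str(net)
    return "deny", "implicit"

def shadowed(rules):
    """Entries that can never match because an earlier entry covers them."""
    return [(str(n), str(e)) for i, (_, n) in enumerate(rules)
            for _, e in rules[:i] if n.subnet_of(e)]

RULES = parse_acl(ACL_150)

if __name__ == "__main__":
    for src in ["10.1.2.3", "172.31.255.255", "172.32.0.1", "8.8.8.8"]:  # constructed
        print(src, *evaluate(RULES, src))
    print("shadowed:", shadowed(RULES))
```

Run against this ACL, the audit reports that the host 255.255.255.255 entry is already covered by the 248.0.0.0 7.255.255.255 entry ahead of it, so its hit counter will stay at zero.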