GroupStudy.com - A virtual community of network engineers
RE: PPTP VPN with ACL posted 01/26/2003


Raymond, Chuck,

Thanks for your replies.

Basically I don't have a problem with blocking access 
from outside network to our and/or customer servers on 
inside and dmz.

This is blocked by the PIX with an ACL applied to the outside interface.
It can be blocked on routers, L3 switches, etc., but my problem
is more general in nature.

How can I control, with some granularity, the access given
to VPDN clients to the inside and DMZ networks?

Let's assume that the CEO has a super-duper notebook with Micro$hrot
SQL server. He is browsing the Internet all day with his wireless
DSL access point. He is obviously infected by now.

Now he wants to access the internal Exchange server, so he launches
a VPN client connection.

And immediately, he is infecting all servers on the inside network.

I want to avoid this hypothetical scenario, and apply some 
granular ACL on all VPN connections.

Przemek

On Sat, 2003-01-25 at 22:08, Raymond Jett (rajett) wrote:
> There are other things that you can do to keep the worm away...
> 
> 1) Unplug the internal network from the Internet
> 
> 
> 2) Block traffic destined to UDP port 1434 on screening routers/switches or
> devices near server clusters...........
> 
> 
> VACL config on 5500/6500 -  this drops the CPU load on the
>   MSFC as well.
> 
> 
> set security acl ip WORM deny udp any eq 1433 any
> set security acl ip WORM deny udp any any eq 1433
> set security acl ip WORM deny udp any any eq 1434
> set security acl ip WORM deny udp any eq 1434 any
> set security acl ip WORM permit any
> commit security acl WORM
> set security acl map WORM 
> 
> 
> ****
> 
> 
> ACL for IOS
> 
> 
> access-list 115 deny udp any any eq 1433 log
> access-list 115 deny udp any any eq 1434 log
> access-list 115 permit ip any any
> 
> 
> int 
> ip access-group 115 in
> ip access-group 115 out
> 
> 
> ****
> 3) Go to Microsoft and obtain Service Pack 3 for SQL server, apply it and
> restart the server
> 
> 
> http://www.microsoft.com/sql/downloads/2000/sp3.asp?SD=GN&LN=en-us&gssnb=1
> 
> 
> 4) Purchase and install lots of Cisco H-IDS product to prevent things like
> this from happening again :-)
> 
> 5) Custom signature on your Cisco IDS box
> 
> This is an early stab at one... Keep your eye on cisco.com to see what is
> posted out there for it.
> 
> Tune Signature Parameters  :  CSIDS Signature Wizard 
> ___________________________________________________________________________ 
> 
>  Current Signature: Engine STRING.UDP SIGID 24701 
>            SigName: SQL Slammer 
> ___________________________________________________________________________ 
> 
>   0 - Edit ALL Parameters 
>   1 - AlarmInterval        = 
>   2 - AlarmThrottle        = FireAll 
>   3 - ChokeThreshold       = 
>   4 - Direction            = ToService 
>   5 - FlipAddr             = 
>   6 - LimitSummary         = 
>   7 - MaxInspectLength     = 360 
>   8 - MinHits              = 
>   9 - MinMatchLength       = 
>  10 * RegexString          = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll] 
>  11 - ResetAfterIdle       = 15 
>  12 * ServicePorts         = 1434 
>  13 - SigComment           = 
>  14 - SigName              = SQL Slammer 
>  15 - SigStringInfo        = 
>  16 - ThrottleInterval     = 15 
>  17 - WantFrag             = 
> 
> Raymond
> 
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Chuck Church
> Sent: Saturday, January 25, 2003 8:59 PM
> To: Przemyslaw Karwasiecki; security@groupstudy.com
> Subject: Re: PPTP VPN with ACL
> 
> 
> Przemek,
> 
>     I don't know anything about this virus, but if you're trying to keep
> your VPN clients away from the SQL server, why not put some bogus host
> routes or arp entries on the SQL server?  Make it so that it can't reach the
> VPN clients.  Or else maybe an ACL on inside interface blocking UDP from the
> server to the VPN clients.  Use your imagination.  Does your SQL vendor have
> a fix?
> 
> Chuck Church
> CCIE #8776, MCNE, MCSE
> 
> 
> ----- Original Message -----
> From: "Przemyslaw Karwasiecki" <karwas@bellsouth.net>
> To: <security@groupstudy.com>
> Sent: Saturday, January 25, 2003 9:18 PM
> Subject: PPTP VPN with ACL
> 
> 
> > Hello,
> >
> > I am desperately looking for help with PPTP VPN config.
> >
> > With all this W32.SQL worm in the wild, I have just realized that if 
> > any Windows machine initiating a PPTP VPN connection to our PIX is 
> > infected, it will infect any machines on our inside network.
> >
> > So I had to shut down the VPN, and I am under pressure to re-enable it, 
> > but I don't know how to apply an ACL to connections initiated via PPTP 
> > VPN.
> >
> > I am using ip local pool vpn_clients x.x.x.64-x.x.x.127,
> > and x.x.x.0/24 is actually the same network as on inside interface.
> >
> > Basically, what I am trying to accomplish is to build ACL like this
> >
> > access-list vpn_acl deny udp x.x.x.64 255.255.255.192 any eq 1434 
> > access-list vpn_acl permit ip any any
> >
> > and somehow apply it to all PPTP connections,
> > like with this imaginary command:
> >
> > access-group vpn_acl in vpdn group 1
> >
> > Is it wishful thinking, or can I do it somehow?
> >
> > Thanks,
> >
> > Przemek
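To make the two filtering ideas in this thread concrete, the block below is an added example (not code from any of the posters) that parses `access-list` lines in the style quoted above and evaluates constructed packets against them, and that applies the Cisco IDS string signature from Raymond's mail to a UDP payload. It assumes the PIX-style ACL (as in Przemek's `vpn_acl`) carries a real subnet mask while the IOS-style ACL (as in Raymond's `access-list 115`) carries a wildcard mask; the `wildcard_masks` flag selects between them. The addresses `10.0.0.0/24` and the pool `10.0.0.64-127` stand in for the `x.x.x.*` values in the thread and are constructed; the signature regex, service port and `MaxInspectLength` are taken from the signature listing on the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool


def _parse_addr(tokens: List[str], wildcard_masks: bool):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard_masks:
        # IOS wildcard: 0 bits must match, 1 bits are don't-care -> invert to a netmask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def _parse_port(tokens: List[str]):
    """Consume an optional 'eq N'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text: str, wildcard_masks: bool = True) -> List[Rule]:
    """Parse 'access-list NAME action proto SRC [eq P] DST [eq P] [log]' lines."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                      # skip blank lines, comments, other commands
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, rest = _parse_addr(rest, wildcard_masks)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest, wildcard_masks)
        dport, rest = _parse_port(rest)
        rules.append(Rule(action, proto, src, sport, dst, dport, "log" in rest))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First match wins; no match falls through to the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in r.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in r.dst:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r
    return "deny", None


# Signature parameters copied from the CSIDS listing in the thread
SLAMMER_REGEX = re.compile(rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]", re.DOTALL)
SLAMMER_SERVICE_PORT = 1434
SLAMMER_MAX_INSPECT = 360


def signature_hit(pkt: Packet, payload: bytes) -> bool:
    """STRING.UDP, Direction=ToService: only UDP to the service port is inspected."""
    if pkt.proto != "udp" or pkt.dport != SLAMMER_SERVICE_PORT:
        return False
    return SLAMMER_REGEX.search(payload[:SLAMMER_MAX_INSPECT]) is not None


# Constructed ACLs mirroring the thread, with 10.0.0.0/24 standing in for x.x.x.0/24
VPN_ACL = """access-list vpn_acl deny udp 10.0.0.64 255.255.255.192 any eq 1434
access-list vpn_acl permit ip any any"""

WORM_ACL = """access-list 115 deny udp any any eq 1433 log
access-list 115 deny udp any any eq 1434 log
access-list 115 permit ip any any"""

if __name__ == "__main__":
    vpn_rules = parse_acl(VPN_ACL, wildcard_masks=False)   # PIX: subnet masks
    worm_rules = parse_acl(WORM_ACL)                         # IOS: wildcard masks
    vpn_client_to_sql = Packet("udp", "10.0.0.70", "10.0.0.5", 1200, 1434)
    print("vpn_acl:", evaluate(vpn_rules, vpn_client_to_sql)[0])
    print("acl 115:", evaluate(worm_rules, vpn_client_to_sql)[0])
```

The `vpn_acl` rule only constrains the pool `10.0.0.64/26`, so an inside host sending to UDP 1434 is still permitted by it, while `access-list 115` denies that traffic from any source; `evaluate` returns the matching rule so a caller can honour its `log` keyword. Note that the parser only understands the `eq` port operator and the address forms that appear on the page.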