DHCP WAN vs. CBAC hardening

I'm setting up my router using the Cisco cable modem card. It was all working fine until I started hardening the router. In particular, I set up CBAC and set the incoming interface to deny all IP requests. Since the cable provider uses DHCP to provision addresses, I'm suspecting that I'm blocking replies from the DHCP server. Anyone run into something similar and have a secure solution?

Thanks,

Greg

Giuseppe Larosa Mon, 08/25/2008 - 13:05

Hello Greg,

DNS requests use UDP port 53.

You may need to enable UDP protocol inspection.

With UDP inspection configured, replies will only be permitted back in through the firewall if they are received within a configurable time after the last request was sent out. (This time is configured with the ip inspect udp idle-time command.)

But the DHCP request is generated on the wan interface itself not on the private interface (protected network) so you may need an inbound extended ACL with two statements to permit incoming DHCP traffic and deny everything else.

Temporary openings will be made by CBAC for return traffic to the protected network.

Hope to help

Giuseppe

Thanks Giuseppe, that's what I was suspecting. Since the packets are originating on the WAN side, I couldn't figure out how to have the rules be safe. The DHCP packets are broadcasts and without CBAC, it isn't clear how to relate what comes in to what went out. What are the two rules you had in mind?

Thanks,

Greg

Giuseppe Larosa Wed, 08/27/2008 - 08:48

Hello Greg,

I was thinking of an extended ACL to be applied inbound on the WAN interface made of three statements:

access-list 161 remark DHCP server replies (UDP 67 -> 68) for the WAN address lease
access-list 161 permit udp any eq bootps any eq bootpc
access-list 161 deny tcp any any
access-list 161 deny udp any any

I understand that this is not the best from a security point of view, but you need to get a public IP address on the WAN interface: without it your router is isolated.

I would try this to see if it allows you to get an IP address and still protects the private network from TCP and UDP flows started from the outside world.

Hope to help

Giuseppe
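The complete WAN-side configuration the thread describes, as an added example that is not from either poster: the inspection rule name FW-OUT, ACL 161, the interface names and the LAN address are assumptions, and the permit entry is narrowed to DHCP server-to-client ports because CBAC only opens return holes for traffic it saw leave the protected network, never for the router's own DHCP exchange.

```ios
! Constructed example: FW-OUT, ACL 161 and the interface names are assumed
! CBAC inspection for sessions leaving the protected LAN; return traffic
! gets a temporary opening in ACL 161 while the session is active
ip inspect udp idle-time 30
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
!
! Inbound WAN ACL: the router's own DHCP request is not inspected by CBAC,
! so the server's reply (UDP bootps 67 -> bootpc 68) needs a static permit;
! "any" as destination covers both broadcast offers and unicast renewals
access-list 161 remark DHCP server -> client replies for the WAN lease
access-list 161 permit udp any eq bootps any eq bootpc
access-list 161 remark explicit logged denies so unsolicited inbound shows in syslog
access-list 161 deny tcp any any log
access-list 161 deny udp any any log
access-list 161 deny ip any any log
!
interface FastEthernet0/0
 description cable modem (untrusted)
 ip address dhcp
 ip access-group 161 in
 ip inspect FW-OUT out
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 description LAN (protected)
 ip address 192.168.1.1 255.255.255.0
```

After the lease is acquired, show dhcp lease confirms the WAN address, show access-lists 161 shows hit counts on the permit and deny entries, and show ip inspect sessions lists the return openings CBAC is currently holding.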
