ACL for ISP use, protecting network and customers

Unanswered Question
Jul 6th, 2009

Hi

I have a small ISP network.

Lately I have had some problems with clients having viruses and worms.

This causes a lot of "problem" traffic on the networks.

What I do is log the traffic with Wireshark, and inform the clients which seem infected.

But maybe I should do more.

All clients have official IPs.

In the ACLs protecting them there is not much, only ports 135-139 and 445 (Windows file sharing) are filtered.

What more should be filtered in ACLs for this kind of use do you think?

Collin Clark Mon, 07/06/2009 - 05:39

I don't think an ISP should block any ports. If you're having problems with your customers using too much bandwidth you could either police/rate limit or use a scavenger class.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoSDesign.html#wp998954

If you really want to use an ACL, here is a good starting point.

https://packetpros.com/cisco_kb/DIACAP_ACL.html

Hope that helps.

Danilo Dy Mon, 07/06/2009 - 06:07

For an ISP, it is NOT advisable to filter ports in the Core Routers and Distribution Switches.

Your customers should have the following in place:

- Firewall connecting their network to your infra. Required

- AntiVirus in their system (All Windows Systems). Recommended

If you want to protect your customers against Virus/Trojans, you can implement an appliance type AntiVirus that you can position between your customers connection to your infra. You can charge them extra :)

Following are providers of AntiVirus appliances:

- FortiGate

- McAfee

- Symantec

perpaal Tue, 07/07/2009 - 01:08

You are right, all should be open.

But lately I get what seems like broadcast storms spreading through the VLANs.

See attached PNG screens from Wireshark.

The network is segmented in subnets with 25bit mask.

A Cisco 3560 is used as the core router, the rest of the network is L2, segmented in VLANs.

The (mostly) UDP and ICMP packets like those in the screenshots are being broadcast.

They can originate from an external IP or an internal IP on another VLAN, and are still broadcast all over.

Is there an error in my network configuration which makes the network vulnerable to this kind of traffic?

The traffic appears suddenly, and lasts for 20 sec to 5 min. About 2 to 5 times a day. But it causes big problems.

I'm pretty certain the traffic originates from virus infected hosts.

Any good solutions?

Danilo Dy Tue, 07/07/2009 - 01:18

I agree with you. Filtering it with an ACL on the interface should be a workaround for now while you plan a permanent solution.

Because doing it manually is unproductive. This will keep coming back even if the customer hosts are cleaned.

I recommend doing the following:

1. [SHORT TERM WORKAROUND] Filter them with an ACL on the interface.

2. Ask the customers to clean up their hosts and install AntiVirus. This should have been done in the first place, especially if using Windows. You can try this free online virus scanner if your customers can't afford to purchase AntiVirus http://housecall.trendmicro.com and http://www.safer-networking.org/en/spybotsd/index.html

3. Plan for installing a firewall per segment or to serve multiple segments to save cost.

perpaal Tue, 07/07/2009 - 05:12

I have noticed that all the packets that flood our network have a multicast MAC address, 01:00:5e:xx:xx:xx

This is referred to as Internet reserved by IANA, Internet Multicast.

Is this something that should be able to pass through my network, or should I filter it out?
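As an added illustration (not code from the thread, Cisco, or any poster), the following Python maps an IPv4 multicast group to the 01:00:5e MAC the post mentions (RFC 1112: the low 23 bits of the group address fill the MAC), recognises that MAC range, and then runs a simple per-source rate check over a capture to find which hosts are generating the sudden UDP/ICMP multicast floods described earlier in the thread. The capture records, the addresses (RFC 5737 documentation ranges) and the 200 packets/second threshold are all constructed assumptions for the example; a real run would read the same fields from a Wireshark CSV export.

```python
# Added example, not from the thread: IPv4 multicast <-> MAC mapping and a
# per-source flood check over constructed capture records.
from collections import defaultdict
import ipaddress

# OUI shared by all IPv4 multicast MAC addresses (RFC 1112)
MCAST_OUI = (0x01, 0x00, 0x5E)


def ipv4_multicast_mac(group: str) -> str:
    """Return the 01:00:5e:xx:xx:xx MAC for an IPv4 multicast group.

    Only the low 23 bits of the group address are carried in the MAC, so
    32 different groups share each MAC (ambiguity that matters for MAC ACLs).
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def is_ipv4_multicast_mac(mac: str) -> bool:
    """True for 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff (the IPv4 half of the OUI)."""
    octets = [int(x, 16) for x in mac.split(":")]
    return len(octets) == 6 and tuple(octets[:3]) == MCAST_OUI and octets[3] < 0x80


def find_multicast_floods(records, window_s=1.0, threshold=200):
    """Report sources sending >= threshold multicast-destined packets in any
    sliding window of window_s seconds.  Each record is a constructed tuple:
    (timestamp, src_ip, dst_ip, dst_mac, protocol)."""
    by_src = defaultdict(list)
    for ts, src_ip, _dst_ip, dst_mac, _proto in records:
        if is_ipv4_multicast_mac(dst_mac):
            by_src[src_ip].append(ts)

    floods = {}
    for src, times in by_src.items():
        times.sort()
        oldest = 0
        peak = 0
        for i, t in enumerate(times):
            # slide the window start forward until it is within window_s of t
            while times[oldest] < t - window_s:
                oldest += 1
            peak = max(peak, i - oldest + 1)
        if peak >= threshold:
            floods[src] = peak
    return floods


def build_sample_capture():
    """Constructed sample, not a real capture: two flooding sources (one
    customer host, one external) and one well-behaved host doing mDNS."""
    records = []
    # infected customer host: 300 UDP packets to one group within 0.3 s
    for i in range(300):
        records.append((i * 0.001, "203.0.113.10", "239.1.1.1",
                        ipv4_multicast_mac("239.1.1.1"), "UDP"))
    # ordinary host: five mDNS queries spread over 10 s
    for i in range(5):
        records.append((2.0 * i, "203.0.113.20", "224.0.0.251",
                        ipv4_multicast_mac("224.0.0.251"), "UDP"))
    # external source: 250 ICMP packets to the all-hosts group within 0.25 s
    for i in range(250):
        records.append((5.0 + i * 0.001, "198.51.100.7", "224.0.0.1",
                        ipv4_multicast_mac("224.0.0.1"), "ICMP"))
    return records


if __name__ == "__main__":
    for src, peak in sorted(find_multicast_floods(build_sample_capture()).items()):
        print(f"{src}: peak {peak} multicast packets in a 1 s window")
```

The well-behaved mDNS host never trips the threshold, while both the customer host and the external source do, which is the distinction a per-interface filter or policer needs to make: the fix should hit the sources that flood, not multicast as such. The 23-bit mapping also explains why a MAC ACL is a coarse tool here, since 239.1.1.1 and 239.129.1.1 land on the same MAC.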

Collin Clark Tue, 07/07/2009 - 05:20

If your clients are using it, then you should allow it. Personally I would err to the side of allowing everything. You could block it and see who screams, but as a customer I would not be too happy about that.

Collin Clark Tue, 07/07/2009 - 05:24

We provide data center facilities for other companies. One of things I proposed was that we offer a 'secure' connection to customers. Basically there is a firewall in place that we manage. We work with the customer to allow the ports needed and block everything else. This is good for clients that don't have the knowledge or the resources to own and manage security devices. Plus it puts extra revenue into your business.

perpaal Tue, 07/07/2009 - 06:21

What would be the best way to filter multicast like this?

Use a mac ACL and vlan access-map?

huangedmc Tue, 07/07/2009 - 21:11

Since you're the ISP, you should have the ability to shape or police the link at the edge, so that an infected client site doesn't affect you much. (I think someone may have already suggested it)

Another thing you can do is implement private VLANs to isolate customers from each other.

perpaal Tue, 07/07/2009 - 22:52

Each client is rate limited.

Trouble is the multicast packets create what is similar to a broadcast storm on the network.

Doing some lab tests last night I found that the interface command "switchport block unicast" and "switchport block multicast" filters out these packets.

So I might not need to implement ACLs for this purpose.

Will be implementing this in a couple of production 3560G48 switches today, and see how it runs.

Thank you all for helping me out with tips, regards.

Mohamed Sobair Wed, 07/08/2009 - 07:37

Hi,

The advisable approach to protect your network and the customer network is to deploy an intrusion prevention system. On the other hand, you would definitely have a firewall to protect your own services.

This, plus having each customer with their own firewall as well.

Implementing Intrusion prevention System allows you to have the following:

1- Protocol Validation.

2- Firewall rules.

3- Validate Application Signatures.

HTH

Mohamed
