ACL for ISP use, protecting network and customers

Unanswered Question
Jul 6th, 2009
User Badges:

Hi


I have a small ISP network.


Lately I have had some problems with clients having viruses and worms.

This causes a lot of "problem" traffic on the networks.


What I do is log the traffic with Wireshark, and inform the clients witch seems infected.


But maybe I should do more.

All clients have official IPs.

In the ACLs protecting them there is not much, only port 135-139 and 445 (windows file sharing) are filtered.


What more should be filtered in ACLs for this kind of use do you think?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (6 ratings)
Loading.
Collin Clark Mon, 07/06/2009 - 05:39
User Badges:
  • Purple, 4500 points or more

I don't think an ISP should block any ports. If you're having problems with your customers using too much bandwidth you could either police/rate limit or use a scavenger class.


http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoSDesign.html#wp998954


If you really want to use an ACL, here is a good starting point.


https://packetpros.com/cisco_kb/DIACAP_ACL.html


Hope that helps.

Danilo Dy Mon, 07/06/2009 - 06:07
User Badges:
  • Blue, 1500 points or more

For an ISP, it is NOT advisable to filter ports in the Core Routers and Distribution Switches.


Your customers should have the following in place;

- Firewall connecting their network to your infra. Required

- AntiVirus in their system (All Windows Systems). Recommended


If you want to protect your customers against Virus/Trojans, you can implement an appliance type AntiVirus that you can position between your customers connection to your infra. You can charge them extra :)


Following are providers of AntiVirus Appliance;

- FortiGate

- McAfee

- Symantec

perpaal Tue, 07/07/2009 - 01:08
User Badges:

You are right, all should be open.


But lately I get what seems like broadcast storms spreading through the VLANs.


See attached PNG screens from Wireshark.


The network is segmented in subnets with 25bit mask.


A Cisco 3560 is uses as core router, the rest of the network is L2, segmented in VLANs.


The (mostly) UDP and ICMP packets like in the screen shots is being broadcast.

They can originate for external IP or internal IP on another VLAN, and still being broadcast all over.


Is there an error in my network configuration witch makes the network vulnerable to this kind of traffic?


The traffic appears suddenly, and lasts for 20sek to 5min. About 2 to 5 times a day. But it makes big problems.


I`m pretty certain the traffic originates from virus infected hosts.


Any good solutions?



Attachment: 
Danilo Dy Tue, 07/07/2009 - 01:18
User Badges:
  • Blue, 1500 points or more

I agree with you. Filtering it with ACL in the interface should be a workaround for a while and plan for a permanent solution.


Because doing it manually is unproductive. This will keep coming back even if the customer hosts are cleaned.


I recommend to do the following;

1. [SHORT TERM WORKAROUND] Filter them with ACL in the interface.

2. Ask the customers to cleanup their hosts and install AntiVirus. Which should be done in the first place specially if using Windows. You can try this free online virus scanner if your customers can't afford to purchase AntiVirus http://housecall.trendmicro.com and http://www.safer-networking.org/en/spybotsd/index.html

3. Plan for installing a firewall per segment or to serve multiple segments to save cost.

perpaal Tue, 07/07/2009 - 05:12
User Badges:

I have noticed that all the packages that flood our network have a multicast mac address, 01:00:5e:xx:xx:xx


This is referred to as Internet reserved by IANA, Internet Multicast.


Is this something that should be able to pass through my network, or should I filter it out?

Collin Clark Tue, 07/07/2009 - 05:20
User Badges:
  • Purple, 4500 points or more

If your clients are using it, then you should allow it. Personally I would err to the side of allowing everything. You could block it and see who screams, but as a customer I would not be too happy about that.

Collin Clark Tue, 07/07/2009 - 05:24
User Badges:
  • Purple, 4500 points or more

We provide data center facilities for other companies. One of things I proposed was that we offer a 'secure' connection to customers. Basically there is a firewall in place that we manage. We work with the customer to allow the ports needed and block everything else. This is good for clients that don't have the knowledge or the resources to own and manage security devices. Plus it puts extra revenue into your business.

perpaal Tue, 07/07/2009 - 06:21
User Badges:

What would be the best way to filter multicast like this?


Use a mac ACL and vlan access-map?

huangedmc Tue, 07/07/2009 - 21:11
User Badges:

Since you're the ISP, you should have the ability to shape or police the link at the edge, so that an infected client site doesn't affect you much. (think someone may have already suggested it)


Another thing you can do is implement private vlan's to isolate customers from each other.


perpaal Tue, 07/07/2009 - 22:52
User Badges:

Each client is rate limited.


Trouble is the multicast packets create what is similar to a broadcast storm on the network.


Doing some lab tests last night I found that the interface command "switchport block unicast" and "switchport block multicast" filters out these packets.


So I might not need to implement ACLs for this purpose.


Will be implementing this in a couple of production 3560G48 switches today, and see how it runs.


Thank you all for helping me out with tips, regards.

Mohamed Sobair Wed, 07/08/2009 - 07:37
User Badges:
  • Gold, 750 points or more

Hi,


The advisable approach to protect your Network and the customer Network is to deploy Intrusion prevention sytem. On the other hand you would definetely have Firewall to protect your own Services.


This plus having each customer with his own Firwall as well.


Implementing Intrusion prevention System allows you to have the following:


1- Protocol Validation.

2- Firewall rules.

3- Validate Application Signatures.



HTH

Mohamed

Actions

This Discussion