internet router access-list

Unanswered Question
Dec 26th, 2005

Dear All,


We have a WAN network. Now each branch office is directly connected to a local ISP from a new 3Com router. Can anybody please tell me:


What are the minimum access-lists needed to block possible things on the router?



Thanks in advance.


Regards

Nataraj

arvindchari Mon, 12/26/2005 - 23:01

Hi Nataraj


This is highly subjective and varies from site to site. You will need to determine why exactly your offices are connected, i.e., file sharing, remote access to an SQL server, etc.


Determine the ports and protocols that are in use by those specific applications. Use extended access lists to specifically permit only those IP subnets and ports.


New applications will require you to modify the access list periodically.


This would provide the basic security you require.


Hope it works out!


Example access list to permit HTTP traffic:

access-list 101 permit tcp any any eq 80

This creates an access list named 101 which permits the IP protocol from any IP to any IP where the port number equals 80 (HTTP).


Don't forget that there is an implicit deny at the end of each list! :)


Good luck!



balajitvk Mon, 12/26/2005 - 23:08

The minimum access-list to protect a network depends upon your needs, i.e., which services you want to allow and block. But we can use this to protect from general virus attacks up to a certain level.


ip access-list extended VIRUS_TRAFFIC_TO_DROP_etth
 deny 53 any any
 deny 55 any any
 deny 77 any any
 deny tcp any any eq ident
 deny tcp any any eq 135
 deny tcp any any range 137 139
 deny tcp any any eq 445
 deny tcp any any eq 1023
 deny tcp any any eq 1025
 deny tcp any any eq 1214
 deny tcp any any eq 1433
 deny tcp any any eq 1434
 deny tcp any any eq 3127
 deny tcp any any eq 1981
 deny tcp any any eq 2745
 deny tcp any any range 3127 3199
 deny tcp any any eq 4444
 deny tcp any any eq 4899
 deny tcp any any eq 5000
 deny tcp any any eq 5554
 deny tcp any any eq 6129
 deny tcp any any eq 9898
 deny tcp any any eq 9996
 deny udp any any eq 135
 deny udp any any range netbios-ns netbios-ss
 deny udp any any eq 445
 deny udp any any eq 1023
 deny udp any any eq 1433
 deny udp any any eq 1434
 deny udp any any range 3127 3199
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any time-exceeded
 permit udp any eq bootpc any eq bootps
 permit ip any any



If you are using this, ensure it doesn't affect any of your intended services.

tcordier Tue, 12/27/2005 - 05:36

Hi Nataraj,


the best approach from a security point of view is to look at it from the other side: you should deny everything except the ports and IP addresses you really need to permit. You can check with your business and users what applications (IP addresses and ports) they need, and permit these, and deny the rest. If you have no or only an incomplete idea of what is needed, you can deny everything, and log what has been blocked, by using e.g.


access-list 101 deny ip any any log


as the last entry in your access list. Then you can check the router log and explicitly select those applications and flows which are needed. Again, your focus should not be on what to deny, but on what to permit.


HTH, Thomas
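
As an added example (not from the thread), here is a small Python script that does the review step Thomas describes: it parses the lines a final `deny ip any any log` entry writes to the router log, totals the blocked flows per protocol and destination port, and drafts explicit permit entries for the ones seen often enough to be worth reviewing. The log lines are constructed in the %SEC-6-IPACCESSLOGP shape IOS uses for logged TCP/UDP matches (an assumption; confirm the exact format on your own release), and the branch LAN 192.168.10.0/24 and the remote addresses are made up.

```python
"""Turn the router log produced by a final `deny ip any any log` entry into a
review list of blocked flows. Added example, not from the thread: the log lines
are constructed in the %SEC-6-IPACCESSLOGP shape IOS uses for logged TCP/UDP
hits (assumption; check the exact format on your own IOS release)."""
import re
from collections import Counter, defaultdict

# Constructed sample log (LAN 192.168.10.0/24 and remote hosts are made up).
SAMPLE_LOG = """\
Dec 27 09:14:02.113: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.5(51234) -> 203.0.113.10(443), 1 packet
Dec 27 09:14:05.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.5(51235) -> 203.0.113.10(443), 3 packets
Dec 27 09:14:07.901: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.10.5(40011) -> 198.51.100.53(53), 2 packets
Dec 27 09:14:09.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.22(51300) -> 203.0.113.44(80), 6 packets
Dec 27 09:14:11.550: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.22(51301) -> 203.0.113.44(80), 2 packets
Dec 27 09:14:15.777: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.10.9(51400) -> 198.51.100.200(6667), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")


def parse_log(text):
    """One dict per recognised ACL log line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries, acl="101"):
    """Packets per (protocol, destination port) denied by `acl`, plus the sources seen."""
    totals, sources = Counter(), defaultdict(set)
    for e in entries:
        if e["acl"] != acl or e["action"] != "denied":
            continue
        key = (e["proto"], int(e["dport"]))
        totals[key] += int(e["count"])
        sources[key].add(e["src"])
    return totals, sources


def candidate_permits(totals, acl="101", lan="192.168.10.0 0.0.0.255", min_packets=2):
    """Draft explicit permit entries for flows seen at least `min_packets` times,
    scoped to the branch LAN (wildcard assumed). Rarer flows stay denied until
    someone can say what they are."""
    return [f"access-list {acl} permit {proto} {lan} any eq {dport}"
            for (proto, dport), n in totals.most_common() if n >= min_packets]


if __name__ == "__main__":
    totals, sources = summarize(parse_log(SAMPLE_LOG))
    for (proto, dport), n in totals.most_common():
        print(f"{proto}/{dport}: {n} packets from {sorted(sources[(proto, dport)])}")
    print("\n".join(candidate_permits(totals)))
```

Run as a script it prints the per-port totals and the draft entries. The single connection to TCP 6667 stays below the threshold, which is the point of the exercise: the output is a list of things to ask the business about, not a list to paste into the router.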

nataraj_v Tue, 12/27/2005 - 21:07

Dear All,


Thank you very much for your replies.


Now I'll elaborate a bit more on my setup.


We have a WAN network. Now each location contains 2 routers: one router is connected to the WAN and the other is connected to the Internet (local ISP). The WAN router is already configured.


On this Internet router only Internet traffic goes, nothing else. Now please guide me further.


As one of you suggested blocking well-known virus ports, in the same way I want to put anti-spoofing rules also.


waiting for your replies.



Thanks in advance



Regards

nataraj

Georg Pauwen Tue, 12/27/2005 - 23:02

Hello Nataraj,


the minimum ports you need to have for Internet access are 80 (www), 443 (SSL), and 53 (domain, or DNS, for name resolution). If you want to allow FTP access as well, you would also need to allow port 21.

In addition, you can configure 'ip verify unicast reverse-path' on the interface connecting to the Internet, which basically is a security measure that checks the source IP address of packets received inbound on the interface to see if the interface is the interface that would normally be used by the router to route packets to the source IP.

So, putting this all together, your config would look like this:


ip cef
!
interface Serial0/0
 ip verify unicast reverse-path
 ip access-group 101 in
!
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp


Depending on the IOS version you are running, you could also configure Network-Based Application Recognition (NBAR) and block certain URLs. Check if your router supports this configuration (this is from CCO and blocks Code Red):


Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Router(config-cmap)#match protocol http url "*readme.eml*"

Router(config)#policy-map mark-inbound-http-hacks
Router(config-pmap)#class http-hacks
Router(config-pmap-c)#set ip dscp 1

Router(config)#interface serial 0/0
Router(config-if)#service-policy input mark-inbound-http-hacks

Router(config)#access-list 101 deny ip any any dscp 1


So, including the code red block, your config would look like this:


ip cef
!
interface Serial0/0
 ip verify unicast reverse-path
 ip access-group 101 in
 service-policy input mark-inbound-http-hacks
!
class-map match-any http-hacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
access-list 101 deny ip any any dscp 1
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp


I hope this doesn't get too messy, but give it a try.


Regards,


GP
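
To show what `ip verify unicast reverse-path` actually decides, here is an added Python model of the strict-mode check (my example, not Cisco's implementation): a constructed FIB with longest-prefix match, and the test that the best route back to a packet's source leaves through the interface the packet arrived on. The interface names, the LAN prefix 192.168.10.0/24 and the three sample sources are assumptions. Whether the default route may satisfy the check is a platform setting (the `allow-default` keyword of the newer `ip verify unicast source reachable-via rx` form), so the model takes it as a parameter rather than guessing the behaviour of a given IOS release.

```python
"""Strict unicast RPF, modelled in Python. Added example, not Cisco code: a
constructed FIB with longest-prefix match and the check that strict uRPF
performs, namely that the best route back to a packet's source address leaves
through the interface the packet arrived on."""
import ipaddress

# Constructed FIB for a branch Internet router: the LAN behind FastEthernet0/0
# and a default route towards the ISP on Serial0/0 (names assumed).
FIB = [
    ("192.168.10.0/24", "FastEthernet0/0"),
    ("0.0.0.0/0", "Serial0/0"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_passes(fib, ingress, src, allow_default=False):
    """Strict-mode verdict for a packet from `src` received on `ingress`.
    `allow_default` models whether the default route may satisfy the check."""
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def checks(allow_default):
    """Verdicts for three constructed sources arriving from the ISP on Serial0/0:
    a source claiming to be on the LAN, a normal Internet host, and an RFC 1918
    address that no internal route covers."""
    return {src: urpf_strict_passes(FIB, "Serial0/0", src, allow_default)
            for src in ("192.168.10.5", "198.51.100.7", "10.9.9.9")}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"allow_default={flag}: {checks(flag)}")
```

With the default route excluded, every source arriving from the ISP fails, so an edge router that carries only a default route needs that setting on. With it on, a packet claiming a LAN source (192.168.10.5) is dropped because the route to it points at FastEthernet0/0, but a packet claiming 10.9.9.9 passes, since the only route back to it is the default out Serial0/0. That is why explicit denies for private source ranges in the access list still earn their place next to uRPF.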

nataraj_v Thu, 12/29/2005 - 00:52

Thanks GP. Along with this, if I want to implement anti-spoofing rules, what are the access-lists for them?


I'm sorry; actually I'm a firewall admin and IDS engineer and haven't worked much on routers. That's why I'm asking.


thanks in advance



regards

nataraj

Georg Pauwen Thu, 12/29/2005 - 05:36

Hello Nataraj,


for anti-spoofing, you would deny what are called private space addresses, in addition to the Microsoft Loopback address space of 169.254.0.0/16.

You can add this to your access list, the access list would then look like this:


access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp


HTH,


GP
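
Added example, not code from the thread or from Cisco: a small Python evaluator for the extended-ACL syntax used in the replies above, run over constructed packets. It shows three things from the thread at once. First, arvindchari's point that a packet matching no entry falls through to the implicit deny. Second, that balajitvk's named-list entries parse the same way as numbered ones. Third, how GP's list 101 behaves when applied `in` on the Internet-facing interface (Serial0/0 in his config): its permits are written against destination ports, so they match sessions opened from the Internet towards the branch, while the replies to the branch's own web and DNS sessions arrive on ephemeral destination ports and fall through to the implicit deny. List 102 is an assumed variant, not from the thread, that keeps the same anti-spoofing denies but permits replies with the `established` keyword and a source-port DNS entry. The public address 203.0.113.5 and the remote hosts are constructed.

```python
"""Evaluator for the extended-ACL syntax used in this thread (added example, not
Cisco's code; parser, packet model and sample flows are constructed here).
Entries match top-down, first match wins; no match means the implicit deny."""
import ipaddress
from dataclasses import dataclass

# Port keywords used in the thread's lists (assumed IOS mappings).
PORT_NAMES = {"www": 80, "ftp": 21, "domain": 53, "ident": 113,
              "netbios-ns": 137, "netbios-ss": 139, "bootpc": 68, "bootps": 67}

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set: what `established` matches

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(tokens, i):
    """Consume `any`, `host A` or `A WILDCARD` (contiguous wildcards only)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def _ports(tokens, i):
    """Consume an optional `eq P` or `range A B`; default is every port."""
    if i < len(tokens) and tokens[i] == "eq":
        return (_port(tokens[i + 1]),) * 2, i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Parse numbered (`access-list N ...`) or named-list (`deny tcp ...`) entries."""
    rules = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        src, i = _addr(tokens, 2)
        sports, i = _ports(tokens, i)
        dst, i = _addr(tokens, i)
        dports, i = _ports(tokens, i)
        rules.append({"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst,
                      "sports": sports, "dports": dports,
                      "established": "established" in tokens[i:]})
    return rules

def evaluate(rules, pkt):
    """Return "permit" or "deny" for pkt; no matching entry means the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto) or src not in r["src"] or dst not in r["dst"]:
            continue
        if not (r["sports"][0] <= pkt.sport <= r["sports"][1]
                and r["dports"][0] <= pkt.dport <= r["dports"][1]):
            continue
        if r["established"] and not pkt.ack_or_rst:
            continue
        return r["action"]
    return "deny"

# GP's list as posted, applied `in` on the Internet-facing interface.
ACL_THREAD = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp
"""

# Assumed variant (not from the thread): same anti-spoofing denies, but the
# permits describe replies to sessions the branch itself opened.
ACL_REPLIES = """
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 169.254.0.0 0.0.255.255 any
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any
"""

# Constructed flows arriving from the ISP; 203.0.113.5 stands in for the branch's public address.
FLOWS = {
    "spoofed":     Packet("tcp", "10.1.1.1", "203.0.113.5", 40000, 80),
    "inbound_syn": Packet("tcp", "198.51.100.7", "203.0.113.5", 40000, 80),
    "web_reply":   Packet("tcp", "198.51.100.7", "203.0.113.5", 443, 51000, ack_or_rst=True),
    "dns_reply":   Packet("udp", "198.51.100.53", "203.0.113.5", 53, 40011),
}

def compare():
    """Verdict of list 101 and list 102 for each constructed flow."""
    thread, replies = parse_acl(ACL_THREAD), parse_acl(ACL_REPLIES)
    return {name: (evaluate(thread, p), evaluate(replies, p)) for name, p in FLOWS.items()}

if __name__ == "__main__":
    for name, (v101, v102) in compare().items():
        print(f"{name:12s} 101: {v101:7s} 102: {v102}")
```

Both lists drop the spoofed 10.1.1.1 source on the first entry. List 101 permits a fresh connection from the Internet to port 80 and denies the web and DNS replies; list 102 does the reverse. Which of the two you want depends on what the branch is supposed to offer to the Internet, which is exactly the question Thomas raised about starting from what to permit.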
