3826 Views · 0 Helpful · 3 Replies

RV042 - How to close all ports and leave some specific open

lucianoareal
Level 1

Hello everybody,

Here is the scenario of my network:

- A company with 20 branches in Rio de Janeiro area. The main servers are in a datacenter located in downtown.

Each branch has a RV042 router with firmware version 1.3.12.19-tm (Feb 13 2009 13:03:21) installed.

All users in this network have a proxy configuration pointing to proxy.[blah].com.br port 3128.

The HTTP/HTTPS traffic should go through proxy only.

The network settings for every RV042 are similar:

RV042 LAN IP = 172.16.***.1 /24.

RV042 WAN IP = 192.***.***.*** /30.

Network Setting Status

LAN IP: 172.16.***.1 /24

WAN1 IP: 192.168.***.*** /30               

WAN2 IP: Not used

Mode: Router

DNS(WAN1): 208.67.220.220 / 208.67.222.222 [OpenDNS Service]

DNS(WAN2): Not used

Firewall Setting Status

SPI (Stateful Packet Inspection): On

DoS (Denial of Service): On

Block WAN Request: On

Firewall -> Access Rules Section: Please see below

[Attachment: RV042 Firewall - Access Rules Section.bmp]

The problem:

- Some "smart" users were caught using the Ultrasurf application, which changes the proxy settings to go through port 9666 or even 443.

In other machines, we've found some black proxies [for example: 212.46.27.142 port 8080].

My objective:

- To close all ports in Firewall -> Access Rules section and grant permission only to some selected and specified ports.

- To redirect all HTTP/HTTPS connections to go to proxy's IP address only.

Gentlemen, could you please tell me which Access Rules I can set in these RV042s in order to block these users and prevent them from continuing to abuse this network? Is there anything else I am missing?

P.S.: The users who were caught using Ultrasurf were fired. ;-)

I gladly appreciate your comments.

Thanks in advance,

Luciano

3 Replies

rmanthey
Level 4

hello Luciano,

You might want to try Deny all traffic out, except for the PCs you need to use RDP, and then only allow 80 and 443 to the proxy.[blah].com.br port 3128. This way all web traffic would have to pass through that proxy; otherwise it would be denied.

Or set up an internal proxy and send all traffic to it. Then only let its IP be the only one out to the internet.

Hope that helps.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Hello Randy,

Thanks for your answer. But let me explain the scenario better. In this scenario, all machines in the LAN can use RDP and VNC normally.

I want to block everything else, just to prevent users from trying to use other ports.

> You might want to try Deny all traffic out, except for the PCs you need to use RDP, and then only allow 80 and 443 to the proxy.[blah].com.br port 3128. This way all web traffic would have to pass through that proxy; otherwise it would be denied.

In this network, we use VNC to provide remote IT support to users in these branches.

They use RDP to access some servers in the datacenter.

I think that the rule below line 6 is letting users go and traverse the proxy.

Priority | Policy Name | Enable | Action | Service         | Source Iface | Source | Destination | Time   | Day
*        |             |        | Allow  | All Traffic [1] | LAN          | Any    | Any         | Always |

How can I modify this access rule? It seems it cannot be altered.

Thanks in advance,

Luciano

Luciano,

You are correct, this is a built-in rule. You could modify your ACL for port 80 to be Deny LAN WAN any any after line 6 and block all other traffic, but some smart users might utilize ports 3389, 5800, and 5900 to bypass that rule. The best way to secure it is to only allow specific IPs for 3389, 5800, and 5900.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security
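The point Randy makes across both replies is about rule order: the RV042 evaluates Access Rules by priority, first match wins, and the uneditable "Allow All Traffic LAN -> Any" rule sits at the bottom, so a couple of Deny rules for 80 and 443 still let 9666, 8080 or 3389 fall through to that built-in allow. The following Python model is an added example (not part of the thread and not Cisco's code) that simulates such an ordered, first-match egress list and audits a few constructed flows against a naive rule set and a default-deny one. The branch LAN, proxy and datacenter addresses are assumed placeholders, since the thread masks them; the OpenDNS addresses and the 212.46.27.142:8080 open proxy are taken from the thread.

```python
# Constructed model of an ordered, first-match egress access list such as the
# RV042's Firewall -> Access Rules page. Added example, not Cisco's code; the
# semantics are a simplification (priority order, first match wins, then a
# final built-in "Allow All Traffic LAN -> Any" rule that cannot be edited).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src: str                 # source network, CIDR notation
    dst: str                 # destination network, CIDR notation


BUILT_IN = "built-in: Allow All Traffic LAN -> Any"


def matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True when the flow matches every field of the rule."""
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.dst_port is None or rule.dst_port == dst_port)
            and ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst))


def evaluate(rules: List[Rule], proto: str, src_ip: str,
             dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Walk the list in priority order and return (action, rule name) of the
    first match. If nothing matches, the router's built-in allow-all applies."""
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dst_port):
            return rule.action, rule.name
    return "allow", BUILT_IN


# Assumed addresses (placeholders, not from the thread, which masks them).
LAN = "172.16.10.0/24"                           # one branch LAN
PROXY = "203.0.113.10"                           # proxy.[blah].com.br
DATACENTER = "203.0.113.0/24"                    # servers reached over RDP
OPENDNS = ["208.67.220.220", "208.67.222.222"]   # WAN DNS from the thread
ANY = "0.0.0.0/0"

# Naive attempt: deny direct 80/443 only. Every other port still falls
# through to the built-in allow at the bottom of the list.
NAIVE = [
    Rule("deny direct http", "deny", "tcp", 80, LAN, ANY),
    Rule("deny direct https", "deny", "tcp", 443, LAN, ANY),
]

# Default-deny egress: explicit allows for the flows the business needs,
# then a deny-all placed above the built-in rule so it is never reached.
# The DNS rules assume clients resolve directly against OpenDNS; if they
# use the router as resolver, those two rules are unnecessary.
HARDENED = [
    Rule("allow proxy", "allow", "tcp", 3128, LAN, PROXY + "/32"),
    Rule("allow rdp to datacenter", "allow", "tcp", 3389, LAN, DATACENTER),
    *[Rule(f"allow dns {d}", "allow", "udp", 53, LAN, d + "/32") for d in OPENDNS],
    Rule("deny all other egress", "deny", "any", None, LAN, ANY),
]

# Constructed test flows: (label, proto, src, dst, dport).
FLOWS = [
    ("browser via proxy", "tcp", "172.16.10.25", PROXY, 3128),
    ("rdp to datacenter", "tcp", "172.16.10.25", "203.0.113.50", 3389),
    ("ultrasurf on 9666", "tcp", "172.16.10.25", "198.51.100.7", 9666),
    ("ultrasurf on 443", "tcp", "172.16.10.25", "198.51.100.7", 443),
    ("open proxy from thread", "tcp", "172.16.10.25", "212.46.27.142", 8080),
    ("rdp to arbitrary host", "tcp", "172.16.10.25", "198.51.100.7", 3389),
]


def audit(rules: List[Rule]) -> dict:
    """Return {flow label: action} for each test flow under the given list."""
    return {label: evaluate(rules, p, s, d, port)[0]
            for label, p, s, d, port in FLOWS}


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("hardened", HARDENED)):
        print(name)
        for label, action in audit(rules).items():
            print(f"  {action:5}  {label}")
```

Running it shows the naive list still allowing the 9666 flow, the 8080 open proxy and RDP to an arbitrary host (all via the built-in rule), while the hardened list allows only the proxy and datacenter flows. Restricting the RDP allow to the datacenter network, rather than Any, is what closes the 3389 bypass Randy describes; the same applies to 5800/5900 if VNC sessions need to leave the LAN.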