Border Router ACL and Good Practices

mhcraig (Level 1)

Admittedly my question is not only subjective but your answers may also differ based on your specific network's use... but here goes:

In the past our network has just relied on the IP Firewall Feature Set of Cisco IOS. We now have a PIX 515e pair that will be providing us with security, located just behind the border routers. Now that we are going to be using the PIX pair, I would imagine we can safely reduce the number of ACL entries on the routers.

Web hosting and server hosting is primarily what we do - http, smtp, pop3, dns and a few others are pretty much all we need. Unfortunately our current ACL has some specific entries related to clients' servers, etc., so it isn't as easy as just allowing a handful of ports and denying everything else. I think we are probably going to need to deny a handful of protocols/IP blocks and allow everything else in (and then let the PIX pair do their work).

What services should I explicitly block by default? What net blocks such as 10.0.0.0, 172.16.0.0, 192.168.0.0 should I block? How about Unicast Reverse Path Forwarding (we will be running BGP so I guess I'll need loose mode)? Denying our own block(s) back in.... Any other "obvious" items I should address?

I'm so used to the main external interface on these routers having a heavy ACL applied to them that it is a strange concept opening them up. I could obviously just keep my existing ACL for a while but I'd rather let the PIXs do that work. Thanks for any advice,

Hutch

4 Replies

pkhatri (Level 11)

Hi Hutch,

A great starting point is the Secure IOS Template produced by the maintainers of the BOGONs list:

http://www.cymru.com/Documents/secure-ios-template.html

It has a number of IOS security features built in as well as ACLs that block bogons...

Hope that helps - please rate the post if it does.

Thanks for the link - I felt a little foolish posting that (very subjective) question, but this is a great start for me. Exactly what I was looking for.

Thanks,

Hutch

Why would you route the bogons to Null0 if you have them denied in an ACL already? Should you do both, or one or the other? The only reason I can think of is to save on latency, because the packet will not be handled by the ACL and would be routed directly to a black hole with no way out. Could there be any issues with BGP?

Thanks,

Matthew

The ACL is for outside hosts while the Null route is for inside hosts.
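As an added example (not from the thread, and not the Cymru template itself), here is the shape of what the original question asks for and what the last two replies are discussing: a short ingress/egress ACL on the border router, loose-mode uRPF, and Null0 routes for the same bogon ranges. 203.0.113.0/24 stands in for the hosting company's own allocation, 192.0.2.0/30 for the transit link and FastEthernet0/0 for the upstream interface; all of those are assumptions, as is the exact bogon list, which should be taken from the current Cymru data rather than from here.

```cisco
! uRPF needs CEF switching
ip cef
!
! Ingress ACL on the Internet-facing interface. Only unroutable sources and
! spoofs of our own block are dropped here; everything else goes on to the
! PIX pair, which does the per-service filtering.
ip access-list extended BORDER-IN
 remark --- anti-spoofing: our own prefix (assumed 203.0.113.0/24) never arrives from outside
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- RFC 1918 and other never-routable sources (keep this list current)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark --- hand the rest to the PIX pair
 permit ip any any
!
! Egress ACL: only our own addresses may leave, so a hosted server cannot
! be used to spoof someone else's address.
ip access-list extended BORDER-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Upstream transit (assumed addressing)
 ip address 192.0.2.2 255.255.255.252
 ip access-group BORDER-IN in
 ip access-group BORDER-OUT out
 ! loose mode: drop only when no route to the source exists at all (or the
 ! route points at Null0). Strict mode would drop legitimate traffic on
 ! asymmetric BGP paths.
 ip verify unicast source reachable-via any
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! Null routes for the same bogons. These are what catch packets that
! originate *inside* (a misconfigured or compromised hosted box sending to
! a private destination), which the inbound ACL never sees. With loose-mode
! uRPF they also drop inbound packets whose source "routes" to Null0.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
```

So the answer to "both, or one or the other?" is both, because they act on different traffic: the ACL on packets arriving from the upstream with a bogon source, the Null0 routes on packets leaving the inside with a bogon destination (without them those packets would follow the default route out to the transit provider). The BGP caveat is to keep these statics out of the routing protocol: no `redistribute static` and no `network` statements covering them, or you will announce RFC 1918 space to your upstream. `show access-lists BORDER-IN` shows hit counts per entry and `show ip traffic` shows the uRPF drop counter, which is the quickest way to confirm each of the three mechanisms is actually doing something.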
