The best approach from a security point of view is to look at it from the other side: you should deny everything except the ports and IP addresses you really need to permit. You can check with your business and users what applications (IP addresses and ports) they need, and permit these, and deny the rest. If you have no or only an incomplete idea of what is needed, you can deny everything, and log what has been blocked, by using e.g.
! extended ACL syntax: a protocol keyword ('ip') is required before the source/destination pair
access-list 101 deny ip any any log
as the last entry in your access list. Then you can check the router log and explicitly select those applications and flows which are needed. Again, your focus should not be on what to deny, but on what to permit.
The minimum ports you need to have for Internet access are 80 (www), 443 (SSL), and 53 (domain, or DNS, for name resolution). If you want to allow FTP access as well, you would also need to allow port 21.
In addition, you can configure 'ip verify unicast reverse-path' on the interface connecting to the Internet, which basically is a security measure that checks the source IP address of packets received inbound on the interface to see if the interface is the interface that would normally be used by the router to route packets to the source IP.
So, putting this all together, your config would look like this:
! Global configuration: extended ACL 101. Entries are matched top-down;
! anything not permitted here is dropped by the implicit deny at the end.
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq ftp
! optional: log what the implicit deny would otherwise drop silently
access-list 101 deny ip any any log
! Interface configuration: both commands are interface-level, so they must be
! entered under the Internet-facing interface (name below is a placeholder)
interface GigabitEthernet0/0
 ip verify unicast reverse-path
 ip access-group 101 in
Depending on the IOS version you are running, you could also configure Network-Based Application Recognition (NBAR), and block certain URLs. Check if your router supports this configuration (this is from CCO and blocks Code Red):
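The answer above suggests denying everything with a logging entry, then reading the router log to find out which flows actually need a permit. The following script is an added example (not from the original post or from Cisco) that does that review step: it parses the %SEC-6-IPACCESSLOGP messages a 'deny ip any any log' entry produces, aggregates denied tcp/udp flows by destination host and port, and proposes narrow permit entries for a human to review. The log lines, addresses and the ACL number 101 are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of IOS log messages (not from the original post). A
# 'deny ip any any log' entry emits %SEC-6-IPACCESSLOGP for tcp/udp matches;
# the icmp line uses a different mnemonic and is deliberately left unparsed.
SAMPLE_LOG = """\
*Mar  1 00:12:41.103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.20(51234) -> 203.0.113.10(443), 1 packet
*Mar  1 00:12:44.871: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.20(51240) -> 203.0.113.10(443), 3 packets
*Mar  1 00:12:45.002: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.1.20(50001) -> 198.51.100.53(53), 1 packet
*Mar  1 00:13:01.500: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.31(40000) -> 203.0.113.77(80), 2 packets
*Mar  1 00:13:02.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.31(40001) -> 203.0.113.77(8080), 1 packet
*Mar  1 00:13:09.300: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.1.20 -> 203.0.113.10 (8/0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)


def summarize_denied_flows(log_text):
    """Aggregate denied tcp/udp flows: {(acl, proto, dst, dport): packets}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # other messages (icmp, unrelated syslog) are skipped
            key = (m["acl"], m["proto"], m["dst"], int(m["dport"]))
            counts[key] += int(m["pkts"])
    return counts


def candidate_permits(counts, min_packets=1):
    """Permit entries to review, busiest flow first; 'host' keeps them narrow."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"access-list {acl} permit {proto} any host {dst} eq {dport}"
        for (acl, proto, dst, dport), pkts in ranked
        if pkts >= min_packets
    ]


if __name__ == "__main__":
    flows = summarize_denied_flows(SAMPLE_LOG)
    for key, pkts in flows.items():
        print(f"{pkts:>4} packets  {key}")
    print("\n".join(candidate_permits(flows, min_packets=2)))
```

The min_packets threshold filters one-off noise; every proposed line is still a candidate to confirm with the application owner, not a rule to paste in unreviewed.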