On 25-Apr-96 Eric Wieling wrote:
>We have applied the following access list to our Cisco 2501. The
>Cisco is our router to the Internet.
>
>This is an inbound filter.
>
>I understand that this is a liberal filter, however we have other
>protections such as another router between this one and sensitive
>networks and run pieces of the fwtk, tcp_wrappers, tcpsuck and
>udpsuck and stuff like that on all of the machines that are
>accessible from the Internet. I like the additional logging that
>this stuff provides. That said the part of our network that this
>list protects is "outside the firewall" so to speak.
>
>! Prevent IP spoofing
>access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
>access-list 100 deny ip 198.105.96.0 0.0.7.255 any log
>! Prevent access to unprotected services
>access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq netbios-ns log
>access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 139 log
>access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmp log
>access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmptrap log
>access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq syslog log
>access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 515 log
>access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1645 log
>access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1646 log
>access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 8080 log
>! Allow everything else.
>access-list 100 permit ip any any
>access-list 100 permit udp any any
>access-list 100 permit icmp any any
>
>--
>Eric Wieling
>Network Operations Center
>Inter Commerce Corporation
>Technical Support: 504-525-1868
>Administrative: 504-585-7303
Er, do you really think it's wise to provide all this information? I thought
one of the main principles of security was not to _advertise_ the measures
being taken.
-M.
---
Matthew Markopoulos
Thailand Environment Institute (TEI)
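The quoted access list, run through a small first-match evaluator, as an added example (not code from either message): it parses the IOS syntax of the list above, applies the first-match semantics and the implicit deny an IOS access list ends with, and reports that the two trailing `permit udp`/`permit icmp` lines can never be reached behind `permit ip any any`. It assumes the standard port numbers for the IOS keywords used (netbios-ns 137, snmp 161, snmptrap 162, syslog 514) and ignores options the list does not use (ranges, `established`).

```python
import ipaddress
# Constructed copy of the inbound access-list 100 from the message above (duplicate lines removed).
ACL_TEXT = """
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 198.105.96.0 0.0.7.255 any log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq netbios-ns log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 139 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmp log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq snmptrap log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq syslog log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 515 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1645 log
access-list 100 deny udp any 198.105.96.0 0.0.7.255 eq 1646 log
access-list 100 deny tcp any 198.105.96.0 0.0.7.255 eq 8080 log
access-list 100 permit ip any any
access-list 100 permit udp any any
access-list 100 permit icmp any any
"""
PORT_NAMES = {"netbios-ns": 137, "snmp": 161, "snmptrap": 162, "syslog": 514}  # IOS port keywords (assumed IANA values)

def _addr(tokens):
    """Consume 'any' or 'address wildcard'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    return tuple(int(ipaddress.IPv4Address(x)) for x in tokens[:2]), tokens[2:]

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list N action proto src dst [eq port] [log]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": port})
    return rules

def _in(ip, spec):  # wildcard 1-bits are "don't care" bits
    return (int(ipaddress.IPv4Address(ip)) & ~spec[1]) == (spec[0] & ~spec[1])

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, as on IOS; falling off the end is the implicit deny."""
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", proto) and _in(src, r["src"]) and _in(dst, r["dst"])
                and r["dport"] in (None, dport)):
            return r["action"], i
    return "deny", None

def _covers(a, b):  # address spec a matches every address that spec b matches
    return (a[1] | b[1]) == a[1] and (a[0] & ~a[1]) == (b[0] & ~a[1])

def shadowed_rules(rules):  # indices of rules no packet can reach: an earlier rule already matches them all
    return [i for i, r in enumerate(rules) if any(
        e["proto"] in ("ip", r["proto"]) and _covers(e["src"], r["src"])
        and _covers(e["dst"], r["dst"]) and e["dport"] in (None, r["dport"]) for e in rules[:i])]
```

Note that the spoofing rules match on `ip`, so they catch any protocol from the listed source ranges before the per-service lines are consulted.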