Great Circle Associates Firewalls
(July 1996)

Subject: Re: denying services at the router
From: C Matthew Curtin <cmcurtin@research.megasoft.com>
Date: Tue, 30 Jul 1996 07:07:03 -0400
To: "william.wells" <william.wells@damark.com>
Cc: FIREWALLS <firewalls@GreatCircle.COM>
In-reply-to: <9607252303.AA02946@damark.com>
References: <9607252303.AA02946@damark.com>
Reply-to: cmcurtin@research.megasoft.com

>>>>> "w^2" == william wells <william.wells@damark.com> writes:

w^2> Is there a recommended access control lists for an Internet
w^2> router?  I know this has been discussed before, but I don't
w^2> recall a summary list.  Is disabling ICMP and UDP a good idea
w^2> (especially if we use NTP?).

Typically, I like to deny the following on the access router
    * all UDP
    * packets claiming to originate from RFC 1918 addresses
    * packets claiming to originate from any of my own addresses
    * any TCP access to DMZ machines, except for services they need
      (i.e., mail relays in the DMZ need port 25 to be able to come
      in, web servers need port 80, maybe 443, maybe others to come
      in, etc.)

I don't particularly have a problem with NTP, but if you're not
specifically going to use it, don't allow it. Ditto for all other
services. Once you're done locking things down, you should be able to
tell someone exactly what services you are allowing on given machines:
it should be simple enough that it isn't necessary to have a long
cheat sheet to tell you what's going on out there.

Sometimes, things might have to be opened a bit (i.e., RealAudio uses
a couple of UDP ports for its data streams (version 2.0 can use TCP
data streams), so a few ports might need to be opened up if you're
going to allow that sort of thing), but typically, that's a pretty
good way to lock things down out there.

In addition, by then running TCP Wrappers (by Wietse Venema), and
watching for connections on service ports that you've denied at the
access router, you have a good alarm system. Any time you get a poke
from the outside against a machine in the DMZ where you haven't
allowed traffic through, then you know that something is screwy with
your router.

In addition to ACLs, it should be mentioned that you should not allow
any remote access to your router. Refuse any remote logins, so that it
is administered only by the physical console. Also, be sure to define
a loghost in your DMZ that can pick up the stuff that the router is
spewing. Might be some early warnings in there that someone is trying
to get in.

-- 
C Matthew Curtin        MEGASOFT, LLC        Director, Security Architecture
I speak only for myself.  Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
cmcurtin@research.megasoft.com http://research.megasoft.com/people/cmcurtin/
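The access-router rules and the TCP Wrappers alarm described in the message above, as an added Python model that is not part of the original post or of any router vendor's syntax; the addresses, the two DMZ hosts and the default-deny for anything not listed are my assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the post): the site owns
# 192.0.2.0/24 and has a mail relay and a web server in the DMZ.
OWN_NETS = [ip_network("192.0.2.0/24")]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# DMZ host -> inbound TCP ports the post says such a host needs.
DMZ_ALLOWED_TCP = {
    "192.0.2.25": {25},        # mail relay: SMTP in
    "192.0.2.80": {80, 443},   # web server: HTTP, maybe HTTPS
}

def router_permits(proto, src, dst, dport):
    """Evaluate an inbound packet against the post's rules, first match wins.
    Anything not explicitly needed is denied (default-deny is my assumption)."""
    s, d = ip_address(src), ip_address(dst)
    if proto == "udp":
        return False, "all UDP denied"
    if any(s in n for n in RFC1918):
        return False, "source claims an RFC 1918 address"
    if any(s in n for n in OWN_NETS):
        return False, "source claims one of our own addresses"
    allowed = DMZ_ALLOWED_TCP.get(str(d))
    if proto == "tcp" and allowed is not None:
        if dport in allowed:
            return True, "service this DMZ host needs"
        return False, "TCP service not needed on this DMZ host"
    return False, "default deny"

def router_alarms(observed):
    """The post's alarm idea: if TCP Wrappers on a DMZ host sees a connection
    the router should already have dropped, the router is misbehaving.
    `observed` is a list of (proto, src, dst, dport) tuples as a host would
    log them; returns the entries that should never have arrived."""
    return [c for c in observed if not router_permits(*c)[0]]

# Constructed sample of connections seen by tcpd on the DMZ hosts.
SEEN = [
    ("tcp", "203.0.113.9", "192.0.2.25", 25),   # legitimate mail delivery
    ("tcp", "203.0.113.9", "192.0.2.80", 23),   # telnet poke: router let it through
    ("tcp", "10.1.2.3", "192.0.2.80", 80),      # RFC 1918 source: should be dropped
]

if __name__ == "__main__":
    for c in router_alarms(SEEN):
        print("ALARM: router passed", c, "->", router_permits(*c)[1])
```

Every entry the alarm function returns is worth a look at the router's ACLs before anything else, since the host only saw it because the router failed to drop it.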

