>>>>> "w^2" == william wells <william.wells@damark.com> writes:
w^2> Is there a recommended access control list for an Internet
w^2> router? I know this has been discussed before, but I don't
w^2> recall a summary list. Is disabling ICMP and UDP a good idea
w^2> (especially if we use NTP)?
Typically, I like to deny the following on the access router
* all UDP
* packets claiming to originate from RFC 1918 addresses
* packets claiming to originate from any of my own addresses
* any TCP access to DMZ machines, except for services they need
(i.e., mail relays in the DMZ need port 25 to be able to come
in, web servers need port 80, maybe 443, maybe others to come
in, etc.)
I don't particularly have a problem with NTP, but if you're not
specifically going to use it, don't allow it. Ditto for all other
services. Once you're done locking things down, you should be able to
tell someone exactly what services you are allowing on given machines:
it should be simple enough that it isn't necessary to have a long
cheat sheet to tell you what's going on out there.
Sometimes, things might have to be opened a bit. RealAudio, for
example, uses a couple of UDP ports for its data streams (version 2.0
can use TCP data streams), so a few ports might need to be opened up
if you're going to allow that sort of thing. But typically, that's a
pretty good way to lock things down out there.
In addition, by then running TCP Wrappers (by Wietse Venema), and
watching for connections on service ports that you've denied at the
access router, you have a good alarm system. Any time you get a poke
from the outside against a machine in the DMZ where you haven't
allowed traffic through, then you know that something is screwy with
your router.
In addition to ACLs, it should be mentioned that you should not allow
any remote access to your router. Refuse any remote logins, so that it
is administered only by the physical console. Also, be sure to define
a loghost in your DMZ that can pick up the stuff that the router is
spewing. Might be some early warnings in there that someone is trying
to get in.
--
C Matthew Curtin MEGASOFT, LLC Director, Security Architecture
I speak only for myself. Don't whine to anyone but me about anything I say.
Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
cmcurtin@research.megasoft.com http://research.megasoft.com/people/cmcurtin/
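[Editor's added example, not part of Matt's post or of any router vendor's
configuration language: a small Python model of the access-router ACL he
lists (deny all UDP, deny RFC 1918 and own-address sources, permit TCP only
to the services each DMZ host actually offers), evaluated against
constructed packets, plus the TCP Wrappers style "alarm" check from the
paragraph that follows: any connection a DMZ host sees that the router
should have dropped is a sign the ACL is broken. The site prefix
203.0.113.0/24, the two DMZ hosts, their service table and the sample
connection records are all hypothetical. Cisco-style ACLs end in an
implicit deny; the model assumes the same, so anything not listed (ICMP
included) is dropped.]

```python
from ipaddress import ip_address, ip_network

# Private source ranges from RFC 1918; nothing on the Internet side should claim them.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed (hypothetical) site prefix: an inbound packet claiming one of these
# sources is spoofed.
OWN_NETS = [ip_network("203.0.113.0/24")]

# Assumed (hypothetical) DMZ service table: which TCP ports may reach which host.
DMZ_ALLOWED_TCP = {
    "203.0.113.10": {25},        # mail relay
    "203.0.113.20": {80, 443},   # web server
}


def router_permits(src, dst, proto, dport=None):
    """Evaluate one inbound packet against the ACL; True = permit, False = deny."""
    s = ip_address(src)
    if proto == "udp":                          # deny all UDP (NTP included)
        return False
    if any(s in n for n in RFC1918):            # deny RFC 1918 sources
        return False
    if any(s in n for n in OWN_NETS):           # deny packets spoofing our own addresses
        return False
    if proto == "tcp":                          # TCP only to listed services per host
        return dport in DMZ_ALLOWED_TCP.get(dst, set())
    return False                                # everything else: implicit deny (model assumption)


def wrapper_alarms(connections):
    """Reduce TCP Wrappers style connection records (collected on the loghost)
    to those the router should have dropped.  Any hit means the ACL is not
    doing what you think it is."""
    return [c for c in connections
            if not router_permits(c["src"], c["dst"], "tcp", c["dport"])]


# Constructed sample records, as a loghost might collect from tcpd on DMZ hosts.
SAMPLE_CONNECTIONS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 25},   # legitimate SMTP
    {"src": "198.51.100.7", "dst": "203.0.113.20", "dport": 443},  # legitimate HTTPS
    {"src": "198.51.100.9", "dst": "203.0.113.10", "dport": 23},   # telnet to mail relay: router should have dropped it
    {"src": "10.1.2.3",     "dst": "203.0.113.20", "dport": 80},   # RFC 1918 source: spoof got through
]

if __name__ == "__main__":
    for c in wrapper_alarms(SAMPLE_CONNECTIONS):
        print("ALARM: router let %(src)s reach %(dst)s:%(dport)d" % c)
```

The point of keeping the service table this small is the one Matt makes:
you should be able to read the permitted set off a few lines, and the
alarm check is just the same table run in reverse against what the DMZ
hosts actually saw.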