Great Circle Associates Firewalls
(October 1992)
 


Subject: Re: How to do proxy ftp?
From: Don_Jarmon @ ingr . com
Date: Tue, 13 Oct 92 19:08:32 CDT
To: brent @ GreatCircle . COM (Brent Chapman)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9210092350 . AA26791 @ mycroft . GreatCircle . COM>; from "Brent Chapman" at Oct 9, 92 4:50 pm

INTERGRAPH CORPORATION
-----------------------------------------------------------------------------
                                                    NETWORK OPERATIONS CENTER
  


Folks:

I am looking for help with a 3COM Netbuilder setting up this type
of rule base.

Thanks...


 All of these are possible configurations.  The system I usually set up
 basically follows the first pattern: a filtering router between the
 "internal" nets and the rest of the world that allows only certain
 things (one of them being FTP) in certain directions (usually from the
 inside to the outside).
 
 If your router doesn't let you make filtering decisions based on
 source port (only based on destination port), here are the rules you
 need:
 
 Rule	SrcAddr	DstAddr	Protcl.	DstPort	Action
 A	intern	extern	TCP	21	permit	# FTP command channel
 B	intern	extern	TCP	20	permit	# FTP data channel
 C	extern	intern	TCP	>1024	permit	# return packets for both
 D	DEFAULT				deny
 
 Now, the problem here is that someone can attack anything you've got
 that lives on TCP above port 1024 if they use port 20 or 21 on their end.
 
 This means that you should explicitly deny access to TCP services that
 live above port 1024 that you don't want the outside world to talk to. 
 
 What services might those be, you ask?  Well, let's see...  X lives at
 port 6000 (actually, "6000 + <display>", so if you have multiple X displays
 on your host, you might also be using port 6001, 6002, ...).  Openwin pulls
 a similar trick at port 2000 (I think).  Third-party packages that include
 server components are often configured to use ports above 1024 (databases
 like Sybase, communications programs like IRC, etc.).  And who knows what
 your users might be running as a server above port 1024?  The only good news
 is that if you don't know, the bad guys might not either, though they could
 always try every port above 1024 and see what they come up with.
 
 Whether that's an "acceptable exposure" is up to you.

           Don Jarmon                       ...uunet!ingr!noc!don (UUCP)
     (205) 730-2010  FAX (205) 730-3805     don @ noc . b10 . ingr . com (INTERNET)
   * Intergraph Corporation, Mail Stop HQ1008, Huntsville, Ala, 35894-0001 *
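The following is an added example, not part of this thread and not vendor code for the Netbuilder or any other router: a small Python model of a stateless, first-match packet filter that evaluates the quoted rules A-D and lets you audit what they expose. The zone names "intern"/"extern", the X display range 0-63, and the sample ports are assumptions made for the example; the OpenWindows port 2000 is taken from the quoted message, which itself marks it as uncertain. The audit function shows why rule C, which matches only on the destination port, lets an outside host reach any internal TCP service above 1024, and how explicit deny rules placed ahead of C close the known cases while leaving unknown user-run servers exposed, which is the "acceptable exposure" decision the message leaves to the reader.

```python
"""Stateless packet-filter model for auditing the FTP rule base quoted above."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "intern" or "extern"; stands in for an address range (assumed naming)
    dst_zone: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Optional[str]
    dst_zone: Optional[str]
    proto: Optional[str]
    dst_port: Optional[Callable[[int], bool]]  # predicate on the destination port only
    action: str                                 # "permit" or "deny"
    comment: str = ""


def port(n: int) -> Callable[[int], bool]:
    return lambda p: p == n


def above(n: int) -> Callable[[int], bool]:
    return lambda p: p > n


def between(lo: int, hi: int) -> Callable[[int], bool]:
    return lambda p: lo <= p <= hi


def matches(rule: Rule, pkt: Packet) -> bool:
    # Note that the source port is never consulted: this models a router that
    # can only filter on the destination port, as in the quoted message.
    return ((rule.src_zone in (ANY, pkt.src_zone))
            and (rule.dst_zone in (ANY, pkt.dst_zone))
            and (rule.proto in (ANY, pkt.proto))
            and (rule.dst_port is None or rule.dst_port(pkt.dst_port)))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name).
    Rule D is the catch-all, but deny anyway if nothing matched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit"


# Rules A-D exactly as quoted (destination-port matching only).
ORIGINAL: List[Rule] = [
    Rule("A", "intern", "extern", "TCP", port(21),    "permit", "FTP command channel"),
    Rule("B", "intern", "extern", "TCP", port(20),    "permit", "FTP data channel"),
    Rule("C", "extern", "intern", "TCP", above(1024), "permit", "return packets for both"),
    Rule("D", ANY,      ANY,      ANY,   ANY,         "deny",   "DEFAULT"),
]

# Hardened variant: explicit denies for the high-port services the message names,
# inserted ahead of rule C so they win on first match. X is at 6000 + display
# (displays 0-63 assumed here); OpenWindows at 2000 per the message ("I think").
HARDENED: List[Rule] = ORIGINAL[:2] + [
    Rule("X",  "extern", "intern", "TCP", between(6000, 6063), "deny", "X11 displays"),
    Rule("OW", "extern", "intern", "TCP", port(2000),          "deny", "OpenWindows"),
] + ORIGINAL[2:]


def exposed_high_ports(rules: List[Rule], candidates) -> List[int]:
    """Ports among `candidates` that an outside host can reach through the filter.
    Because no rule looks at the source port, the answer is the same whatever
    source port the remote end chooses, so one probe per candidate is enough."""
    hits = []
    for p in candidates:
        if decide(rules, Packet("extern", "intern", "TCP", 20, p))[0] == "permit":
            hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed inventory of internal listeners for the audit.
    services = {512: "a port below 1024", 2000: "OpenWindows", 5000: "user-run server",
                6000: "X display :0", 6001: "X display :1"}
    for label, rules in (("original", ORIGINAL), ("hardened", HARDENED)):
        reachable = exposed_high_ports(rules, services)
        print(f"{label}: reachable from outside -> "
              f"{[f'{p} ({services[p]})' for p in reachable]}")
```

Run the file to see the two audits side by side: the original rule base exposes every listener above 1024, the hardened one still exposes the user-run server on 5000, which is exactly the residual risk the message describes. Keeping an inventory like `services` current is what makes the explicit-deny approach workable in practice.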



