Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: SUMMARY: Recommendations for Accesslists on Cisco?
From: Thomas Bleek <thbl4000 @ bronto . zrz . tu-berlin . d400 . de>
Date: Tue, 22 Nov 1994 13:03:24 +0100
To: firewalls @ greatcircle . com
Alternate-recipient: Allowed
X400-content-type: P2-1988 (22)
X400-mts-identifier: [/PRMD=TU-Berlin/ADMD=D400/C=DE/;<199411221203 . AA10686 @ bronto . zrz]
X400-originator: thbl4000 @ bronto . zrz . tu-berlin . d400 . de
X400-received: by mta d400relay in /PRMD=dfnrelay/ADMD=d400/C=de/; Relayed; Tue, 22 Nov 1994 13:09:31 +0100
X400-received: by mta TU-Berlin in /PRMD=TU-Berlin/ADMD=D400/C=DE/; Relayed; Tue, 22 Nov 1994 13:03:36 +0100
X400-received: by mta bronto.zrz.TU-Berlin.DE in /PRMD=TU-Berlin/ADMD=D400/C=DE/; Relayed; Tue, 22 Nov 1994 13:03:27 +0100
X400-received: by mta bronto.zrz.TU-Berlin.DE in /PRMD=TU-Berlin/ADMD=D400/C=DE/; Relayed; Tue, 22 Nov 1994 13:03:24 +0100
X400-recipients: non-disclosure:;

here is my summary about cisco-accesslists. The good news is, that
I was told about a big hole in my filterrules. Very bad was the idea
to let UDP-packets other than for the DNS-port 53
from the Internet to the inside. Some sugessted to also deny incoming
TCP and to use the established option but that is not working
with ftp. it turns out, that the external server opens the dataconnection
to the internal client (after the port-command from the client).
so there is no way other than modifying clients or to use the
PASV (which is not implemented on all servers).
It seems, that the only way to really improve security is to install
a firewall, a packetscreen won't help much.
Until we will have one would you give me hints, which
other ports than 2000 (openwin) and 6000 (X) are potential security holes?
Some answers did warn me, not to allow rsh/rlogin and also not to
use talk. The warning about talk was non-technical, some users are
likely to follow directions they get via talk, I'm sure we have also
such users here 8-).
The problem how to avoid break-ins into cisco:
nobody has heard of such break-ins, some told me to use the
encrypted option other are using access-lists for the vty-lines
or disable the lines and manage the cisco at the serial console.
one said, that it is possible to read the password in the cisco
and also suggested the encrypted option.
Thanks to all, who have responded:
(LaCoursiere J. D. (Jeff))" <z056716 @
 uprc .
(David B. Small)" <dbsmall @
 ttl .
 pactel .
(David Perlin)" <davep @
 cnr .
rrietz @
 sadis01 .
 kelly .
 af .
(Pamela Pledger)" <pamela @
 jupiter .
 Legato .
Original Question:
> Hello, firewall gurus!
> We want to start to improve security with some access-lists
> on our Router to the Internet. I have 2 Questions about that:
> 1.) Is there anything known about break-ins into Cisco-Routers ?
> 	(3rd Q: If so, are there suggestions to avoid break-ins?)
> 2.) We have set up permit-rules for:
> Outgoing TCP to ports 20 21 23 25 43 53 70 79 80 113 119     513 514
> 		and all ports > 1000 but not 2000 and 6000
> Outgoing UDP to ports                53 70    80         123         517 
> 		an all ports > 1000
> Outgoing ICMP
> All other outgoing traffic is denied.
> Incoming TCP to ports 20 21 23 25 53 80 113 119
>                 and all ports > 1000 but not 2000 and 6000
> Incoming UDP to ports             53 80         123 517
>                 an all ports > 1000
> Incoming ICMP
> All other incoming traffic is denied.
> The access to smtp nntp ntp and domain is restricted to the servers for
> these protocols.
> Are there any known problems with such a setup?
> ( the cisco speaks X.25 on the WAN-interface )
> The suggestions to allow access to ports > 1023 didn't work, because
> outgoing rlogin traffic has source-ports which decrease from 1023.
> It seems, that 1000 for the lower boundary will work for most cases.
> also I don't know how many ports above 6000 have to be denied for X-window
> grabbers. I was not able to find x-packets with ports other that 6000.
> May be that these are reserved for machines with more than one display? (4th Q)

Indexed By Date Previous: Re: Phone vs. Internet
From: jeromie @ mmp . com (jeromie)
Next: Help! uucp mail backup for failed firewall
From: Ken Hardy <ken @ bridge . com>
Indexed By Thread Previous: Re: Firewalls: Port remapper based on DNS
From: Darren Bolding <darren @ sccsi . com>
Next: Re: SUMMARY: Recommendations for Accesslists on Cisco?
From: Goran Svensson <goran @ btj . se>

Search Internet Search