Firewalls: Re: CISCO configuration

Firewalls
(January 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: CISCO configuration - help needed
From:	johns @ oxygen . house . gov (John Schnizlein)
Date:	Tue, 24 Jan 1995 09:08:39 -0500
To:	firewalls @ greatcircle . com, gaus @ znanost . mz . hr

> I have question about Cisco configuration (regarding last CERT advisory).
> I want to disable all false packet from Internet but I, obviusly, don't know
> how to do it right. I try with folowing access list:
> 
> access-list 111 deny   ip xxx.zzz.yyy.0 0.0.0.255 xxx.zzz.yyy.0 0.0.0.255 
> access-list 111 permit ip xxx.zzz.yyy.0 0.0.0.255 0.0.0.0 255.255.255.255 
> 
> int s 0
> ip access-g 111 in
> 
> but in that way I cut myself from the rest of the world. I try some more
> obscure lists but with same result. Can somenoe tell me where I am wrong.

The basic problem you ran into is the implied "deny everything" at the end
of all IP access-lists.

The easiest approach to blocking this IP source address spoof is to include
access-list 111 deny tcp YourNetNumber 0.0.0.255 0.0.0.0 255.255.255.255
in an access list that applies to packets coming in from the Internet.
(this assumes class-C YourNetNumber, if class-B the first mask is 0.0.255.255)

The implication that the access-group subcommand must be on the incoming
interface overstates the requirement for many sites. Even with older cisco SW,
the typical router screen, with only 2 interfaces, will work.
To block packets coming in from the Internet, the access-list applied to the
internal interface (in the default transmission direction) works well.
CERT assumed that the screening router has other internal interfaces.
As Brent has described before, these multiple interfaces complicate screening
horribly, and preclude the simple screen line described above.
(While it can be done, can you prove it correct to your boss?)

The reason I recommend _adding_ this line to your access-list is that there
should already be an access list that blocks packets to most service (<1024)
ports in your domain.  Where access is permitted, it should focus on IP
addresses under your control: destinations inside your domain.

The reason my access-list line specifies "tcp" rather than "ip" is that most
UDP is dangerous and unnecessary. Permit it only to properly configured
bastion hosts.

	--	John

Follow-Ups:

Re: CISCO configuration - help needed
From: "Alec H. Peterson" <chuckie @ panix . com>

Indexed By Date	Previous:	Re: Where to get CERT Advisory From: Frank Wortner <frank @ prodigy . com>
Indexed By Date	Next:	Re: NYT Article this morning From: bret @ real . com (Bret McDanel)
Indexed By Thread	Previous:	Re: CISCO configuration - help needed From: Paul Traina <pst @ cisco . com>
Indexed By Thread	Next:	Re: CISCO configuration - help needed From: "Alec H. Peterson" <chuckie @ panix . com>