Hello Group, I'm currently trying to refine security for my Internet routers by developing my ingress ACL. My routers aren't ISP routers, they are more of a gateway/border router for your standard enterprise which connects to the ISP. I know that the ISP may use some filtering on their end, but doing ingress filtering again on your router is always a good idea. Reading through MCSN and SAFE whitepapers, they pretty much suggest filtering for RFC1918 and RFC2827, which I don't think is enough for a production router.
Also, you guys might suggest using a firewall. The point of the gateway/border router is to function as the router that connects to the Internet before the firewall, so it is used in tandem with the firewall. Any sort of ACL to only permit certain ports for accessing backend servers should only be added on the firewall.

Here are a couple of links I've been referring to for developing my ACL:

http://www.cymru.com/Documents/icmp-messages.html
http://www.cymru.com/Documents/secure-ios-template.html

If you look at the ACL that the link above has, it is huge. Does anyone think it is relevant for my requirements? What about the null0 routes? I would imagine that they're only useful for the ISP routers, since they are routing ISP traffic and need to black-hole those routes.

Here is the current ACL I'm using:

access-list 150 remark Inbound Packet Filter from Internet
access-list 150 remark ---- Limit ICMP messages
access-list 150 deny icmp any any log-input fragments
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any packet-too-big
access-list 150 permit icmp any any source-quench
access-list 150 permit icmp any any time-exceeded
access-list 150 deny icmp any any log-input
access-list 150 remark ---- Deny invalid IP sources
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 150 deny ip 240.0.0.0 7.255.255.255 any log-input
access-list 150 deny ip 248.0.0.0 7.255.255.255 any log-input
access-list 150 deny ip host 255.255.255.255 any log-input
access-list 150 remark ---- Permit all other traffic
access-list 150 permit ip any any

A couple of things I can think of to improve my ACL: firstly, logging all the ICMP traffic that I'm denying. Currently, I'm denying all other ICMP traffic that doesn't match the traffic I permitted, and logging it. In my production routers, I'm seeing that my logs have logged quite a few ICMP denies; I think it would be a good idea to log all the different ICMP message types that have been denied, just to see what is being sent to my network that is being denied, e.g.

access-list 199 permit icmp any any host-redirect

Secondly, maybe increasing the number of non-valid IP address ranges coming in, and using Turbo ACL. Has anyone had experience with Turbo ACL?

What about egress ACLs? Should I consider an egress ACL, maybe just to permit traffic from my network to go out of the network, in case someone within tries to spoof traffic?

I'm trying to keep the ACL as generic as possible, so I can use it for all the different routers that connect to the Internet, and add any changes as needed to tailor it for each different network.

Thanks in advance for your suggestions.

Regards,
Albert Lu

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63118&t=63118
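A small checker, added here and not part of Albert's post or any Cisco tool, that parses Cisco-style numbered extended ACL lines with first-match and implicit-deny semantics and runs constructed packets through a subset of the ingress ACL above and an assumed egress ACL of the "only my own prefix may leave" kind (203.0.113.0/24 stands in for the site's real prefix). It lets the ordering of the fragments deny, the ICMP type permits and the bogon denies be verified offline; the handling of non-initial fragments against type-qualified entries follows the behaviour Cisco documents for IOS ACLs.

```python
import ipaddress

def _addr_spec(t, i):
    """Parse one address spec (any | host A | A WILDCARD); return (next index, matcher)."""
    if t[i] == "any":
        return i + 1, lambda a: True
    net = int(ipaddress.IPv4Address(t[i + 1] if t[i] == "host" else t[i]))
    wild = 0 if t[i] == "host" else int(ipaddress.IPv4Address(t[i + 1]))  # 1 bits = don't care
    return i + 2, lambda a: (int(ipaddress.IPv4Address(a)) | wild) == (net | wild)

def parse_acl(text):
    """Parse 'access-list N action proto src dst [icmp-type] [log-input] [fragments]' lines."""
    rules = []
    for t in (line.split() for line in text.strip().splitlines()):
        if len(t) < 5 or t[2] == "remark":
            continue
        i, src = _addr_spec(t, 4)
        i, dst = _addr_spec(t, i)
        qual = [x for x in t[i:] if x not in ("log-input", "fragments")]
        rules.append((t[2], t[3], src, dst, qual[0] if qual else None, "fragments" in t[i:]))
    return rules

def evaluate(rules, proto, src, dst, icmp_type="", fragment=False):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, rproto, rsrc, rdst, rtype, frag_only in rules:
        if rproto not in ("ip", proto) or not (rsrc(src) and rdst(dst)):
            continue
        if frag_only and not fragment:  # the 'fragments' keyword matches non-initial fragments only
            continue
        # IOS: a non-initial fragment has no ICMP header, so it matches a type-qualified permit
        # but skips a type-qualified deny; that is why the 'fragments' deny sits at the top.
        if rtype is not None and (fragment and action == "deny" or not fragment and rtype != icmp_type):
            continue
        return action
    return "deny"

# Constructed subset of the poster's ingress ACL, kept in the original order.
INGRESS = parse_acl("""
access-list 150 deny icmp any any log-input fragments
access-list 150 permit icmp any any echo
access-list 150 deny icmp any any log-input
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 150 deny ip host 255.255.255.255 any log-input
access-list 150 permit ip any any
""")
# Assumed egress ACL for 'only my own prefix may leave'; 203.0.113.0/24 stands in for the site prefix.
EGRESS = parse_acl("""
access-list 151 permit ip 203.0.113.0 0.0.0.255 any
access-list 151 deny ip any any log-input
""")
```

Feeding the full ACL from the post into parse_acl works the same way; the remark lines are skipped and the log-input keyword is ignored, since it affects logging rather than matching.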