Access-lists Security

Status
Not open for further replies.

VanDykI (Technical User), ZA, Mar 16, 2003
Hi,

Please could someone offer some advice:

I have a 1721 with three interfaces; an ethernet (10.1.2.1); an adsl (with negotiated ip address - dynamic); and a serial (196.7.0.138).

Now, I want to use the ADSL interface for internet access for my company; i.e. traffic from the ethernet to the adsl; but I want to restrict people from accessing my ethernet interface from the adsl interface - do NOT allow traffic originating from ADSL to ethernet. How can I do this???

Ian Van Dyk
 
although this is weak and you should use cbac, this will work

access-list 123 permit tcp any any established
access-list 123 permit udp any eq bootps any log-input
access-list 123 permit udp any eq domain any log-input
access-list 123 deny ip any any

int atm X/X
ip access-group 123 in

this is weak because it only protects against inbound pkts with the SYN bit set (someone trying to start a connection to the inside). **the 2nd line is so that you can get the dhcp address on the outside interface. the 3rd line is for dns responses from internal queries. see if you can get the isp's dhcp and dns srvr ip addresses, it'll make your setup a lot more secure. you can also see them using

'show dhcp lease' after you acquire the address

see if you can find an IOS with the firewall/cbac feature set. it is a lot more secure and flexible.
 
i forgot to say that it is mainly weak because, although port scans that attempt connections (using tcp SYNchronization pkts) will fail, it may leave your setup vulnerable to fin scans and possible spoofing. other stuff like ack trojans / tunneling may get through.
 
Thanks for that, will give it a try, however, should I put the inbound rule on the ATM interface as you suggest, or on the Dialer interface?

Ian
 
Hi,

I just have noticed one problem now, with FTP traffic, the initial connection gets made on port 21, but then the connection dies from internal users to external ftp sites, does it have something to do with the permit tcp any any established rule?

Ian
 
yeah, there is a general known problem with the ftp-data port (tcp 20). depending on the type of ftp server that you are accessing, the server (on the Internet) may need to establish (start) a connection to your end-user PCs. this is called "active-ftp"

the problem that you'll experience will be that you can connect to the ftp server (over tcp port 21, the control port) but you won't be able to list any directories or copy any files. you may need to open your acls to allow for anyone (any ftp server) to start a connection from src port 20 to any port greater than 1023.

access-list 123 permit tcp any eq 20 any gt 1023

..add this under the first entry --i.e.

access-list 124 permit tcp any any established
access-list 124 permit tcp any eq 20 any gt 1023
access-list 124 permit udp any eq bootps any log-input
access-list 124 permit udp any eq domain any log-input
access-list 124 deny ip any any

now if you are remotely administering this router
NOTE - SO YOU DON'T BREAK ANYTHING (LEARN FROM MY BAD EXPERIENCE)

make the acl in wordpad, word, or notepad, as ACL 124 or another new number
highlight and copy it
telnet into the router and paste the new acl in
then change the entry under the interface
------ip access-group 124 in

you may/will disrupt users connections momentarily
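An added example, not from the thread: a small Python model of how the router walks ACL 124 from the reply above, first match wins, so you can see exactly what the "established" keyword admits and why the ftp-data line is needed. It assumes that "established" matches on nothing more than the ACK or RST bit, and the packets are constructed samples arriving inbound on the ADSL side.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def tcp_established(p):
    # IOS "established" only checks the ACK or RST bit; it keeps no session state.
    return p.proto == "tcp" and (p.ack or p.rst)

# ACL 124 from the thread as (entry text, match predicate, action); first match wins.
ACL_124 = [
    ("permit tcp any any established", tcp_established, "permit"),
    ("permit tcp any eq 20 any gt 1023",
     lambda p: p.proto == "tcp" and p.sport == 20 and p.dport > 1023, "permit"),
    ("permit udp any eq bootps any log-input",
     lambda p: p.proto == "udp" and p.sport == 67, "permit"),
    ("permit udp any eq domain any log-input",
     lambda p: p.proto == "udp" and p.sport == 53, "permit"),
    ("deny ip any any", lambda p: True, "deny"),
]

def evaluate(acl, pkt):
    """Return (action, entry text) of the first entry that matches pkt."""
    for text, match, action in acl:
        if match(pkt):
            return action, text
    return "deny", "implicit deny"

# Constructed sample packets, all arriving inbound on the ADSL side.
SAMPLES = {
    "syn_to_inside_telnet": Packet("tcp", 40000, 23, syn=True),            # new connection attempt
    "ack_only_probe":       Packet("tcp", 40000, 23, ack=True),            # ACK bit set, no handshake
    "syn_ack_reply":        Packet("tcp", 80, 51000, syn=True, ack=True),  # reply to an inside web client
    "active_ftp_data":      Packet("tcp", 20, 1025, syn=True),             # server opening the data channel
    "ftp_data_low_port":    Packet("tcp", 20, 1000, syn=True),             # dport not gt 1023
    "dhcp_offer":           Packet("udp", 67, 68),
    "dns_reply":            Packet("udp", 53, 33000),
    "udp_snmp_probe":       Packet("udp", 40000, 161),
}

def results():
    """Map each sample name to the action ACL 124 takes on it."""
    return {name: evaluate(ACL_124, p)[0] for name, p in SAMPLES.items()}
```

Call results() to see the verdicts: the SYN to an inside host is denied, but the ACK-only probe is permitted by the first line with no handshake behind it, which is the weakness the reply warns about and what CBAC's stateful inspection would close.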
 