
NetBIOS blocking on T1s?


pixboy (MIS), Nov 21, 2001
We have a Cisco 7206 router with two T1s and two FastEthernet ports. I started thinking the other day that it might be worthwhile to block NetBIOS traffic from getting into or out of our network. It might help cut down on the number of attacks via ports 135, 137 and 139 (and 445, too) by blocking those ports. But I'm not sure if it's possible to block them only on the two T1 lines.

The intention is to allow traffic within our LAN (several subnets) to pass unimpeded while blocking traffic on those ports from going to or from our LAN via the T1 lines. We already have a Cisco Pix 520UR firewall. The blocking I want to do at the router is basically to safeguard a couple of Windows machines that are outside the firewall and can't be moved inside it for one reason or another. (The firewall blocks those ports already for those sitting behind it.)

A simple access list would presumably be this:

! Deny both TCP and UDP to each NetBIOS/SMB port, then permit everything else
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny tcp any any eq 137
access-list 101 deny udp any any eq 137
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 permit ip any any

Would this be something I could then apply to my serial interfaces (the T1s) only? And would I apply them to the "master" serial interface (i.e. Serial3/0, Serial3/1) or the subinterfaces (i.e. Serial3/0.1, etc.)? And would I have to have more than one access list to apply it to both of those interfaces?

I've looked around and the idea of blocking these ports at a router is simple. However, the multiple subnets on our LAN and the two T1s seem to make it more complicated. I'd love to be able to do this at the router, rather than having to monkey around with individual servers. (Especially since adjusting the allowed/disallowed ports on one NIC does the same on all NICs in a Microsoft machine.)

Thanks!
 
The access list looks good. It would be applied to the sub-interfaces, and the same access-list would be applied using "access-group 100 in/out":

! Bind access-list 101 inbound on each T1 subinterface
interface Serial3/0.1
 ip access-group 101 in
interface Serial3/1.1
 ip access-group 101 in

Whether to use "in" or "out" depends on where the servers you are trying to protect are. If they are attached to a LAN on the same router, then use "in". If they are on the remote side of the T1s, then use "out".

I hope this helps.

Paul Hoyle, CCNP/CCAI
 
I would consider a more substantial access-list to protect the hosts outside your firewall by allowing access to only the ports that need access. I would even consider an IOS that has the firewall feature set on the 7206 and deploy a CBAC.

andf1
 
Paul:

Thanks for the reply. The servers are on the local LANs we have, so I guess they'd be on the "in" side. What if I wanted to try and prevent any machine on our LAN from attempting to connect to one of those ports on a machine that's down our T1s? In other words, blocking NetBIOS traffic from our LAN to a remote machine? Just a thought, in case something here gets infected.

At the last company I worked for, we got a T1 from AT&T and they blocked NetBIOS by default. It was only an issue because I was using NetBIOS to update a remote NT server I had. (Boy, the things I know now ...)
 
Pixboy,

You can apply the access list in both directions:
! Bind access-list 101 in both directions on each T1 subinterface
interface Serial3/0.1
 ip access-group 101 in
 ip access-group 101 out
interface Serial3/1.1
 ip access-group 101 in
 ip access-group 101 out

Or you could apply the "in" on the other interfaces on the router (fa 0/0, etc).

Are you running CEF? You want to be using a fast "route cache" to minimize the impact that the access-list has on the router. What NPE type do you have?

Hope you are having fun.


Paul Hoyle, CCNP/CCAI
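To make the in/out question from the replies above concrete, here is an added Python model (not from the thread, and not a Cisco tool) of extended access-list 101 with both TCP and UDP denied for 135, 137, 139 and 445, bound per interface and direction the way "ip access-group" does. The topology, addresses (10.1.0.0/24, 10.2.0.0/24, the 203.0.113.x and 198.51.100.x hosts) and packets are constructed for the example; the interface names follow the thread's Serial3/0.1 and FastEthernet naming. It shows that LAN-to-LAN SMB between the router's own subnets is untouched, that inbound NetBIOS from the T1 is dropped by the "in" list, and that LAN-to-remote NetBIOS is only dropped when the list is also bound "out" on the serial side.

```python
"""Toy model of IOS extended ACL 101 applied per interface and direction.

Added example: constructed topology and packets, not Cisco code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

NETBIOS_PORTS = (135, 137, 139, 445)


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (matches both)
    dport: Optional[int]  # None means "any destination port"


# access-list 101: deny tcp+udp to each NetBIOS port, then permit ip any any.
ACL_101 = [Ace("deny", proto, port)
           for port in NETBIOS_PORTS for proto in ("tcp", "udp")]
ACL_101.append(Ace("permit", "ip", None))


def evaluate(acl, pkt, log):
    """First-match evaluation as IOS does; unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.action == "deny":  # mimic the 'log' keyword on a deny entry
            log.append(f"list 101 denied {pkt.proto} {pkt.src} -> {pkt.dst}({pkt.dport})")
        return ace.action
    log.append(f"list 101 implicit deny {pkt.proto} {pkt.src} -> {pkt.dst}({pkt.dport})")
    return "deny"


# Constructed topology: two LAN subnets on FastEthernet, everything else via a T1.
LAN_NETS = {
    "FastEthernet0/0": ip_network("10.1.0.0/24"),
    "FastEthernet0/1": ip_network("10.2.0.0/24"),
}
T1 = "Serial3/0.1"


def interface_for(addr):
    """Pick the interface a given address lives behind (default route -> the T1)."""
    a = ip_address(addr)
    for iface, net in LAN_NETS.items():
        if a in net:
            return iface
    return T1


def forward(pkt, bindings, log):
    """bindings maps interface -> {"in": acl, "out": acl}, like 'ip access-group'."""
    ingress = interface_for(pkt.src)
    egress = interface_for(pkt.dst)
    in_acl = bindings.get(ingress, {}).get("in")
    if in_acl and evaluate(in_acl, pkt, log) == "deny":
        return "deny"
    out_acl = bindings.get(egress, {}).get("out")
    if out_acl and evaluate(out_acl, pkt, log) == "deny":
        return "deny"
    return "permit"


BOTH_WAYS = {T1: {"in": ACL_101, "out": ACL_101}}   # Paul's second suggestion
IN_ONLY = {T1: {"in": ACL_101}}                      # Paul's first suggestion


def demo():
    """Run the constructed packets through both bindings; returns (results, log)."""
    log = []
    cases = {
        "lan_to_lan_smb": Packet("tcp", "10.1.0.5", "10.2.0.7", 445),
        "internet_to_lan_smb": Packet("tcp", "203.0.113.9", "10.1.0.5", 445),
        "internet_to_lan_rpc": Packet("tcp", "203.0.113.9", "10.1.0.5", 135),
        "lan_to_remote_netbios": Packet("tcp", "10.1.0.5", "198.51.100.4", 139),
        "lan_to_remote_web": Packet("tcp", "10.1.0.5", "198.51.100.4", 80),
    }
    results = {name: forward(p, BOTH_WAYS, log) for name, p in cases.items()}
    # Same LAN-to-remote NetBIOS packet when the list is bound "in" only.
    results["lan_to_remote_netbios_in_only"] = forward(
        cases["lan_to_remote_netbios"], IN_ONLY, log)
    return results, log


if __name__ == "__main__":
    res, entries = demo()
    for name, verdict in res.items():
        print(f"{name:32s} {verdict}")
    print("\n".join(entries))
```

The model keeps one detail that matters in practice: the inbound list on the serial side protects the hosts on the router's LANs, but it does nothing for traffic leaving the LAN, so the outbound binding (or an inbound binding on the FastEthernet side) is what stops an infected internal host from reaching NetBIOS ports across the T1.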
 
Paul:

I don't believe we're running CEF right now. We have only a few access lists right now. Two are used to provide what ends up being the default places where our 5 external Class C blocks go. (Our two T1s are load balanced and fault tolerant. Two of the IP blocks are on one T1 by default, and the other 3 are on the other T1 by default. However, if you lose one of the T1s, they all jump over to the other one.) The other access lists are for blocking access to outside IPs for one reason or another.

How can I tell what NPE type we have?

Yes, I am having fun! I love being able to experiment with this sort of stuff. There are just way too many features that we never use that would make life easier/better on these devices, and I love uncovering them. I just wish I had a better way of testing things out before making changes to production routers. (In addition to the 7206, we have a 2610 that doesn't really get used anymore and a 2500-series router I mess around with periodically. The 2610 has 2 T1 cards in it, but I can't really test things the way I'd like to.)
 
Paul:

Thanks for your insight. I finally had the chance to put the access-list in place, and it appears to work perfectly. I ran a ShieldsUp against an NT machine that's sitting outside our firewall, and it reported that 135, 137, 139 and 445 don't exist anymore. I've verified that I can still see port 135 open on the machine from within our LAN.

I initially had the access-list logging matches to my syslog, and I'm not surprised at the number of entries that popped up there. I see port scans all the time in the firewall's syslog.

The only thing I had to look up was to see the syntax for the access-group command. I needed "ip access-group 101 in" (and out) to make it work.

I'm kind of surprised that more ISPs don't do this. NetBIOS ports shouldn't be open to the Internet, but not everybody can afford a firewall. There's really no reason to route NetBIOS traffic around.

Again, thanks for your help!
 