Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SQL slammer - Why it's a good idea for access-lists on your INSIDE int

Status
Not open for further replies.
tbissett

tbissett

IS-IT--Management
Mar 25, 2002
191
0
0
US
There have been a lot of great tips from this forum, so I figured I would offer this as well:

Saturday's SQL slammer worm is a perfect example of why everyone should ignore Cisco's default "allow everything out" policy and apply an access-list to your INSIDE interface.

Not only would this conform better to firewall best practices (that which is not expressly permitted is denied), but also helps to impede the propagation of worms like this.

You might be very surprised at just how much traffic is trying to go from the inside out. We have always had access-lists on our inside interfaces of our PIXES. We have caught a number of trojans, spyware, and other unwanted goodies just by watching the logs for what gets denied trying to leave our firewalls.

OK. I'm off my soap box now :)
 
I would strongly aggree. The fact that Cisco doesn't even mention it in the PIX manual also disturbs me.
 
Damn straight, I agree. I have always done this as well; you never know what kinds of trojans and viruses poeple are bringing into the office.
 

Totally agree. What ports do you guys restrict ?
 
I only allow the following:

For all computers
80/tcp
110/tcp
443/tcp

For my email servers I allow

25/tcp

For my DNS servers
53/udp
53/tcp
 
How does your access-list look?

How do you deny everything else?

cheers
Ian.
 
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
!Only needed if you want to FTP
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
!Can restrict this to only your internal DNS for better security
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any any eq ntp
!Clients can synchronize their clock w/ time servers
access-list 101 permit tcp any any eq https
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq smtp
!xxx.xxx.xxx.xxx is my email server
access-list 101 deny ip any any
access-group 101 in interface inside
 
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
139
Johnkite
Johnkite
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
119
XLNTech1
XLNTech1
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
169
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
52
WhosYourDiffie
WhosYourDiffie

Part and Inventory Search

Sponsor

Back
Top