Security Basics mailing list archives
RE: Cisco ACL Question
From: Douglas Gullett <dougg03 () comcast net>
Date: Wed, 11 Jun 2003 23:26:40 -0400
It seems that you are on the right track in being interested in security. It is hard though, to make recommendations about security without knowing the full picture. I certainly hope that you have a firewall behind that router that does stateful inspection!! There are many ways to bypass ACLs, and other things that ACLs just don't do. That is not to say that ACLs are a bad thing! I believe that ACLs on a perimeter router in conjunction with a proxy/stateful firewall is like locking your door and then setting the alarm system too...it's a good thing.

Here is a link from Cisco's Web site that has information about improving security:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

You can also find some really detailed information on securing your Cisco routers at the following NSA link.
http://www.nsa.gov/snac/cisco
Though some of it is OVERKILL! :-) You also have to know on your own whether or not a service is needed for your network, because their documents are no help in that regard.

I would also recommend that you do not allow anyone to telnet to that device at all, and only allow SSH connections from the inside of your network. This can be accomplished using the Cisco IPSEC version of IOS (12.2 and earlier (if you want stable GD code)...I have heard that SSH and Secure Copy are mainline in 12.3.1).
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.html (configuring ssh)

Hope that was food for thought and helped a little bit.

Doug Gullett, CCNP, CCDP, Security+

-----Original Message-----
From: noconflic [mailto:nocon () texas-shooters com]
Sent: Tuesday, June 10, 2003 6:49 PM
To: security-basics () securityfocus com
Subject: Cisco ACL Question

Hello,

I have a question about the following inbound Cisco ACL entry...
access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

From what I understand so far, this entry is required for normal outbound ftp, tftp, dns, and traceroute traffic. It has been suggested that one should specifically add deny rules for common UDP ports above that range.

My question: I am looking for suggestions to make that more restrictive. What problems would there be with other hosts on the LAN if the entry was removed?

Thanks,
-CH

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
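The two questions in the quoted post (how to make the `gt 1023` permit more restrictive, and what breaks if it is removed) both come down to how IOS evaluates an ACL: entries are tested top to bottom, the first match decides, and anything that matches nothing hits the implicit deny at the end. The following evaluator is an added example, not code from the thread or from Cisco; it parses the subset of numbered extended ACL syntax used on this page and plays constructed packets through it. The 192.0.2.0/24 network (a documentation range) stands in for the X.X.X.0 in the question, and the `deny ... eq 1434` line is a constructed stand-in for the "deny rules for common UDP ports above that range" the poster mentions, placed before the broad permit so it can take effect.

```python
"""First-match evaluator for Cisco IOS numbered extended ACL entries.
Added example (not code from the thread): models top-to-bottom first-match
evaluation and the implicit deny at the end of every ACL, for the syntax
subset used here (any / host / address+wildcard, eq / gt / lt / range)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

AddrSpec = Tuple[int, int]                   # (network, wildcard mask) as ints
PortMatch = Optional[Callable[[int], bool]]  # None means "any port"

@dataclass
class Packet:
    proto: str  # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sport: PortMatch
    dst: AddrSpec
    dport: PortMatch
    text: str

def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (net, wild), i + 2

def _parse_port(tok: List[str], i: int) -> Tuple[PortMatch, int]:
    """Consume an optional port operator at tok[i]."""
    if i >= len(tok) or tok[i] not in ("eq", "gt", "lt", "range"):
        return None, i
    if tok[i] == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(tok[i + 1])
    ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[tok[i]], i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src [op port] dst [op port]'."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src, i = _parse_addr(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Ace(tok[2], tok[3], src, sport, dst, dport, line)

def _addr_match(spec: AddrSpec, addr: str) -> bool:
    """Wildcard compare: a 1 bit in the wildcard mask is a 'don't care' bit."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (net & ~wild)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)
            and (ace.sport is None or ace.sport(pkt.sport))
            and (ace.dport is None or ace.dport(pkt.dport)))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry text); no match -> implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None

# Constructed sample: 192.0.2.0/24 (a documentation range) stands in for the
# X.X.X.0 network in the question. The 'deny ... eq 1434' line is one example
# of a deny for a UDP port above 1023, placed BEFORE the broad permit.
SAMPLE_ACL = [parse_ace(line) for line in (
    "access-list 100 deny udp any 192.0.2.0 0.0.0.255 eq 1434",
    "access-list 100 permit udp any 192.0.2.0 0.0.0.255 gt 1023",
)]
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "192.0.2.25", 33000)
UDP_1434 = Packet("udp", "198.51.100.7", 4444, "192.0.2.25", 1434)
UDP_1023 = Packet("udp", "198.51.100.53", 53, "192.0.2.25", 1023)
TCP_HIGH = Packet("tcp", "198.51.100.53", 53, "192.0.2.25", 33000)

if __name__ == "__main__":
    for name, pkt in (("dns reply", DNS_REPLY), ("udp/1434", UDP_1434),
                      ("udp/1023", UDP_1023), ("tcp high port", TCP_HIGH)):
        print(f"{name:14s} -> {evaluate(SAMPLE_ACL, pkt)}")
    # Same two entries in the other order: the permit now shadows the deny.
    print("reversed order -> ", evaluate(SAMPLE_ACL[::-1], UDP_1434))
    # With the permit removed entirely, even the DNS reply is dropped.
    print("permit removed -> ", evaluate(SAMPLE_ACL[:1], DNS_REPLY))
```

Running it shows the three points that matter here: the DNS reply to an inside host's high port is only admitted by the `gt 1023` permit (remove that entry and the reply is dropped by the implicit deny, which is the breakage the poster asks about); a more specific deny restricts the permit only if it sits above it, since reversing the two entries lets the broad permit shadow the deny; and the permit is already narrower than it looks, as UDP to port 1023 and any TCP traffic fall through to the implicit deny. None of this gives the router any notion of whether a high-port UDP packet is actually a reply to something an inside host sent, which is the gap the stateful firewall recommended in the reply above is meant to close.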
Current thread:
- Cisco ACL Question noconflic (Jun 11)
- RE: Cisco ACL Question Edmund Yiu (Jun 11)
- RE: Cisco ACL Question David Gillett (Jun 11)
- RE: Cisco ACL Question Douglas Gullett (Jun 12)
- Re: Cisco ACL Question noconflic (Jun 12)
- <Possible follow-ups>
- RE: Cisco ACL Question Mann, Bobby (Jun 11)