Security Basics mailing list archives

Re: Cisco ACL Question


From: noconflic <nocon () texas-shooters com>
Date: Thu, 12 Jun 2003 10:18:24 -0500

[nocon () texas-shooters com] Tue, Jun 10, 2003 at 05:48:40PM -0500 wrote:
Hello, 

   I have a question about the following inbound Cisco ACL entry...

      access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

 From what I understand so far, this entry is required for normal 
outbound ftp, tftp, dns, and traceroute traffic. It has been suggested that 
one should specifically add deny rules for common UDP ports above that range. 
My question: I am looking for suggestions to make that more restrictive. 
What problems would there be with other hosts on the LAN if the entry was 
removed?


  Thanks to all that replied. Got lots of good information. What I came up with 
is 'permit udp any eq 53 any gt 1023'. DNS is working fine, as are other 
services. I know that rule can still be bypassed by an attacker simply 
by setting the source port to 53 to make a UDP connection to ports > 1023; 
however, it does tighten 'permit udp any X.X.X.0 0.0.0.255 gt 1023' up a tad. 
The only possible issue that I could see with the new entry is that some 
Windows-based nameservers will not always use a source port of 53 
(http://support.microsoft.com/?kbid=260186). I'll deal with those 
as they come in. The way we are set up, I don't expect any serious repercussions, 
but, as they say, "never say never". 

 At any rate, A good firewall is a must. :)

Again, Thanks to All

-CH
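The following is an added example, not code from the original post or from Cisco: a small first-match evaluator for extended ACL entries, used to run the two rules discussed in the thread against constructed packets. It shows what the poster describes: the tightened entry stops an arbitrary high-port UDP probe that the original entry permitted, an attacker who forces source port 53 still gets through, and a reply from a nameserver that does not source from port 53 is dropped. 192.0.2.0/24 (an RFC 5737 documentation range) stands in for the poster's X.X.X.0/24; the other addresses and every packet are constructed for the example, and the wildcard-mask parser assumes a contiguous wildcard such as 0.0.0.255.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Added example, not code from the original post. Models first-match evaluation
# of Cisco extended ACL entries so the two rules in the thread can be compared
# on constructed packets. 192.0.2.0/24 stands in for the poster's X.X.X.0/24.

PortSpec = Optional[Tuple[str, int]]          # e.g. ("gt", 1023); None means any port
AddrSpec = Union[str, ipaddress.IPv4Network]  # "any" or a network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sport: PortSpec
    dst: AddrSpec
    dport: PortSpec


def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address plus wildcard)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # A Cisco wildcard is the bitwise inverse of a subnet mask. Assumption: the
    # wildcard is contiguous (0.0.0.255); discontiguous wildcards are not handled.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _parse_port(t, i):
    """Parse an optional 'eq|gt|lt PORT' operator at position i."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[2], t[3], src, sport, dst, dport)


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in spec


def _port_match(spec, port):
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def evaluate(acl, pkt):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", pkt.proto)
                and _addr_match(ace.src, pkt.src) and _port_match(ace.sport, pkt.sport)
                and _addr_match(ace.dst, pkt.dst) and _port_match(ace.dport, pkt.dport)):
            return ace.action
    return "deny"


# The two inbound entries from the thread (X.X.X.0 replaced by 192.0.2.0).
ORIGINAL = [parse_ace("access-list 100 permit udp any 192.0.2.0 0.0.0.255 gt 1023")]
TIGHTENED = [parse_ace("access-list 100 permit udp any eq 53 any gt 1023")]

# Constructed packets, all inbound toward the 192.0.2.0/24 LAN.
DNS_REPLY = Packet("udp", "198.51.100.10", 53, "192.0.2.5", 1500)   # normal resolver reply
ATTACKER = Packet("udp", "203.0.113.7", 4444, "192.0.2.5", 1500)    # arbitrary high-port probe
SPOOFED_53 = Packet("udp", "203.0.113.7", 53, "192.0.2.5", 1500)    # same probe, source port forced to 53
WIN_DNS = Packet("udp", "198.51.100.10", 1030, "192.0.2.5", 1500)   # reply from a server not sourcing from 53
TCP_HIGH = Packet("tcp", "203.0.113.7", 4444, "192.0.2.5", 1500)    # wrong protocol for either entry


def compare(pkt):
    """Return the verdict of both ACLs for one packet."""
    return {"original": evaluate(ORIGINAL, pkt), "tightened": evaluate(TIGHTENED, pkt)}


if __name__ == "__main__":
    for name, pkt in [("DNS reply sport 53", DNS_REPLY), ("attacker sport 4444", ATTACKER),
                      ("attacker sport 53", SPOOFED_53), ("DNS reply sport 1030", WIN_DNS),
                      ("TCP to port 1500", TCP_HIGH)]:
        print(f"{name:22s} {compare(pkt)}")
```

Running it shows the trade-off in the post directly: the tightened entry denies the 4444-sourced probe that the original permitted, but a probe with source port 53 is still permitted by both, and the reply from source port 1030 is now dropped. Note also that the poster's new entry uses `any` as the destination where the original named the X.X.X.0 0.0.0.255 network; keeping the destination network in the tightened entry as well would leave it no less functional and slightly narrower. Because a stateless ACL can only key on header fields, the source-port trick cannot be closed by any entry of this form, which is what the closing remark about a good (stateful) firewall is getting at.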

  
