Security Basics mailing list archives

RE: Cisco ACL Question


From: Douglas Gullett <dougg03 () comcast net>
Date: Wed, 11 Jun 2003 23:26:40 -0400

It seems that you are on the right track in being interested in security.
It is hard though, to make recommendations about security without knowing
the full picture.  I certainly hope that you have a firewall behind that
router that does Stateful inspection!!  There are many ways to bypass ACLs,
and other things that ACLs just don't do.  That is not to say that ACLs are
a bad thing!  I believe that ACLs on a perimeter router in conjunction with
a proxy/stateful firewall is like locking your door and then setting the
alarm system too...it's a good thing.

Here is a link from Cisco's Web site that has information about improving
security:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

You can also find some really detailed information on securing your Cisco
routers at the following NSA link.

http://www.nsa.gov/snac/cisco

Though some of it is OVERKILL!  :-)  You also have to know on your own
whether or not a service is needed for your network, because their documents
are no help in that regard.

I would also recommend that you do not allow anyone to telnet to that device
at all, and only allow SSH connections from the inside of your network.
This can be accomplished using the Cisco IPSEC version of IOS (12.2 and
earlier (if you want stable GD code)...I have heard that SSH and Secure Copy
are mainline in 12.3.1).

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d5.html  (configuring ssh)



Hope that was food for thought and helped a little bit.


Doug Gullett, CCNP, CCDP, Security+



-----Original Message-----
From: noconflic [mailto:nocon () texas-shooters com]
Sent: Tuesday, June 10, 2003 6:49 PM
To: security-basics () securityfocus com
Subject: Cisco ACL Question


Hello,

   I have a question about the following inbound Cisco ACL entry...

      access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

 From what I understand so far, this entry is required for normal
outbound ftp, tftp, dns, and traceroute traffic. It has been suggested that
one should specifically add deny rules for common UDP ports above that range.
My question: I am looking for suggestions to make that more restrictive?
What problems would there be with other hosts on the LAN if the entry was
removed?

Thanks,

-CH

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
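Added example, not from either poster: a small Python model of how the router evaluates the `access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023` entry from the question (wildcard mask, `gt` port operator, first match wins, implicit deny), placed beside the stateful reply-matching check the answer recommends. It assumes the inside network is 192.0.2.0/24 (a constructed stand-in for X.X.X.0), a hypothetical explicit deny for UDP port 5000 ahead of the permit, and constructed sample datagrams.

```python
import ipaddress

def _match_addr(addr, spec):
    """spec is ('any',) or (ip, wildcard); a 1 bit in a wildcard mask means 'don't care'."""
    if spec[0] == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a & ~w) == (b & ~w)

def _take_addr(toks):
    """Consume one address spec ('any' or 'ip wildcard') from the token list."""
    return (("any",), toks[1:]) if toks[0] == "any" else ((toks[0], toks[1]), toks[2:])

def parse_ace(line):
    """Parse one numbered-ACL line such as 'access-list 100 permit udp any ... gt 1023'.
    Only a destination port operator (eq/gt/lt) is supported, as in the question."""
    t = line.split()[2:]                       # drop 'access-list 100'
    action, proto, t = t[0], t[1], t[2:]
    src, t = _take_addr(t)
    dst, t = _take_addr(t)
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": (t[0], int(t[1])) if t else None}

OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}

def acl_action(acl, pkt):
    """Stateless evaluation: first matching entry wins, implicit deny at the end.
    pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, _, dst, dport = pkt
    for ace in map(parse_ace, acl):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (_match_addr(src, ace["src"]) and _match_addr(dst, ace["dst"])):
            continue
        if ace["port"] and not OPS[ace["port"][0]](dport, ace["port"][1]):
            continue
        return ace["action"]
    return "deny"

def stateful_action(outbound_flows, pkt):
    """What a stateful firewall does instead: permit an inbound datagram only if
    it is the reverse of a flow an inside host already started."""
    proto, src, sport, dst, dport = pkt
    return "permit" if (proto, dst, dport, src, sport) in outbound_flows else "deny"

# Constructed sample: inside network 192.0.2.0/24 stands in for X.X.X.0/24.
ACL = ["access-list 100 deny udp any 192.0.2.0 0.0.0.255 eq 5000",      # hypothetical explicit deny
       "access-list 100 permit udp any 192.0.2.0 0.0.0.255 gt 1023"]    # the entry from the question
FLOWS = {("udp", "192.0.2.10", 40000, "198.51.100.53", 53)}            # inside host's DNS query
DNS_REPLY = ("udp", "198.51.100.53", 53, "192.0.2.10", 40000)          # answer to that query
UNSOLICITED = ("udp", "203.0.113.7", 50000, "192.0.2.20", 6000)         # nobody inside asked for this
```

Both checks permit the DNS reply, but only the stateless ACL also lets the unsolicited datagram through; the explicit deny helps for one port only, which is the answer's point about needing stateful inspection behind the router.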

