Re: screen and choke network config

["Kevin Johnson" <kev_johnson101 () hotmail com>]

besides Ron´s list are you disabling noxious services (http 
server,finger,cdp(if its a cisco router),...) on your router?
are you implementing any policy against rfc1918 ('anti-spoofing)?,
what of DoS attacks policies(smurf,land,syn,...,
logging these during an attack could impact performance, so tweeking will 
become necessary in 'hard times').
anyway, just want to thank Ron for the great 'intel'.



> On Tue, 28 May 2002, Dave Piscitello wrote:
>
> > I have just upgraded from a lame DSL bridged configuration to
> > a routed configuration.
> >
> > I have an access router that can packet filter.
> >
> > Behind this I have a public IP subnet on which I run between
> > 4-6 firewalls and VPN appliances.
> >
> > I'd like to process all syslog messages from the access router
> > and firewalls at a server behind one of the firewalls, and so would
> > open 514 inbound on the firewall (for a list of FWs), and block
> > 514 inbound on the access router. This is done and is working
> > nicely.
> >
> > I realized looking through my logs that I can save duplicate log
> > entries if I packet filter annoying inbound TCP/UDP/ICMP types
> > at the access router. Since all the firewalls will have a default
> > deny all inbound policy (except the one firewall that allows http),
> > I'd set the access router in an inverse manner
> > to "allow anything but stuff I don't want duplicate log entries for".
> >
> > I wonder what beyond the following list you might add. These
> > are the ports I most frequently see in my last 3 months' logs...
> >
> >
> > 23 telnet
> > 69 tftp
> > 79 finger
> > 111 sunrpc
> > 137, 138, 139 msft noiseBOIS
> > 161, 162 snmp, trap
> > 194 irc
> > 512-514 remote exec, login, shell
>
>
> depending upon the OS's you are running, port 111 might not be ehough to
> block.  I have a linux system, that after a number of reboots I have been
> able to glean these related ports, tcp/udp require some blocking:
>
> rpc1="111 635 680 683 684 686 687 698 699"
> rpc2="700 701 702 703 704 886 887 889 2049"
>
>
> additionally, I block these specifics, due to a number of other OS's
> including windows or various versions inside:
>
> nbios="135:139"
>
> winfr="1080 1090 1433 1900 5000"
>
>
> Of course, due to other problems and to track scans I also block these:
>
> lownast="7 19 59 79 107 177 161 162 445 515"
>
> hinast="12345 12346 16660 18753 20034 20433 24452 27347 31337"
>
> tellog="23 513 514"
>
> ftpc="21"
> ftpd="20"
>
> xwin="6000:6010"
>
>
> ssh is only allowed now inside from specific hosts, and adds a tad bit of
> control over those allowed to connect to machines behind the perimiter.
>
> I have additional specific blocks placed for certain machines for specific
> services I only allow to the insie network too..  But, always for full
> safe measures I block the tcp as well as the udp counter parts of ports,
> unless there's a specific reason not to.
>
>
> Hope this helps,
>
> Thanks,
>
> Ron DuFresne
>
>
> >
> > I still want to see how my doorknob's being rattled, I just
> > want to minimize the number of times I see any individual "rattle".
> >
> > David M. Piscitello
> > Core Competence, Inc. &
> > 3 Myrtle Bank Lane
> > Hilton Head, SC 29926
> > dave () corecom com
> > 843.689.5595
> > www.corecom.com
> > hhi.corecom.com/~yodave/


_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards