Asked by vbongarala (India):
Perimeter Router Access Lists

I want to configure ACLs on our edge routers, but I have some doubts about implementing them and I want to clarify them. Although I have gone through the Cisco doc on the basics of ACLs, I'm still not clear. I know I can get it cleared up by the experts here.

We know that at the end of every ACL there is an implicit deny statement. Hence, if at the edge router we implement only permit statements, the rest of the traffic is automatically denied. My first questions are:

a. What is the difference between the default implicit deny statement and writing deny ip any any?
    Does the latter make any qualitative difference compared to the former?

b. I need to permit the authorized traffic of the firewall, which is just behind the edge router, and
    deny the rest of the traffic. How can I do this?

c. How do I permit the stateful return traffic of the firewall on the edge router?

d. Can someone help me understand how to write perimeter ACLs in simple words?

Thank you.
harbor235 (United States of America):

a) An explicit deny ip any any at the end of your ACL allows for the collection of stats on denied packets that are not available with the implicit deny, i.e. the number of denied packets via the show access-list X command. Also, the explicit deny allows you to add log-input as well, which lets you log the denied packets for analysis.

b) Depends on what is behind the firewall and its configuration. However, best security practices for edge filtering typically implement spoofing filters and route filters; the next layer does additional filtering. Security is a layered approach: each layer and device has some form of security with an overall security goal in mind, "defence in depth". So I guess what I am saying is that I would not be too granular with my edge filtering; deploy edge filters that filter RFC 1918, spoofing, infrastructure filters (no packets should be able to connect to the infrastructure devices from the outside; if you need that, then they should be very specific with secure protocols) and route filters.

c) I would not filter anything on the edge other than what was said in b).

d) See b).

wow, only 125 pts!

harbor235 ;}
vbongarala (asker):

Thank you for your response, and sorry for the delayed reply.

The first answer I'm clear with and totally satisfied. However, for the others you have been very generic; could you please be more precise? I know what to implement at the edge routers, but I'm a little confused when it comes to writing the ACLs.

So I would appreciate it if you could provide assistance in this particular area. If you want, I can send you the configs of the firewall and what ACLs I'm looking to implement.

Thank you,

It depends on your specific configuration; however, for example:
Your org uses the following IP block assignment, 198.135.0.0/24 (a real-life Cisco block, we are using it as an example IP block only), so on the edge device on the outside interface I can begin to craft an IP filter:

ip access-list extended PERIMETER-FILTER
 deny ip host 0.0.0.0 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.0.2.0 0.0.0.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 224.0.0.0 31.255.255.255 any log-input
 deny ip any 127.0.0.0 0.255.255.255 log-input
 deny ip 192.135.0.0 0.0.0.255 any log-input
 permit ip any any

This is an example, not a complete list. This ACL does RFC 1918 filtering, loopback filtering, RFC 2827 (spoof) filtering, and filters some special-use addresses and multicast if you do not need it.

There are additional blocks such as bogons that should be filtered, then there are your particular requirements. The goal here is not to turn your edge device into a firewall but to allow only legitimate traffic. Other items to consider are the types of edge devices you are using; hopefully they are capable of performing this type of filtering in hardware.

This should get you started. Apply the ACL on the inbound side of the outside interface; your firewall will augment your packet filtering and enforce stateful inspection, no need to duplicate the filters.


harbor235  ;}
I found this doc for you for more information:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

I do not agree with all of it. I agree that most if not all should be filtered; however, my belief is that the filtering should be distributed throughout the layers of the network (if present; you may have a collapsed architecture).

harbor235 ;}

Thank you again for your quick response. I really appreciate it.

However, I remember someone telling me, when I tried implementing the above deny filters, that when there is an implicit deny after you have permitted all legitimate traffic, why then use deny statements at all? Simply allow all authorized traffic and the rest would be denied automatically by the implicit deny statement. Besides, how practical can adding deny statements be, since along with bogons there will be a whole lot of global IP ranges that would need to be blocked, right?

His logic made sense and from there on I was confused. I'm a little confused whether we need to write only permit ACLs and leave the deny to the implicit deny statement, or write a combination of allow + deny and then rely on the implicit deny to block the rest of the traffic.

In the above example, you used permit ip any any. Will it not permit the whole gamut of traffic which is unauthorized? Please clarify.

I'm attaching the ACLs from our firewall so that you can pick a few of them and teach me how I can begin writing them in our particular context, where I need to permit legitimate traffic and deny all (and log them also), and at the same time I should also be able to keep adding deny statements for those source addresses which we find suspicious from our IPS devices.

If you could please assist me in understanding how to write ACLs on edge routers and everything about them, I would really appreciate the effort and would certainly increase the points.

Thank you.
Firewall-ACLs.xls

But there are explicit denies before the permit any; it is not the same thing. ACLs are processed top down, so all the deny ACL lines are matched first, before the permit, thus filtering that type of traffic. And again, we can now log the attempts and pinpoint potential rogue sources. The method you are saying someone told you about would not allow you to see where the denied packets came from; they would be denied and never logged. We are denying first, then permitting. Do you see the difference?

You can do ACLs either way; however, my way allows you to log the sources for further action, i.e. black hole or sink hole routing, IDS/IDP notification and filtering throughout the infrastructure.

It all comes down to a layered approach to security; the edge device is not meant to filter everything. It filters some of the traffic and allows the rest to be filtered by other layers (in your case a firewall, and the distribution and access layers). The filters I have detailed will filter some of the traffic; the traffic that is allowed through will be filtered by your firewall.

I did forget another ACL deny statement that should be there. Ideally, you should carve up your IP space so that you can do smart filtering. I would have a dedicated subnet for all infrastructure devices so that no one from the outside could connect to any infrastructure device. So in the case of 192.135.0.0/24, perhaps a /26 would be used for pt-to-pt links, connector links, loopbacks, etc. So we could add the following:

ip access-list extended PERIMETER-FILTER
 deny ip any 192.135.0.0 0.0.0.63 log-input

This would stop anyone from connecting to your edge router and your firewall from the outside. They access the devices via VPN, or you allow SSH or some other secure protocol through from a specific host address, say 1.1.1.1:

ip access-list extended PERIMETER-FILTER
 deny ip host 0.0.0.0 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.0.2.0 0.0.0.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 224.0.0.0 31.255.255.255 any log-input
 deny ip any 127.0.0.0 0.255.255.255 log-input
 deny ip 192.135.0.0 0.0.0.255 any log-input
 permit ip host 1.1.1.1 192.135.0.0 0.0.0.63 log-input
 deny ip any 192.135.0.0 0.0.0.63 log-input
 permit ip any any

Do you see how that works?

Again, this is an example; security is/can be very complex, you have to consider your topology as well as your requirements. This is a legitimate ACL for an edge device; I would still add route filters and bogon filters.

Your list is very specific. My question to you would be: you have a firewall behind the edge router, so why are you trying to filter everything at the edge? My point of view is that every device is part of the overall security policy; distributing the workload allows you to conserve resources throughout your infrastructure, allowing for better performance and security.

harbor235 ;}
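The deny-first versus permit-only argument in the reply above, as an added Python example that is not part of the thread or of any Cisco code. It walks an ACL top down with IOS wildcard semantics and reports which entry matched and whether that entry logs; 192.135.0.0/24 and 1.1.1.1 are the thread's example addresses, and the permit-only ACL is a constructed counterpart for comparison.

```python
import ipaddress

# Constructed copy of the thread's PERIMETER-FILTER; 192.135.0.0/24 and the
# 1.1.1.1 management host are the thread's example values, not real ones.
PERIMETER_FILTER = """
deny ip host 0.0.0.0 any log-input
deny ip host 255.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.0.2.0 0.0.0.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip 192.135.0.0 0.0.0.255 any log-input
permit ip host 1.1.1.1 192.135.0.0 0.0.0.63 log-input
deny ip any 192.135.0.0 0.0.0.63 log-input
permit ip any any
"""
# Constructed permit-only ACL: allow the public half of the /24, rely on the implicit deny.
PERMIT_ONLY = "permit ip any 192.135.0.128 0.0.0.127"

def _addr_spec(tok, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (base, wild), i + 2

def _hits(spec, addr):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care

def parse_acl(text):
    """Parse 'action proto SRC DST [log|log-input]' lines into entries numbered 10, 20, ..."""
    entries = []
    for n, line in enumerate(l for l in text.strip().splitlines() if l.strip()):
        tok = line.split()                      # tok[0] action, tok[1] protocol
        src, i = _addr_spec(tok, 2)
        dst, i = _addr_spec(tok, i)
        entries.append({"seq": (n + 1) * 10, "action": tok[0], "src": src, "dst": dst,
                        "log": any(t.startswith("log") for t in tok[i:])})
    return entries

def evaluate(entries, src, dst):
    """First match wins, top down, as IOS walks an ACL. Falling off the end is
    the implicit deny: no sequence number to count against and never logged."""
    for e in entries:
        if _hits(e["src"], src) and _hits(e["dst"], dst):
            return e["action"], e["seq"], e["log"]
    return "deny", None, False

def compare(src, dst):
    """The same packet against the deny-first ACL and the permit-only ACL."""
    return {"deny_first": evaluate(parse_acl(PERIMETER_FILTER), src, dst),
            "permit_only": evaluate(parse_acl(PERMIT_ONLY), src, dst)}
```

compare("10.1.2.3", "192.135.0.200") returns ("deny", 30, True) for the deny-first ACL and ("permit", 10, False) for the permit-only one: the spoofed RFC 1918 source is stopped and logged by the first and passed silently by the second, while an outside host aimed at the infrastructure /26 is logged by the first and dropped without any record by the second.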

GR8!!!
I wish I knew your real name to thank you, as that would have been more personal. And thank you again for your prompt and patient response.

From what you have clarified and the way it is written, I really feel better in terms of my understanding of writing perimeter ACLs now. Your write-up has been full of insight and value addition and I can see it coming straight from sheer experience. Thanks again!!

I had one more question: what are these bogons, why doesn't the list contain all the ranges but only a few, and what is the logic behind their updates?

Please clarify, and I am increasing the points as promised.

Thank you.

A bogon is a prefix that should never appear in the Internet routing table, and they should never appear as a source address in any packets routed to your edge device. They are used as source addresses to perform DoS/DDoS attacks, or some try to use them in other illegal ways.

An example is the test ranges of prefixes that are recognized by ARIN (www.arin.net), the American Registry for Internet Numbers; this group assigns all IP blocks for the Americas. There are also other IP ranges that have not been allocated yet and should not be used. There is a great site for the complete list of bogon routes; they will also notify you when the list changes. I guess it all depends on your level of commitment to security; some use them, some do not, and then they wonder how their site went down.

http://www.team-cymru.org/Services/Bogons/    (for the list, look at the Bogon reference on the page)

They also have some ingress packet filtering references; great website for security.

harbor235 ;}  (check out my profile, I am a routing & switching and security professional)
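Turning a bogon list into ACL entries, and checking that an existing list really covers each prefix, as an added Python example that is not from the thread or from Team Cymru. The sample prefixes are the special-use ranges the thread itself discusses (a constructed list, not the live bogon feed), and the asker-style excerpt deliberately carries the too-narrow 0.0.0.255 wildcard on 10.0.0.0 seen earlier in the thread, to show the kind of mistake the coverage check catches.

```python
import ipaddress

def cidr_to_wildcard(cidr):
    """CIDR prefix -> the (address, wildcard) pair an IOS ACL entry takes;
    the wildcard is the bitwise inverse of the netmask."""
    net = ipaddress.IPv4Network(cidr)
    return str(net.network_address), str(net.hostmask)

def bogon_acl(name, prefixes):
    """Render a deny-then-permit source filter as an IOS named extended ACL."""
    lines = [f"ip access-list extended {name}"]
    for p in prefixes:
        addr, wild = cidr_to_wildcard(p)
        lines.append(f" deny ip {addr} {wild} any log-input")
    lines.append(" permit ip any any")
    return "\n".join(lines)

def _deny_spec(line):
    """Parse ' deny ip A W ...' into (base, care) ints; None for anything else."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "deny" or tok[2] in ("any", "host"):
        return None
    base = int(ipaddress.IPv4Address(tok[2]))
    care = ~int(ipaddress.IPv4Address(tok[3])) & 0xFFFFFFFF   # bits the entry checks
    return base, care

def uncovered(acl_text, prefixes):
    """Prefixes that no deny entry fully covers. An entry covers a prefix when it
    checks no host bit of the prefix and agrees with it on every bit it checks."""
    specs = [s for s in map(_deny_spec, acl_text.splitlines()) if s]
    missing = []
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        network, netmask = int(net.network_address), int(net.netmask)
        if not any(care & ~netmask & 0xFFFFFFFF == 0 and base & care == network & care
                   for base, care in specs):
            missing.append(p)
    return missing

# Constructed sample: the special-use ranges the thread discusses, not the live feed.
SAMPLE_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                 "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
                 "224.0.0.0/4", "240.0.0.0/4"]

# Constructed excerpt in the asker's style with the too-narrow wildcard seen
# earlier in the thread: 0.0.0.255 covers 10.0.0.0/24, not the whole /8.
ASKER_STYLE = """ip access-list extended Perimeter-Filter
 deny ip 10.0.0.0 0.0.0.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 permit ip any any"""

if __name__ == "__main__":
    print(bogon_acl("Perimeter-Filter", SAMPLE_BOGONS))
    print("not fully covered:", uncovered(ASKER_STYLE, SAMPLE_BOGONS))
```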
I'm clear with most of my initial doubts. One last question.

The filtering that we discussed thus far was for Internet-facing edge routers. What about WAN edge routers? Are there any publicised filters for such routers too?

Thank you.

Unless you have a private WAN (leased lines or MPLS), an Internet edge device and a WAN device are the same thing. If you have an MPLS or private network it is still important to filter at your edge with the same type of filters. Leaking of routes and traffic occurs; it's up to you to perform your due diligence to ensure a secure site.

harbor235 ;}

I have gathered the bogon list and got the below ACLs to roll out on the edge router. Can you review these and let me know if the order is fine and whether this will work?

If I have to roll out the same ACLs on the WAN edge router using IPLC, with 10.0.0.0 and 192.168.0.0 removed from the list (as we are using them), will it work?

ip access-list extended Perimeter-Filter
 deny ip 1.0.0.0 0.255.255.255 any log-input
 deny ip 2.0.0.0 0.255.255.255 any log-input
 deny ip 5.0.0.0 0.255.255.255 any log-input
 deny ip 7.0.0.0 0.255.255.255 any log-input
 deny ip 23.0.0.0 0.255.255.255 any log-input
 deny ip 27.0.0.0 0.255.255.255 any log-input
 deny ip 31.0.0.0 0.255.255.255 any log-input
 deny ip 36.0.0.0 0.255.255.255 any log-input
 deny ip 37.0.0.0 0.255.255.255 any log-input
 deny ip 39.0.0.0 0.255.255.255 any log-input
 deny ip 41.0.0.0 0.255.255.255 any log-input
 deny ip 42.0.0.0 0.255.255.255 any log-input
 deny ip 49.0.0.0 0.255.255.255 any log-input
 deny ip 50.0.0.0 0.255.255.255 any log-input
 deny ip 58.0.0.0 0.255.255.255 any log-input
 deny ip 59.0.0.0 0.255.255.255 any log-input
 deny ip 60.0.0.0 0.255.255.255 any log-input
 deny ip 70.0.0.0 0.255.255.255 any log-input
 deny ip 84.0.0.0 0.255.255.255 any log-input
 deny ip 86.0.0.0 0.255.255.255 any log-input
 deny ip 87.0.0.0 0.255.255.255 any log-input
 deny ip 88.0.0.0 0.255.255.255 any log-input
 deny ip 89.0.0.0 0.255.255.255 any log-input
 deny ip 90.0.0.0 0.255.255.255 any log-input
 deny ip 91.0.0.0 0.255.255.255 any log-input
 deny ip 92.0.0.0 0.255.255.255 any log-input
 deny ip 93.0.0.0 0.255.255.255 any log-input
 deny ip 94.0.0.0 0.255.255.255 any log-input
 deny ip 95.0.0.0 0.255.255.255 any log-input
 deny ip 96.0.0.0 0.255.255.255 any log-input
 deny ip 97.0.0.0 0.255.255.255 any log-input
 deny ip 98.0.0.0 0.255.255.255 any log-input
 deny ip 99.0.0.0 0.255.255.255 any log-input
 deny ip 100.0.0.0 0.255.255.255 any log-input
 deny ip 101.0.0.0 0.255.255.255 any log-input
 deny ip 102.0.0.0 0.255.255.255 any log-input
 deny ip 103.0.0.0 0.255.255.255 any log-input
 deny ip 104.0.0.0 0.255.255.255 any log-input
 deny ip 105.0.0.0 0.255.255.255 any log-input
 deny ip 106.0.0.0 0.255.255.255 any log-input
 deny ip 107.0.0.0 0.255.255.255 any log-input
 deny ip 108.0.0.0 0.255.255.255 any log-input
 deny ip 109.0.0.0 0.255.255.255 any log-input
 deny ip 110.0.0.0 0.255.255.255 any log-input
 deny ip 111.0.0.0 0.255.255.255 any log-input
 deny ip 112.0.0.0 0.255.255.255 any log-input
 deny ip 113.0.0.0 0.255.255.255 any log-input
 deny ip 114.0.0.0 0.255.255.255 any log-input
 deny ip 115.0.0.0 0.255.255.255 any log-input
 deny ip 116.0.0.0 0.255.255.255 any log-input
 deny ip 117.0.0.0 0.255.255.255 any log-input
 deny ip 118.0.0.0 0.255.255.255 any log-input
 deny ip 119.0.0.0 0.255.255.255 any log-input
 deny ip 120.0.0.0 0.255.255.255 any log-input
 deny ip 121.0.0.0 0.255.255.255 any log-input
 deny ip 122.0.0.0 0.255.255.255 any log-input
 deny ip 123.0.0.0 0.255.255.255 any log-input
 deny ip 124.0.0.0 0.255.255.255 any log-input
 deny ip 125.0.0.0 0.255.255.255 any log-input
 deny ip 126.0.0.0 0.255.255.255 any log-input
 deny ip 197.0.0.0 0.255.255.255 any log-input
 deny ip 201.0.0.0 0.255.255.255 any log-input

 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip host 255.255.255.255 any log-input
 deny ip 224.0.0.0 31.255.255.255 any log-input
 deny ip 240.0.0.0 15.255.255.255 any log-input
 deny ip 0.0.0.0 0.255.255.255 any log-input
 deny ip 169.254.0.0 0.0.255.255 any log-input
 deny ip 192.0.2.0 0.0.0.255 any log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input

 deny ip 172.20.0.0 0.0.255.255 any log-input
 deny ip 172.19.0.0 0.0.255.255 any log-input
 deny ip 203.36.134.226 63.255.255.255 any log-input

 permit tcp host 204.x.x.173 host 204.x.x.174 eq 179
 permit tcp host 204.x.x.173 host 204.x.x.174 eq 179

 permit ip any any

interface FastEthernet0/0
 ip access-group Perimeter-Filter in

Thanks :)
I assume you are removing the 10. and 192. because you are using them; yes, it will still work. Again, these are just filters.

If you are using certain 10.x.x.x and 192.x.x.x ranges, then allow them and deny the rest.

harbor235 ;}


Is there anything else you meant needs to be added when you said these are just filters?

Can something more be added to this to make it even more effective?

Thanks:)


This is a good start; this should be reevaluated periodically, learning from events that happen and staying plugged into the online security community. The website I provided you is very good for that.


harbor235 ;}

Thank you for your patience and support thus far. I really appreciate it.

I have posted another question on VPN, but no one seems to have replied to that question so far. I don't know why, though; the question is also not a tough one.

I don't know if this is appropriate to ask, but can I ask you, as the expert, to take up another question of mine, as I would feel comfortable with you having travelled so far.

Please let me know.

Thanks:)
ASKER CERTIFIED SOLUTION
harbor235 (United States of America)

This solution is only available to members.

Yes, we are done here. I will award you the points also. But can you tell me how I give you the link to my new question?

Thanks:)
I have sent you the link to my new question. And I'm awarding points to you for this question as said.
Thank you for all your support on this question. I'm looking forward to your reply to my next question, for which I have sent you the link.

Thanks:)
Let me know if you have got the points correctly. I see that 250 points have been awarded but I wanted to give 250 + 125 = 375...

Please let me know.

Last question: rolling out the above ACLs will not stop or affect traffic at the router that is already allowed by the upstream firewall, right?

Thanks:)


Right, it only filters what hits the interface where the ACL is applied, nothing more.

harbor235 ;}