Implement Access Control Lists

Properly implemented access control lists (ACLs) on your routers provide packet-filtering capabilities without the stateful functionality of a full-featured firewall. Consequently, I think of ACLs on routers as being part of a firewall system, where the router is performing initial packet-filtering functionality in front of a firewall that is providing the full-bore stateful filtering or application proxy functionality. Implementing ACLs, including specific examples, will be covered in much more detail in Chapter 6. However, here are some types of access you should filter with your ACLs immediately:

• Block RFC1918 addresses at your perimeter, including the following:

  • 0.0.0.0/8

  • 10.0.0.0/8

  • 169.254.0.0/16

  • 172.16.0.0/20

  • 192.168.0.0/16

• Block bogon addresses. The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. A current list of bogon networks can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry with the term reserved or unallocated should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use.

• Implement spoof protection.

• Implement TCP SYN attack protection.

• Implement LAND attack protection.

• Implement Smurf attack protection.

• Implement ICMP filtering.

• Block multicast traffic if it is not needed.

• Implement ACLs to control Virtual Type Terminal (VTY) access (Telnet and SSH).

• Implement ACLs to control who can manage the router via SNMP.