Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access

Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access

The following is an access list that takes the preceding section's access lists and incorporates inbound access to a screened subnet containing web, mail, and DNS servers. This example would most likely be used for a lower-risk, lower-budget network that needs to use its router as its sole security device. By using an additional interface to serve as a "screened subnet," we allow increased protection while implementing publicly accessible services. All public access servers are assumed to be properly hardened , and because of their volatile nature, any available defense- in-depth measures should be implemented.

In this initial section, we disable unneeded global services. These commands must be configured in global configuration mode:

no service finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers

Next are all the commands to be applied directly to the external serial interface, including the access- group commands that apply the inbound and outbound filters to it. The serial 0 interface is the one that connects the router to the Internet. We also stop all services to be disabled at the interface configuration level.

interface serial 0
 ip access-group filterin in
 ip access-group filterout out

 no snmp
 no ip direct-broadcast
 no ip redirects
 no ip unreachables
 no cdp enable

Next is the filterin access list, which includes antispoofing commands. This list is followed by ingress lines that allow any web, SMTP, or DNS inbound traffic to the server that handles such a request. It next allows ICMP packet-too-big packets, followed by an evaluate packets line that reflexively examines any remaining inbound traffic to see if it matches any of the currently temporarily formed reflexive access lists that filterout created . This is followed by a statement to log all denied inbound packets.

ip access-list extended filterin
deny ip 190.190.190.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp any host 200.200.200.2 eq 80
permit tcp any host 200.200.200.3 eq 25
permit tcp any host 200.200.200.4 eq 53
permit udp any host 200.200.200.4 eq 53
permit icmp any any packet-too-big
evaluate packets
deny ip any any log-input

Filterout is next, and it starts by allowing response traffic back from the web, mail, and DNS servers. Notice the est (established) keyword at the end of these lists. This confirms that only replies are leaving the servers, behaving like an egress list for our screened subnet. Following that is the reflexive access lines that permit outbound traffic and create the reflexive lists that allow inbound traffic. To grant other services outbound access, you would need to add a reflexive access list here. Filterout is ended with an ICMP filter allowing packet-too-big messages to go through.

ip access-list extended filterout
permit tcp host 200.200.200.2 eq 80 any gt 1023 est
permit tcp host 200.200.200.3 eq 25 any gt 1023 est
permit udp host 200.200.200.4 eq 53 any gt 1023
permit tcp any any eq 21 reflect packets
permit tcp any any eq 22 reflect packets
permit tcp any any eq 23 reflect packets
permit tcp any any eq 25 reflect packets
permit tcp any any eq 53 reflect packets
permit tcp any any eq 80 reflect packets
permit tcp any any eq 110 reflect packets
permit tcp any any eq 119 reflect packets
permit tcp any any eq 143 reflect packets
permit tcp any any eq 443 reflect packets
permit udp any any eq 53 reflect packets
permit icmp any any packet-too-big

Progressing to interface ethernet 0 , no outbound list is applied; therefore, any traffic that matches the private network's address range is passed on.

interface ethernet 0
 ip access-group filterin1 in

Filterin1 is applied inbound to the ethernet 0 interface. Filterin1 contains an egress filter, only allowing traffic that is addressed from the private network's address range to be forwarded to the serial interface. It also contains a deny statement, logging all nonstandard egress traffic.

ip access-list extended filterin1
permit ip 190.190.190.0 0.0.0.255 any
deny ip any any log-input

Ethernet 1 contains filterout2 and filterin2 .

Filterout2 permits network traffic in from the Internet to be forwarded to the web server if it's HTTP traffic, to the mail server if it's SMTP traffic, and to the external DNS server if it's DNS traffic. Notice that these first three lines serve as a basic ingress filter. Filterout2 also permits ICMP packet-too-big messages to pass and supports logging of undesirables through its last statement.

interface ethernet 1
ip access-group filterout2 out
ip access-group filterin2 in

ip access-list extended filterout2
permit tcp any gt 1023 host 200.200.200.2 eq 80
permit tcp any gt 1023 host 200.200.200.3 eq 25
permit tcp any host 200.200.200.4 eq 53
permit udp any host 200.200.200.4 eq 53
permit icmp any 200.200.200.0 0.0.0.255 packet-too-big
deny ip any any log-input

Filterin2 allows reply traffic from each of the three public servers out to the serial interface. This serves as a basic egress filter. Packet-too-big messages are also forwarded. The deny any 190.190.190.0 line disables communications between the screened subnet and your private network. This is necessary because the outbound traffic on ethernet 0 is open to the screened subnet. The next lines allow SMTP and DNS traffic from their particular servers to the Internet. Serial 1 's filterout then passes this traffic through its reflexive access lists so that it will have the same level of protection as the private network's outbound traffic. If any other outbound traffic is desired from the screened subnet, this is where additional filters are added. These additional filters are added after the deny statement that prevents everything except reply traffic from entering the private segment, but before the last statement that logs undesirables. DNS support for the private segment would most likely be handled internally (split DNS) or by an outside party. No DNS zone transfers would take place between the private and screened subnets.

ip access-list extended filterin2
permit tcp host 200.200.200.2 eq 80 any gt 1023 est
permit tcp host 200.200.200.3 eq 25 any gt 1023 est
permit udp host 200.200.200.4 eq 53 any gt 1023
permit icmp 200.200.200.0 0.0.0.255 any packet-too-big
deny ip any 190.190.190.0 0.0.0.255
permit tcp host 200.200.200.4 any eq 53
permit udp host 200.200.200.4 any eq 53
permit tcp host 200.200.200.3 any eq 25
deny ip any any log-input

In the preceding example, the following information is assumed:

• This list is a template with suggestions; it shouldn't be considered a full solution for any particular network.

• The screened subnet's network number is 200.200.200.0.

• The internal private network number is 190.190.190.0.

• The screened subnet's web server's address is 200.200.200.2.

• The screened subnet's SMTP mail server's address is 200.200.200.3.

• The screened subnet's DNS server's address is 200.200.200.4.

• No other hosts are on the screened subnet.

• We have three router interfaces: a serial 0 interface that connects us to the Internet, an ethernet 0 interface that connects us to our private network, and an ethernet 1 interface that connects us to our screened subnet.

• We want to limit the outbound traffic (and return traffic) to the services that are listed in filterout .

• We want to limit our ICMP message interactions to make packet-too-big statements the only type we allow outnone is allowed back in. ( Ping and traceroute are disallowed internally.)

• Any use of FTP outbound requires a PASV (or passive) FTP client and server support for the same.

• The listing format used for the access list information is for easier reading.

Listing A.2 shows the complete router access list.

Listing A.2. The Router Access List for a Screened Subnet Network That Allows Public Server Internet Access

no service finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers

interface serial 0
ip access-group filterin in
ip access-group filterout out

no snmp
no ip direct-broadcast
no ip redirects
no ip unreachables
no cdp enable

ip access-list extended filterin
deny ip 190.190.190.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
permit tcp any host 200.200.200.2 eq 80
permit tcp any host 200.200.200.3 eq 25
permit udp any host 200.200.200.4 eq 53
permit icmp any any packet-too-big
evaluate packets
deny ip any any log-input

ip access-list extended filterout
permit tcp host 200.200.200.2 eq 80 any gt 1023 est
permit tcp host 200.200.200.3 eq 25 any gt 1023 est
permit udp host 200.200.200.4 eq 53 any gt 1023
permit tcp any any eq 21 reflect packets
permit tcp any any eq 22 reflect packets
permit tcp any any eq 23 reflect packets
permit tcp any any eq 25 reflect packets
permit tcp any any eq 53 reflect packets
permit tcp any any eq 80 reflect packets
permit tcp any any eq 110 reflect packets
permit tcp any any eq 119 reflect packets
permit tcp any any eq 143 reflect packets
permit tcp any any eq 443 reflect packets
permit udp any any eq 53 reflect packets
permit icmp any any packet-too-big


interface ethernet 0
ip access-group filterin1 in

ip access-list extended filterin1
permit ip 190.190.190.0 0.0.0.255 any
deny ip any any log-input

interface ethernet 1
ip access-group filterout2 out
ip access-group filterin2 in

ip access-list extended filterout2
permit tcp any gt 1023 host 200.200.200.2 eq 80
permit tcp any gt 1023 host 200.200.200.3 eq 25
permit tcp any host 200.200.200.4 eq 53
permit udp any host 200.200.200.4 eq 53
permit icmp any 200.200.200.0 0.0.0.255 packet-too-big
deny ip any any log-input

ip access-list extended filterin2
permit tcp host 200.200.200.2 eq 80 any gt 1023 est
permit tcp host 200.200.200.3 eq 25 any gt 1023 est
permit udp host 200.200.200.4 eq 53 any gt 1023
permit icmp 200.200.200.0 0.0.0.255 any packet-too-big
deny ip any 190.190.190.0 0.0.0.255
permit tcp host 200.200.200.4 any eq 53
permit udp host 200.200.200.4 any eq 53
permit tcp host 200.200.200.3 any eq 25
deny ip any any log-input