Securing Your OSPF Network

Previous Table of Contents Next


The following access list examples are designed based upon many of the well-known port numbers found within the TCP/IP protocol stack. For a list of some of the more common well-known port numbers, refer to Table 10-2, which appears later in the case study.


Notes:  
Port 111 is only a directory service. If you can guess the ports on which the actual data services are provided, you can access them. Most RPC services do not have fixed port numbers. You should find the ports on which these services can be accessed and block them. Unfortunately, because ports can be bound anywhere, Cisco recommends blocking all UDP ports except DNS where practical.

Cisco recommends that you filter the finger TCP service at port 79 to prevent outsiders from learning about internal user directories and the names of hosts from which users log in.


The following two access-list commands will allow Domain Name System (DNS, port 53) and Network Time Protocol (NTP, port 123) requests and replies based upon their TCP/IP port addresses:

    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 eq 53    access-list 101 permit udp 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 eq 123 

The following command denies the Network File Server (NFS) User Datagram Protocol (UDP, port 2049) port:

    access-list 101 deny udp 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 eq 2049 

The following commands deny OpenWindows on ports 2001 and 2002 and deny X11 on ports 6001 and 6002. This protects the first two screens on any host. If you have any machine that uses more than the first two screens, be sure to block the appropriate ports.

    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.    255.255 eq 6001    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.    255.255 eq 6002    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.    255.255 eq 2001    access-list 101 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.    255.255 eq 2002 

The following command permits Telnet access from anyone to the communication server (125.50.13.2):

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.2 0.0.0.0    eq 23 

The following commands permit FTP access from anyone to the host 125.50.13.100 on subnet 125.50.13.0:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100    0.0.0.0 eq 21    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100    0.0.0.0 eq 20 

For the following examples, network 125.50.1.0 is on the internal network as shown in Figure 10-3.

The following access-list commands permit TCP and UDP connections for port numbers greater than 1023 to a very limited set of hosts. Make sure no communication servers or protocol translators are in this list.

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100    0.0.0.0 gt 1023    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100     0.0.0.0 gt 1023    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.101    0.0.0.0 gt 1023    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.13.100    0.0.0.0 gt 1023    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.1.100    0.0.0.0 gt 1023    access-list 101 permit udp 0.0.0.0 255.255.255.255 125.50.1.101    0.0.0.0 gt 1023 

Standard FTP uses ports above 1023 for their data connections; therefore, for standard FTP operation, ports above 1023 must all be open. For more details, see the File Transfer (FTP) Port Questions later in the “Additional Firewall Security Considerations” section of this case study.

The following access-list commands permit DNS access to the DNS server(s) listed by the Network Information Center (NIC):

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100    0.0.0.0 eq 53    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100    0.0.0.0 eq 53 

The following commands permit incoming Simple Mail Transfer Protocol (SMTP) e-mail to only a few machines:

    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.13.100    0.0.0.0 eq 25    access-list 101 permit tcp 0.0.0.0 255.255.255.255 125.50.1.100    0.0.0.0 eq 25 

The following commands allow internal Network News Transfer Protocol (NNTP) servers to receive NNTP connections from a list of authorized peers:

    access-list 101 permit tcp 56.1.0.18 0.0.0.1 125.50.1.    100 0.0.0.0 eq 119    access-list 101 permit tcp 182.12.18.32 0.0.0.0 125.50.1.    100 0.0.0.0 eq 119 

The following command permits Internet Control Message Protocol (ICMP) for error message feedback:

    access-list 101 permit icmp 0.0.0.0 255.255.255.255    0.0.0.0 255.255.255.255 


Previous Table of Contents Next




OSPF Network Design Solutions
OSPF Network Design Solutions
ISBN: 1578700469
EAN: 2147483647
Year: 1998
Pages: 200
Authors: Tom Thomas

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net