Securing Your OSPF Network

Previous Table of Contents Next


Every access list has an implicit deny all (that is, everything not mentioned in the access list) statement at the end of the list to ensure that attributes that are not expressly permitted will be denied. When put together without descriptions of each line’s function, the completed access list will look like the following:

    access-list 101 permit udp 0.0.0.0 255.255.255.255    0.0.0.0 255.255. 255.255 eq 123    access-list 101 deny udp 0.0.0.0 255.255.255.255    0.0.0.0 255.255.255.255 eq 2049    access-list 101 deny tcp 0.0.0.0 255.255.255.255    0.0.0.0 255.255.255.255 eq 6001    access-list 101 deny tcp 0.0.0.0 255.255.255.255    0.0.0.0 255.255.255.255 eq 6002    access-list 101 deny tcp 0.0.0.0 255.255.255.255    0.0.0.0 255.255.255.255 eq 2001    access-list 101 deny tcp 0.0.0.0 255.255.255.255    0.0.0.0 255.255.255.255 eq 2002    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.13.2 0.0.0.0 eq 23    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.13.100 0.0.0.0 eq 21    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.13.100 0.0.0.0 eq 20    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.13.100 0.0.0.0 gt 1023    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.1.100 0.0.0.0 gt 1023    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.1.101 0.0.0.0 gt 1023    access-list 101 permit udp 0.0.0.0 255.255.255.255    125.50.13.100 0.0.0.0 gt 1023    access-list 101 permit udp 0.0.0.0 255.255.255.255    125.50.1.100 0.0.0.0 gt 1023    access-list 101 permit udp 0.0.0.0 255.255.255.255    125.50.1.101 0.0.0.0 gt 1023    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.13.100 0.0.0.0 eq 53    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.1.100 0.0.0.0 eq 53    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.13.100 0.0.0.0 eq 25    access-list 101 permit tcp 0.0.0.0 255.255.255.255    125.50.1.100 0.0.0.0 eq 25    access-list 101 permit tcp 56.1.0.18 0.0.0.1 125.50.1.100    0.0.0.0 eq 119    access-list 101 permit tcp 182.12.18.32 0.0.0.0 125.50.1.    100 0.0.0.0 eq 119    access-list 101 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0    255.255.255.255 

Applying Access Lists to Interfaces

After this access list has been loaded onto the router and stored into nonvolatile random-access memory (NVRAM), assign it to the appropriate interface. In this case study, traffic coming from the outside world via the serial 0 interface of the firewall router is filtered (via access list 101) before it is placed on the subnet 125.50.13.0 (Ethernet 0). Therefore, the access-group command, which assigns an access list to filter incoming connections, must be assigned to Ethernet 0 as shown here:

    interface ethernet 0    ip access-group 101 in 

To control outgoing access to the Internet from the network, define an access list and apply it to the outgoing packets on serial 0 interface of the firewall router. To do this, returning packets from hosts using Telnet or FTP must be allowed to access the firewall subnetwork 125.50.13.0.

Configuring the Firewall Communication Server

In this case study, the firewall communication server has a single inbound modem on line 2:

    interface Ethernet0    ip address 125.50.13.2 255.255.255.0    !    access-list 10 deny 125.50.14.0 0.0.0.255    access-list 10 permit 125.50.0.0 0.0.255.255    !    access-list 11 deny 125.50.13.2 0.0.0.0    access-list 11 permit 125.50.0.0 0.0.255.255    !    line 2    login tacacs    location FireWallCS#2    !    access-class 10 in    access-class 11 out    !    modem answer-timeout 60    modem InOut    telnet transparent    terminal-type dialup    flowcontrol hardware    stopbits 1    rxspeed 38400    txspeed 38400    !    tacacs-server host 125.50.1.100    tacacs-server host 125.50.1.101    tacacs-server extended    !    line vty 0 15    login tacacs 

Defining the Communication Server’s Access Lists

In this example, the network number is used to permit or deny access; therefore, standard IP access list numbers (range 1 through 99) are used. For incoming connections to modem lines, only packets from hosts on the internal Class B network and packets from those hosts on the firewall subnetwork are permitted:

    access-list 10 deny 125.50.14.0 0.0.0.255    access-list 10 permit 125.50.0.0 0.0.255.255 

Outgoing connections are allowed only to internal network hosts and to the communication server. This prevents a modem line in the outside world from calling out on a second modem line:

    access-list 11 deny 125.50.13.2 0.0.0.0    access-list 11 permit 125.50.0.0 0.0.255.255 

Applying Access Lists to Lines

Apply an access list to an asynchronous line with the access-class command. In this case study, the restrictions from access list 10 are applied to incoming connections on line 2. The restrictions from access list 11 are applied to outgoing connections on line 2:

    access-class 10 in    access-class 11 out 

Spoofing & In Bound Access Lists

In Software Release 9.21, Cisco introduced the ability to assign input access lists to an interface. This enables a network administrator to filter packets before they enter the router instead of as they leave the router. In most cases, input access lists and output access lists accomplish the same functionality. However, input access lists are considered more intuitive by some people and can be used to protect some types of IP address from “spoofing,” whereas output access lists will not provide sufficient security.

Figure 10-4 illustrates a cyber thief host that is “spoofing,” or illegally claiming to be an address that it is not. Someone in the outside world is claiming to originate traffic from network 125.50.13.0. Although the IP address is spoofed, the router interface to the outside world assumes that the packet is coming from 125.50.13.0. If the input access list on the router allows traffic coming from 125.50.13.0, it will accept the illegal packet.


Figure 10-4  Spoofing example.


Previous Table of Contents Next




OSPF Network Design Solutions
OSPF Network Design Solutions
ISBN: 1578700469
EAN: 2147483647
Year: 1998
Pages: 200
Authors: Tom Thomas

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net