Complete Access List for a Private-Only Network


The following sample access list is appropriate for a network that has outbound and return traffic only, with no public servers or screened subnets. Most likely, this network is a low-risk/low-budget setup in which security is not the first priority. Therefore, a single inexpensive security device is chosen. For an example of an access list that works with public servers, see the next section. Both are designed to work on a Cisco router that runs IOS version 12.0 or later. We begin with the global commands that disable services the router does not need.

 no ip source-route
 no service tcp-small-servers
 no service udp-small-servers
 no service finger

Next are all the commands to be applied directly to the external serial interface, including the access-group commands that apply the inbound and outbound filters to it. The serial 0 interface connects the router to the Internet. We also stop all services that need to be disabled at the interface configuration level.

 interface serial 0
  ip access-group filterin in
  ip access-group filterout out
  no cdp enable
  no snmp
  no ip directed-broadcast
  no ip redirects
  no ip unreachables

The next section is an inbound, reflexive access list called filterin, which begins with an ingress filter to prevent spoofing: it denies packets arriving from the Internet that claim our own internal range, the RFC 1918 private ranges, loopback, multicast, or a zero source address. It is followed by a permit statement that only allows in ICMP packet-too-big messages. Filterin concludes with an evaluate packets statement, which checks the reflexive list "packets" to see whether the incoming traffic matches it and will be permitted through. Any traffic that fails the evaluate packets check is dropped by the implied deny all. However, we append a deny ip any any log-input statement so that we can keep track of all denied traffic. If you wanted to open any other services or ports inbound, the permit statements would be added here, before the evaluate packets line.

 ip access-list extended filterin
  deny ip 190.190.190.0 0.0.0.255 any
  deny ip 10.0.0.0 0.255.255.255 any
  deny ip 127.0.0.0 0.255.255.255 any
  deny ip 172.16.0.0 0.15.255.255 any
  deny ip 192.168.0.0 0.0.255.255 any
  deny ip 224.0.0.0 15.255.255.255 any
  deny ip host 0.0.0.0 any
  permit icmp any any packet-too-big
  evaluate packets
  deny ip any any log-input

Filterout is next. It is the outbound reflexive access list that was applied to interface serial 0. It lists all the traffic types we are allowing out of our network. Each permit statement that ends in reflect packets records the outbound flow in the reflexive list "packets", and the evaluate packets statement in the filterin access list then uses that list to determine the return traffic that is allowed back in. You might notice that the last statement under filterout is an ICMP packet-too-big statement. This statement allows outbound packet-too-big messages to other routers that send acceptable return traffic but with too large a packet size. This statement is not reflexively inspected; therefore, it doesn't allow for return traffic. ICMP traffic has varying results when it is used in a reflexive access list, so for most applications, it is best to simply apply ICMP in individual inbound and outbound nonreflexive access lists. If your security policy specifies any other outbound traffic (and in turn, return traffic) that isn't already listed here, you can add the permit statements to the bottom of the list, following the pattern of the other reflexive statements. To make sure that a statement is treated reflexively, verify that it ends with the keyword reflect followed by the identifying list name packets.

 ip access-list extended filterout
  permit tcp any any eq 21 reflect packets
  permit tcp any any eq 22 reflect packets
  permit tcp any any eq 23 reflect packets
  permit tcp any any eq 25 reflect packets
  permit tcp any any eq 53 reflect packets
  permit tcp any any eq 80 reflect packets
  permit tcp any any eq 110 reflect packets
  permit tcp any any eq 119 reflect packets
  permit tcp any any eq 143 reflect packets
  permit tcp any any eq 443 reflect packets
  permit udp any any eq 53 reflect packets
  permit icmp any any packet-too-big

The ethernet 0 interface is configured and has extended access list number 112 applied inbound as an egress filter, only allowing packets to pass whose source addresses fall within the internal network's address range. This prevents programs that spoof source addresses when performing malicious actions from being able to leave your network. This way, you remain a good Internet neighbor. An extended access list format was chosen because it facilitates the use of the log-input keyword. Notice that we add a deny ip any any log-input rule to track inappropriate traffic as it attempts to exit the network segment; log-input additionally records the source MAC address and input interface of each denied packet.

 interface ethernet 0
  ip access-group 112 in
 access-list 112 permit ip 190.190.190.0 0.0.0.255 any
 access-list 112 deny ip any any log-input

In the previous examples, the following information is assumed:

  • We have two router interfaces: a serial 0 interface that connects us to the Internet and an ethernet 0 interface that connects us to our private network.

  • This list is a template with suggestions; it shouldn't be considered a full solution for any particular network.

  • We want to limit the outbound traffic (and return traffic) to the services that are listed in filterout.

  • The internal private network number is 190.190.190.0.

  • We want to limit our ICMP message interactions so that packet-too-big is the only type we allow out; none is allowed back in. (Ping and Traceroute are disallowed internally.)

  • Any use of FTP outbound requires a passive (PASV) FTP client and server support for the same.

  • The listing format used for the access list information is for easier reading.
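To make the first-match and reflexive semantics of the filterin, filterout and 112 lists above concrete, the following Python model walks constructed packets through them. This is an added example, not code from the book or from Cisco IOS: it parses the subset of extended-ACL syntax the listing uses, applies Cisco wildcard masks, and models a reflect entry as a mirrored five-tuple that evaluate later consults. The addresses 190.190.190.5 and 203.0.113.10, the ports, and the shortened filterout are constructed for the demonstration; timeouts, TCP flag handling and logging are deliberately not modelled.

```python
"""Model first-match evaluation of the filterin / filterout / 112 access lists,
including the reflexive 'reflect' / 'evaluate' pairing. Added example, not the
book's or IOS's code; all packet values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    action: str            # permit | deny | evaluate
    proto: str = None      # ip | tcp | udp | icmp
    src: str = None        # 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'
    dst: str = None
    dport: int = None      # from 'eq N' following the destination spec
    icmp_type: str = None  # e.g. packet-too-big
    reflect: str = None    # reflexive list name (reflect NAME / evaluate NAME)
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = None


def wildcard_match(addr, spec):
    """Cisco wildcard mask: a set bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == second
    care = ~int(ipaddress.IPv4Address(second)) & 0xFFFFFFFF   # second = wildcard
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(first)) & care)


def _take_spec(tok):
    first = tok.pop(0)
    return "any" if first == "any" else first + " " + tok.pop(0)


def parse_acl(text):
    """Parse the subset of extended-ACL lines used in the listing."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list":        # numbered form: drop 'access-list 112'
            tok = tok[2:]
        if tok[0] == "evaluate":
            rules.append(Rule("evaluate", reflect=tok[1]))
            continue
        r, tok = Rule(tok[0], tok[1]), tok[2:]
        r.src, r.dst = _take_spec(tok), _take_spec(tok)
        while tok:
            t = tok.pop(0)
            if t == "eq":
                r.dport = int(tok.pop(0))
            elif t == "reflect":
                r.reflect = tok.pop(0)
            elif t == "log-input":
                r.log = True
            else:
                r.icmp_type = t
        rules.append(r)
    return rules


def _matches(r, p):
    return ((r.proto == "ip" or r.proto == p.proto)
            and wildcard_match(p.src, r.src) and wildcard_match(p.dst, r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.icmp_type is None or r.icmp_type == p.icmp_type))


def apply_acl(rules, p, state):
    """First match wins; an unmatched packet hits the implicit deny.
    state maps a reflexive list name to the set of return flows it permits."""
    for r in rules:
        if r.action == "evaluate":
            if (p.proto, p.src, p.sport, p.dst, p.dport) in state[r.reflect]:
                return "permit"
            continue
        if not _matches(r, p):
            continue
        if r.action == "permit" and r.reflect:
            # record the mirror of this flow so its reply can come back in
            state[r.reflect].add((p.proto, p.dst, p.dport, p.src, p.sport))
        return r.action
    return "deny"


FILTERIN = """
deny ip 190.190.190.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip host 0.0.0.0 any
permit icmp any any packet-too-big
evaluate packets
deny ip any any log-input
"""
FILTEROUT = """
permit tcp any any eq 22 reflect packets
permit tcp any any eq 80 reflect packets
permit udp any any eq 53 reflect packets
permit icmp any any packet-too-big
"""
ACL112 = """
access-list 112 permit ip 190.190.190.0 0.0.0.255 any
access-list 112 deny ip any any log-input
"""


def demo():
    """Walk constructed packets through the three lists; returns verdicts."""
    fin, fout, egress = parse_acl(FILTERIN), parse_acl(FILTEROUT), parse_acl(ACL112)
    state = defaultdict(set)
    inside, web = "190.190.190.5", "203.0.113.10"          # constructed hosts
    web_req = Packet("tcp", inside, web, 40000, 80)
    web_reply = Packet("tcp", web, inside, 80, 40000)
    return {
        "egress ok": apply_acl(egress, web_req, state),
        "egress spoof": apply_acl(egress, Packet("tcp", "10.1.1.1", web, 40000, 80), state),
        "out http": apply_acl(fout, web_req, state),       # creates the reflexive entry
        "in reply": apply_acl(fin, web_reply, state),      # passes via 'evaluate packets'
        "in unsolicited": apply_acl(fin, Packet("tcp", web, inside, 4444, 22), state),
        "in spoofed": apply_acl(fin, Packet("tcp", "190.190.190.9", inside, 80, 40000), state),
        "in ptb": apply_acl(fin, Packet("icmp", web, inside, icmp_type="packet-too-big"), state),
        "out ping": apply_acl(fout, Packet("icmp", inside, web, icmp_type="echo"), state),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

Run it and the verdicts show the design intent of the listing: the web request leaves, its reply is admitted only because the reflect entry exists, an unsolicited inbound SSH connection and an inbound packet claiming an internal source are both dropped by the final deny, and outbound ping is denied because filterout has no echo rule.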

Listing A.1 shows the complete router access list.

Listing A.1. The Complete Router Access List for a Private-Only Network
 no ip source-route
 no service tcp-small-servers
 no service udp-small-servers
 no service finger
 interface serial 0
  ip access-group filterin in
  ip access-group filterout out
  no cdp enable
  no snmp
  no ip directed-broadcast
  no ip redirects
  no ip unreachables
 ip access-list extended filterin
  deny ip 190.190.190.0 0.0.0.255 any
  deny ip 10.0.0.0 0.255.255.255 any
  deny ip 127.0.0.0 0.255.255.255 any
  deny ip 172.16.0.0 0.15.255.255 any
  deny ip 192.168.0.0 0.0.255.255 any
  deny ip 224.0.0.0 15.255.255.255 any
  deny ip host 0.0.0.0 any
  permit icmp any any packet-too-big
  evaluate packets
  deny ip any any log-input
 ip access-list extended filterout
  permit tcp any any eq 21 reflect packets
  permit tcp any any eq 22 reflect packets
  permit tcp any any eq 23 reflect packets
  permit tcp any any eq 25 reflect packets
  permit tcp any any eq 53 reflect packets
  permit tcp any any eq 80 reflect packets
  permit tcp any any eq 110 reflect packets
  permit tcp any any eq 119 reflect packets
  permit tcp any any eq 143 reflect packets
  permit tcp any any eq 443 reflect packets
  permit udp any any eq 53 reflect packets
  permit icmp any any packet-too-big
 interface ethernet 0
  ip access-group 112 in
 access-list 112 permit ip 190.190.190.0 0.0.0.255 any
 access-list 112 deny ip any any log-input
    Inside Network Perimeter Security
    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230