Complete Access List for a Screened Subnet Network That Allows Public Server Internet Access


The following is an access list that takes the preceding section's access lists and incorporates inbound access to a screened subnet containing web, mail, and DNS servers. This example would most likely be used for a lower-risk, lower-budget network that needs to use its router as its sole security device. By using an additional interface to serve as a "screened subnet," we gain increased protection while still offering publicly accessible services. All public access servers are assumed to be properly hardened, and because they are directly exposed to the Internet, any available defense-in-depth measures should be implemented on them.

In this initial section, we disable unneeded global services. These commands must be configured in global configuration mode:

 no service finger
 no ip source-route
 no service tcp-small-servers
 no service udp-small-servers

Next are all the commands to be applied directly to the external serial interface, including the access-group commands that apply the inbound and outbound filters to it. The serial 0 interface is the one that connects the router to the Internet. We also disable, at the interface configuration level, the services that should be turned off there.

 interface serial 0
  ip access-group filterin in
  ip access-group filterout out
  no snmp
  no ip directed-broadcast
  no ip redirects
  no ip unreachables
  no cdp enable

Next is the filterin access list, which begins with antispoofing entries. These are followed by ingress lines that allow inbound web, SMTP, or DNS traffic only to the server that handles that service. The list then allows ICMP packet-too-big packets, followed by an evaluate packets line that reflexively examines any remaining inbound traffic to see whether it matches one of the temporary reflexive access list entries that filterout created. The list ends with a statement that logs all denied inbound packets.

 ip access-list extended filterin
  deny ip 190.190.190.0 0.0.0.255 any
  deny ip 10.0.0.0 0.255.255.255 any
  deny ip 127.0.0.0 0.255.255.255 any
  deny ip 172.16.0.0 0.15.255.255 any
  deny ip 192.168.0.0 0.0.255.255 any
  deny ip 224.0.0.0 15.255.255.255 any
  deny ip host 0.0.0.0 any
  permit tcp any host 200.200.200.2 eq 80
  permit tcp any host 200.200.200.3 eq 25
  permit tcp any host 200.200.200.4 eq 53
  permit udp any host 200.200.200.4 eq 53
  permit icmp any any packet-too-big
  evaluate packets
  deny ip any any log-input
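To make the first-match semantics of filterin concrete, the following is an added example (not from the book) that parses the plain ip/tcp/udp entries above in IOS syntax, applies the inverse wildcard masks, and evaluates constructed sample packets against them; the ICMP and reflexive (evaluate) entries are left out because the evaluator does not model them.

```python
import ipaddress
# Constructed excerpt of the book's filterin list (ICMP and reflexive entries omitted).
FILTERIN = """
deny ip 190.190.190.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit tcp any host 200.200.200.2 eq 80
permit tcp any host 200.200.200.3 eq 25
permit tcp any host 200.200.200.4 eq 53
permit udp any host 200.200.200.4 eq 53
deny ip any any log-input
"""

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' (IOS wildcard: 1 bits are don't-care)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: ip == target), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    care = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF  # bits that must match
    return (lambda ip: (ip & care) == (base & care)), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq N' / 'gt N' qualifier; return (match(port), remaining)."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, n = tokens[0], int(tokens[1])
        return (lambda p: p == n if op == "eq" else p > n), tokens[2:]
    return (lambda p: True), tokens

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, _ = parse_port(rest)  # trailing keywords such as log-input are ignored
        rules.append((action, proto, src, sport, dst, dport, line))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; like IOS, an unmatched packet hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rproto, fs, fsp, fd, fdp, line in rules:
        if rproto in ("ip", proto) and fs(s) and fsp(sport) and fd(d) and fdp(dport):
            return action, line
    return "deny", "implicit deny"
```

Running `evaluate(parse_acl(FILTERIN), "tcp", "10.1.2.3", 40000, "200.200.200.2", 80)` shows that a spoofed RFC 1918 source is stopped by the antispoofing entry before the web permit is ever consulted, which is why those entries must come first.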

Filterout is next, and it starts by allowing response traffic back from the web, mail, and DNS servers. Notice the est (established) keyword at the end of these entries. It confirms that only replies are leaving the servers, so these entries behave like an egress list for our screened subnet. Following them are the reflexive access entries that permit outbound traffic and create the temporary reflexive entries that allow the corresponding inbound replies. To grant other services outbound access, you would add a reflexive access entry here. Filterout ends with an ICMP entry allowing packet-too-big messages to go through.

 ip access-list extended filterout
  permit tcp host 200.200.200.2 eq 80 any gt 1023 est
  permit tcp host 200.200.200.3 eq 25 any gt 1023 est
  permit udp host 200.200.200.4 eq 53 any gt 1023
  permit tcp any any eq 21 reflect packets
  permit tcp any any eq 22 reflect packets
  permit tcp any any eq 23 reflect packets
  permit tcp any any eq 25 reflect packets
  permit tcp any any eq 53 reflect packets
  permit tcp any any eq 80 reflect packets
  permit tcp any any eq 110 reflect packets
  permit tcp any any eq 119 reflect packets
  permit tcp any any eq 143 reflect packets
  permit tcp any any eq 443 reflect packets
  permit udp any any eq 53 reflect packets
  permit icmp any any packet-too-big

Moving on to interface ethernet 0, no outbound list is applied there; therefore, any traffic routed toward the private network's address range is passed on unfiltered.

 interface ethernet 0
  ip access-group filterin1 in

Filterin1 is applied inbound on the ethernet 0 interface. It is an egress filter, allowing only traffic sourced from the private network's address range to be forwarded to the serial interface. It also contains a deny statement that logs all nonstandard egress traffic.

 ip access-list extended filterin1
  permit ip 190.190.190.0 0.0.0.255 any
  deny ip any any log-input

Ethernet 1 carries two lists: filterout2 (applied outbound) and filterin2 (applied inbound).

Filterout2 permits network traffic arriving from the Internet to be forwarded to the web server if it is HTTP traffic, to the mail server if it is SMTP traffic, and to the external DNS server if it is DNS traffic. Notice that these first three lines serve as a basic ingress filter. Filterout2 also permits ICMP packet-too-big messages to pass and logs undesirables through its last statement.

 interface ethernet 1
  ip access-group filterout2 out
  ip access-group filterin2 in

 ip access-list extended filterout2
  permit tcp any gt 1023 host 200.200.200.2 eq 80
  permit tcp any gt 1023 host 200.200.200.3 eq 25
  permit tcp any host 200.200.200.4 eq 53
  permit udp any host 200.200.200.4 eq 53
  permit icmp any 200.200.200.0 0.0.0.255 packet-too-big
  deny ip any any log-input

Filterin2 allows reply traffic from each of the three public servers out to the serial interface; this serves as a basic egress filter. Packet-too-big messages are also forwarded. The deny ip any 190.190.190.0 line disables communications between the screened subnet and your private network. This is necessary because outbound traffic on ethernet 0 is unfiltered and therefore open to the screened subnet. The next lines allow SMTP and DNS traffic from their respective servers out to the Internet. Serial 0's filterout then passes this traffic through its reflexive access lists so that it receives the same level of protection as the private network's outbound traffic.

If any other outbound traffic is desired from the screened subnet, this is where additional filters are added: after the deny statement that prevents everything except reply traffic from entering the private segment, but before the last statement that logs undesirables. DNS support for the private segment would most likely be handled internally (split DNS) or by an outside party; no DNS zone transfers would take place between the private and screened subnets.

 ip access-list extended filterin2
  permit tcp host 200.200.200.2 eq 80 any gt 1023 est
  permit tcp host 200.200.200.3 eq 25 any gt 1023 est
  permit udp host 200.200.200.4 eq 53 any gt 1023
  permit icmp 200.200.200.0 0.0.0.255 any packet-too-big
  deny ip any 190.190.190.0 0.0.0.255
  permit tcp host 200.200.200.4 any eq 53
  permit udp host 200.200.200.4 any eq 53
  permit tcp host 200.200.200.3 any eq 25
  deny ip any any log-input

In the preceding example, the following information is assumed:

  • This list is a template with suggestions; it shouldn't be considered a full solution for any particular network.

  • The screened subnet's network number is 200.200.200.0.

  • The internal private network number is 190.190.190.0.

  • The screened subnet's web server's address is 200.200.200.2.

  • The screened subnet's SMTP mail server's address is 200.200.200.3.

  • The screened subnet's DNS server's address is 200.200.200.4.

  • No other hosts are on the screened subnet.

  • We have three router interfaces: a serial 0 interface that connects us to the Internet, an ethernet 0 interface that connects us to our private network, and an ethernet 1 interface that connects us to our screened subnet.

  • We want to limit the outbound traffic (and return traffic) to the services that are listed in filterout.

  • We want to limit our ICMP message interactions so that packet-too-big is the only type we allow out; none is allowed back in. (Ping and traceroute are disallowed internally.)

  • Any use of FTP outbound requires a PASV (or passive) FTP client and server support for the same.

  • The listing format used for the access list information is for easier reading.

Listing A.2 shows the complete router access list.

Listing A.2. The Router Access List for a Screened Subnet Network That Allows Public Server Internet Access
 no service finger
 no ip source-route
 no service tcp-small-servers
 no service udp-small-servers

 interface serial 0
  ip access-group filterin in
  ip access-group filterout out
  no snmp
  no ip directed-broadcast
  no ip redirects
  no ip unreachables
  no cdp enable

 ip access-list extended filterin
  deny ip 190.190.190.0 0.0.0.255 any
  deny ip 10.0.0.0 0.255.255.255 any
  deny ip 127.0.0.0 0.255.255.255 any
  deny ip 172.16.0.0 0.15.255.255 any
  deny ip 192.168.0.0 0.0.255.255 any
  deny ip 224.0.0.0 15.255.255.255 any
  deny ip host 0.0.0.0 any
  permit tcp any host 200.200.200.2 eq 80
  permit tcp any host 200.200.200.3 eq 25
  permit tcp any host 200.200.200.4 eq 53
  permit udp any host 200.200.200.4 eq 53
  permit icmp any any packet-too-big
  evaluate packets
  deny ip any any log-input

 ip access-list extended filterout
  permit tcp host 200.200.200.2 eq 80 any gt 1023 est
  permit tcp host 200.200.200.3 eq 25 any gt 1023 est
  permit udp host 200.200.200.4 eq 53 any gt 1023
  permit tcp any any eq 21 reflect packets
  permit tcp any any eq 22 reflect packets
  permit tcp any any eq 23 reflect packets
  permit tcp any any eq 25 reflect packets
  permit tcp any any eq 53 reflect packets
  permit tcp any any eq 80 reflect packets
  permit tcp any any eq 110 reflect packets
  permit tcp any any eq 119 reflect packets
  permit tcp any any eq 143 reflect packets
  permit tcp any any eq 443 reflect packets
  permit udp any any eq 53 reflect packets
  permit icmp any any packet-too-big

 interface ethernet 0
  ip access-group filterin1 in

 ip access-list extended filterin1
  permit ip 190.190.190.0 0.0.0.255 any
  deny ip any any log-input

 interface ethernet 1
  ip access-group filterout2 out
  ip access-group filterin2 in

 ip access-list extended filterout2
  permit tcp any gt 1023 host 200.200.200.2 eq 80
  permit tcp any gt 1023 host 200.200.200.3 eq 25
  permit tcp any host 200.200.200.4 eq 53
  permit udp any host 200.200.200.4 eq 53
  permit icmp any 200.200.200.0 0.0.0.255 packet-too-big
  deny ip any any log-input

 ip access-list extended filterin2
  permit tcp host 200.200.200.2 eq 80 any gt 1023 est
  permit tcp host 200.200.200.3 eq 25 any gt 1023 est
  permit udp host 200.200.200.4 eq 53 any gt 1023
  permit icmp 200.200.200.0 0.0.0.255 any packet-too-big
  deny ip any 190.190.190.0 0.0.0.255
  permit tcp host 200.200.200.4 any eq 53
  permit udp host 200.200.200.4 any eq 53
  permit tcp host 200.200.200.3 any eq 25
  deny ip any any log-input



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230