
Network Security






Presentation Transcript


  1. Network Security: Router Based Rules
  David Funk, Systems Administrator, Computer Systems Support, COE, University of Iowa

  2. Router Filtering
  • Goals and limitations
  • Know your network topology
  • Know your hardware's characteristics
  • Proper division of labor

  3. Router Filtering: Goals and Limitations
  • Protect resources
    • Easy stuff (IP packet spoof filter)
    • Harder (protect port 135/139)
  • Permit necessary access
    • Servers visible to the outside world
    • Use proxies to protect "tender" resources
    • Use "tougher" machines for outside services

  4. Router Filtering: Know Your Network Topology
  • Choose logical boundaries
  • Segregate hosts by class
    • Client only
    • Local servers
    • Global servers
    • Intranets

  5. Topology (diagram: border router, internal router, client net, server net)

  6. Hardware
  • ACL limits
  • In vs. out filters
  • Stateful filters
    • TCP SYN packet for pseudo-state
  • Protocol restrictions
  • Data rate limits
  • Fail-over options?

  7. Division of Labor
  • Border vs. internal routers
  • Filters on end hosts
  • Add hardware where necessary
  • Fault tolerance?

  8. Details
  • Testing
  • Maintenance
  • Honeypot + sniffer logs
  • Software updates
  • Documentation
  • Oddball stuff (DHCP)

  9. Details
  • access-list 103 deny ip 128.255.16.0 0.0.15.255 any log
  • access-list 103 deny ip 127.0.0.0 0.0.0.15 any log
  • access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
  • access-list 103 permit ip host 128.255.1.3 any
  • access-list 103 permit ip host 128.255.64.3 any
  • access-list 103 deny ip any 128.255.18.12 0.0.1.1 log
  • access-list 103 deny ip any host 128.255.19.11 log
  • access-list 103 deny ip any 128.255.18.16 0.0.1.0 log
  • access-list 103 deny ip any 128.255.26.64 0.0.1.15 log
  • access-list 103 permit ip any 128.255.22.0 0.0.0.31
  • access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 135
  • access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135
  • access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 139
  • access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 139

  10. Details
  • access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 135
  • access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135
  • access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 139
  • access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 139
  • access-list 103 permit udp 128.255.0.0 1.0.255.255 128.255.23.0 0.0.0.255 eq 135
  • access-list 103 permit tcp 128.255.0.0 1.0.255.255 128.255.23.0 0.0.0.255 eq 135
  • access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 137
  • access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 138
  • access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 139
  • access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 445
  • access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 445
  • access-list 103 deny udp any eq tftp 128.255.16.0 0.0.15.255 log
  • access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq tftp log
  • access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 135 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 135 log
  • access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 138 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 139 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 445 log
  • access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 445 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 593 log
  • access-list 103 permit tcp any 128.255.16.0 0.0.15.255 established
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 6346
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 4444 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 707 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 50000 log
  • access-list 103 permit ip any 128.255.23.0 0.0.0.255

  11. Details
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 5000 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 1900 log
  • access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 1433
  • access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 1434
  • access-list 103 deny udp any 128.255.20.0 0.0.1.255 eq 111 log
  • access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq snmp log
  • access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq 6000
  • access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq ssh
  • access-list 103 permit tcp any eq 20 128.255.20.0 0.0.1.255 gt 1023
  • access-list 103 deny tcp any 128.255.20.0 0.0.1.255 log

  12. Details
  • access-list 127 permit ip 128.255.27.0 0.0.0.255 any
  • access-list 127 permit udp any eq bootps any
  • access-list 127 permit udp any eq bootpc any
  • access-list 127 deny ip any any log
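The lists on slides 9 through 12 are evaluated top to bottom, the first matching line wins, and a packet that matches nothing hits the implicit deny at the end; the ordering (spoof filter first, the narrow port-135 permit ahead of the /20-wide deny, established ahead of the catch-all deny on the server net) is what makes them work. The Python below is an added example, not code from the presentation: a small evaluator for the IOS syntax these slides use (wildcard masks, host/any, eq/gt, port keywords, established), run over a constructed subset of access-list 103 so the ordering can be checked offline. The port-keyword table and the packet dictionary fields are assumptions.

```python
import ipaddress

PORT_NAMES = {"ssh": 22, "tftp": 69, "snmp": 161, "bootps": 67, "bootpc": 68}  # names IOS accepts
# Constructed subset of the slides' access-list 103, kept in the original order.
ACL_103 = """
access-list 103 deny ip 128.255.16.0 0.0.15.255 any log
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 135 log
access-list 103 permit tcp any 128.255.16.0 0.0.15.255 established
access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq ssh
access-list 103 deny tcp any 128.255.20.0 0.0.1.255 log
"""

def _ip(s):  # dotted quad -> 32-bit int
    return int(ipaddress.IPv4Address(s))
def _addr(t, i):  # IOS address spec: any | host A | A WILDCARD -> ((base, wildcard), next index)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2
def _port(t, i):  # optional 'eq N' / 'gt N' after an address; None means any port
    if i < len(t) and t[i] in ("eq", "gt"):
        return (t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                 # t[0:4] = access-list, number, action, protocol
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append({"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst,
                      "dport": dport, "established": "established" in t[i:], "text": line})
    return rules

def wildcard_match(spec, ip):
    # Wildcard bit 1 = "don't care", 0 = "must equal base"; bit arithmetic also handles
    # non-contiguous masks such as 0.0.3.7 or 1.0.255.255, which are not subnet masks.
    return ((_ip(ip) ^ spec[0]) & (~spec[1] & 0xFFFFFFFF)) == 0
def _port_match(spec, port):
    return spec is None or (port is not None and (port == spec[1] if spec[0] == "eq" else port > spec[1]))
def evaluate(rules, pkt):  # first matching line decides; anything unmatched hits IOS's implicit deny
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and wildcard_match(r["src"], pkt["src"]) and wildcard_match(r["dst"], pkt["dst"])
                and _port_match(r["sport"], pkt.get("sport")) and _port_match(r["dport"], pkt.get("dport"))
                and (not r["established"] or pkt.get("ack"))):  # pseudo-state: only replies carry ACK/RST
            return r["action"], r["text"]
    return "deny", "implicit deny"
```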
