Discussion in 'other firewalls' started by kamui, May 17, 2004.
Hi All ,
Can someone give me à good secure ACL , this my rules but I want a better rules
You may be better off posting this on a Cisco forum or comp.sys.dcom.cisco. This guide may be of help also.
I would certainly recommend that you block source routed packets (no ip source-route) The source routing option allows an attacker to specify a route for their packets which allows them to receive a response even with a spoofed sender IP address - this does have a legitimate use for network diagnostics but on the Internet it is almost exclusively used with ill-intent.
However, no detailed advice can be given without knowing the specifics of your network requirements (e.g. you are allowing GRE - do you need it?). As a general comment, I would suggest taking the approach of blocking all traffic except for certain protocols you deem "safe". This configuration seems to take the opposite approach in only blocking a couple of ports used commonly by worms - this does not therefore deal with current (and future) exploits using other ports.
okit thx bro but this site doesn't work comp.sys.dcom.cisco
For the details , I juste have one pc ,
LAN IP : 10.0.0.1
SUb MAsk :255.0.0.0
Router IP : 10.0.0.138
I find this acl with google what do you think plz ??
And did you know a good cisco forum ??
You might want to take a look a the following, the faq has some good info and additional links.
DSLR Cisco Forum
DSLR Cisco FAQ
Merci beaucoup Crazy M
plz help nobody answered me in the other forum
In the other post you mention anti spoofing rules. Does your router have an anti spoofing feature? Some do, and you could use that or acl's, but not both.
Another link you might want to look at:
Improving Security on Cisco Routers
You refer to a list found from your google search above, did you happen to see the link there to a more complete explanation and example:
Secure IOS Template Version 3.5 28 APR 2004
It has other useful links and also refers to a utility for auditing configs:
NCAT (Network Config Audit Tool) and RAT (Router Audit Tool)
... which you can find here:
CIS Level-1 / Level-2 Benchmark and Audit Tool for Cisco IOS Routers
Lots of reading, but if you want to go beyond the default config with your Cisco it is something you will have to do to ensure your configuration is correct and secure.
oki thx bro , yes a lot of reading as you said , i need to improve my english , i'm french lol
It's not a website, it's a Usenet group. Use a Usenet reader to access it (Outlook Express isn't too bad for Usenet, despite its flaws as an email client) or Google Groups (comp.dcom.sys.cisco). If you decide to post there, then be sure that you follow the rules of Usenet Netiquette.
Separate names with a comma.