Cisco C827 and ACL

Discussion in 'other firewalls' started by kamui, May 17, 2004.

Thread Status:
Not open for further replies.
  1. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    Hi All ,

    Can someone give me a good secure ACL? These are my rules, but I want better rules ;)


    Thx :)
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You may be better off posting this on a Cisco forum or comp.sys.dcom.cisco. This guide may be of help also.

    I would certainly recommend that you block source routed packets (no ip source-route). The source routing option allows an attacker to specify a route for their packets, which allows them to receive a response even with a spoofed sender IP address - this does have a legitimate use for network diagnostics, but on the Internet it is almost exclusively used with ill intent.

    However, no detailed advice can be given without knowing the specifics of your network requirements (e.g. you are allowing GRE - do you need it?). As a general comment, I would suggest taking the approach of blocking all traffic except for certain protocols you deem "safe". This configuration seems to take the opposite approach in only blocking a couple of ports used commonly by worms - this does not therefore deal with current (and future) exploits using other ports.
     
  3. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    oki thx bro, but this site doesn't work: comp.sys.dcom.cisco :(

    For the details, I just have one PC:
    LAN IP: 10.0.0.1
    Sub Mask: 255.0.0.0
    Gateway: 10.0.0.138
    Router IP: 10.0.0.138

    I found this ACL with Google, what do you think plz??
    http://www.rpatrick.com/tech/acl/

    :eek:

    And do you know a good Cisco forum??

    ++
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi kamui

    You might want to take a look at the following; the FAQ has some good info and additional links.

    DSLR Cisco Forum
    DSLR Cisco FAQ

    Regards,

    CrazyM
     
  5. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    Thank you very much Crazy M ;)
    ++
     
  6. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi kamui

    In the other post you mention anti-spoofing rules. Does your router have an anti-spoofing feature? Some do, and you could use that or ACLs, but not both.

    Another link you might want to look at:

    Improving Security on Cisco Routers

    You refer to a list found from your google search above, did you happen to see the link there to a more complete explanation and example:

    Secure IOS Template Version 3.5 28 APR 2004

    It has other useful links and also refers to a utility for auditing configs:

    NCAT (Network Config Audit Tool) and RAT (Router Audit Tool)
    http://ncat.sourceforge.net/

    ... which you can find here:
    CIS Level-1 / Level-2 Benchmark and Audit Tool for Cisco IOS Routers

    Lots of reading, but if you want to go beyond the default config with your Cisco it is something you will have to do to ensure your configuration is correct and secure.

    Regards,

    CrazyM
     
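    An added example (not posted by anyone in this thread) of the default-deny, anti-spoofing approach recommended above, written in Cisco IOS syntax for the LAN described earlier (10.0.0.0/8 behind the router). The interface names (Ethernet0 for the LAN, Dialer1 for the WAN) and the resolver address 203.0.113.53 are assumptions; substitute your own.

```cisco
! Global: discard any packet carrying the IP source-route option
no ip source-route
!
! Inbound on the WAN interface: reject spoofed sources, allow only
! replies to sessions the LAN started, then deny and log the rest.
ip access-list extended WAN-IN
 remark -- anti-spoofing: our own LAN range must never arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark -- other private, loopback and unspecified sources
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 remark -- return traffic for TCP sessions opened from the LAN
 permit tcp any any established
 remark -- DNS replies from the ISP resolver (placeholder address)
 permit udp host 203.0.113.53 eq 53 any gt 1023
 remark -- ICMP needed for path MTU discovery and diagnostics
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark -- default deny: everything not listed above, logged
 deny   ip any any log
!
! Inbound on the LAN interface (before NAT): only our own range may
! leave, so a compromised host cannot spoof another network.
ip access-list extended LAN-IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
!
interface Ethernet0
 ip access-group LAN-IN in
!
interface Dialer1
 ip access-group WAN-IN in
```

    The egress filter is applied inbound on the LAN side rather than outbound on the WAN side because the inside addresses are still visible there before NAT rewrites them.
     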
  8. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France
    oki thx bro, yes a lot of reading as you said, I need to improve my English, I'm French lol

    :D
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's not a website, it's a Usenet group. Use a Usenet reader to access it (Outlook Express isn't too bad for Usenet, despite its flaws as an email client) or Google Groups (comp.dcom.sys.cisco). If you decide to post there, then be sure that you follow the rules of Usenet Netiquette.
     
  10. kamui

    kamui Registered Member

    Joined:
    Aug 19, 2003
    Posts:
    218
    Location:
    France