Router Expert: SACLs: Filtering suggestions and ideas

This month's article continues on the intrusion detection track.

By Michael J. Martin

This month's article continues on the intrusion detection track. Last month, we looked at how the IOS implements Static Access Control Lists (SACLs). This month we will consider what we should be filtering.

A Quick Review...
Before we look at what, let's review how. When writing filtering access-lists there are two things to consider: placement and processing. A SACL is essentially a pattern-matching filter. The filter is processed in a top-down fashion, and the packet-handling action is determined by the first "match" found. So when creating your SACLs, keep these little life rules in mind.

  1. Less is more, but too little is not enough. The longer the list, the longer it takes to process. On early model routers (AGS, IGS, 2x00, 4x00) SACL processing impacted packet forwarding performance; this is not the case with today's routers except with excessively long or complex lists. Which begs the question: how much filtering is needed? The answer is relative to the networking environment: the degree of system exposure versus the threat level, the impact of the loss of use of the systems being protected, the type of services the systems are providing, the operating system and of course the system's reachability exposure (is the system on the Internet or on a corporate intranet?). Both environments have associated threats; as the administrator you need to assess them and install the proper protection measures. However, regardless of the risk (or perceived risk), network traffic filtering should not be instated in a vacuum. Traffic filtering should be part of an overall security strategy, conceived by those responsible for security and approved accordingly. When using traffic filters, documentation is critical. Filtering rules should be available to system managers, so they can understand the effects the filter rules may have on their applications. SACLs are a powerful tool, and if implemented without an understanding of the networking and application environment they can have an adverse to dire impact on the operation of the network. Evaluation and syndication are the keys to implementing SACLs successfully. Failure to do so will result not only in many wasted hours of troubleshooting, but in a very pissed off system administrator and user community.

  2. Everything in nature is hierarchical. The IOS provides two basic SACL structures: standard and extended. Standard SACLs match only on the source IP address of a packet. Extended SACLs match on source or destination address (or both), protocol type (IP, ICMP, TCP, UDP, etc.) and service port (0 through 65535). When creating an address-match-oriented SACL, place the most commonly "hit" address match rules at the top. When creating an extended SACL, protocol-specific entries (TCP, UDP, ICMP, etc.) should precede "IP" match statements, since an "IP" entry matches every protocol and would swallow the more specific entries below it.

  3. If at first you do not succeed, try, try again. For all their powers, IOS SACLs have one flaw: they are not editable. New matching entries are appended to the end of the list and existing entries (with the exception of named lists) cannot be deleted individually. This requires that each time a list needs to be edited, the existing list must be removed from the interface, edited and re-installed. For standard security filters (i.e., spoofing, RFC-1918, etc.) this does not present a real issue, since these lists are not changed with any frequency. However, with gateway SACLs that filter protocols and ports this can be quite a pain. Whenever possible the modification of these lists should be automated using Perl or Expect scripts. Automation ensures not only accuracy, but protects against process mistakes as well (the "oops, I just filtered myself from accessing the router again" syndrome).

  4. Location, location, location. SACL placement is everything in terms of a SACL's efficiency and effectiveness. SACL filtering should be installed as close to the traffic source as possible. While filtering immediacy is crucial, filter placement direction (inbound or outbound on the interface) is even more so, since it determines how the packets are examined.


Above is a simple diagram illustrating the relationship of the "host" to the router's interfaces when creating inbound and outbound SACLs, and their placement on the router's interfaces.
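To make the top-down, first-match processing and the ordering rules above concrete, here is a small Python model of an extended SACL. It is an added example, not code from the article or from Cisco: the Ace and Packet classes, the evaluate() and shadowed_entries() functions, and the sample entries (RFC 5737 documentation addresses) are all constructed for illustration. evaluate() walks the list and stops at the first match, falling through to the implicit deny; shadowed_entries() reports entries that can never be hit because an earlier, broader entry already covers them, which is exactly what happens when an "ip" match statement is placed ahead of a TCP-specific permit (rule 2).

```python
# Added example (not from the article): a minimal model of how IOS walks a
# static access list. Entries are tested top-down, the first match decides,
# and a packet that matches nothing hits the implicit "deny" at the end.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry. Networks are in CIDR form; 0.0.0.0/0 means 'any'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (matches every protocol), "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None means any destination port
    hits: int = 0                # incremented each time this entry decides a packet


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the deciding entry); index -1 is the implicit deny."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            ace.hits += 1
            return ace.action, i
    return "deny", -1


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers
    everything they would match (same or broader protocol, networks and port)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out


def sample_acl() -> List[Ace]:
    """Constructed inbound list for a fictitious 192.0.2.0/24 site (RFC 5737 range)."""
    return [
        Ace("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),            # RFC-1918 source: spoofed
        Ace("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 25),  # mail server
        Ace("deny", "ip", "0.0.0.0/0", "192.0.2.0/24"),          # everything else to the site
        Ace("permit", "tcp", "0.0.0.0/0", "192.0.2.20/32", 80),  # web server: never reached!
    ]


if __name__ == "__main__":
    acl = sample_acl()
    for pkt in (Packet("tcp", "10.1.2.3", "192.0.2.10", 25),
                Packet("tcp", "203.0.113.5", "192.0.2.10", 25),
                Packet("tcp", "203.0.113.5", "192.0.2.20", 80)):
        print(pkt, "->", evaluate(acl, pkt))
    print("shadowed entries:", shadowed_entries(acl))  # [3]: move it above the "ip" deny
```

The hit counters are what you would use for rule 1 and rule 2: after running representative traffic through the model, the entries with the most hits belong near the top, as long as moving them does not change which entry shadows which.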

What To Filter... a Strainer and a Buzz saw?
Effective filtering can be achieved through one of two basic methods: the strainer method or the buzz saw method. The strainer method functions just as it sounds: it allows the desirable IP traffic through and blocks everything else. The foundation of the strainer method is access; filter matching is based only on source and/or destination address. The advantage of the strainer method is its simplicity. The downside is that this approach is only as reliable as the systems behind it are secure. In accordance with RFC-2267, an inbound and an outbound SACL should be used to filter spoofed traffic. At a minimum, networks connected to the Internet should filter RFC-1918 addresses, IANA Class D (multicast) addresses, IANA Class E addresses, DHCP "Autonet" addresses, and unallocated IPv4 address space, or "bogons". The IANA allocations change, requiring you to keep up to date. The IANA lists each prefix individually; a maintained list of the unallocated IPv4 space in aggregated form is also available. Here is a "cut & paste" inbound SACL template using the strainer method (the list is applied to the "outside" interface):

 
access-list 100 deny ip host 0.0.0.0 any log ! All zeros broadcast
access-list 100 deny ip host 255.255.255.255 any log ! All ones broadcast
! Unallocated IPv4 prefixes are called bogons; they should never appear
! in Internet routing tables and you should never receive traffic with
! a bogon source address.
access-list 100 deny ip 0.0.0.0 1.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 2.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 5.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 7.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
! These addresses are used for private network addressing; you should never receive packets
! from the Internet with an RFC-1918 source address, but if you look you probably
! do. If you are using this addressing in a private network, comment out the RFC-1918
! entries that correspond to the prefix you are using.
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log ! RFC1918
access-list 100 deny ip 23.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 27.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 31.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 36.0.0.0 1.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 39.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 41.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 42.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 49.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 50.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 58.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 59.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 60.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 70.0.0.0 1.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 72.0.0.0 7.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 82.0.0.0 1.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 84.0.0.0 3.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 88.0.0.0 7.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 96.0.0.0 31.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log ! AUTONET - DHCP
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log ! RFC1918
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log ! RFC-1918
access-list 100 deny ip 197.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 198.18.0.0 0.1.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 201.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 222.0.0.0 1.255.255.255 any log ! Unallocated / IANA Reserved
access-list 100 deny ip 223.0.0.0 0.255.255.255 any log ! Unallocated / IANA Reserved
! Unless you are connected to the MBONE there is no reason to permit
! IP multicast traffic.
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log ! IANA Class D - Multicast
! Not usable with most TCP/IP implementations, but better safe...
access-list 100 deny ip 240.0.0.0 15.255.255.255 any ! Class E Addresses - Reserved
! The last statements of the SACL are the anti-spoofing filters for the local
! networks and the router's Internet gateway interface address (where the filter is
! applied). The wildcard mask must match your prefix length: 0.0.0.255 for a /24,
! 0.0.255.255 for a /16.
! If you have a Class C "/24" IP assignment use (insert your prefix in place of the x.x.x.x)
access-list 100 deny ip x.x.x.x 0.0.0.255 any log
! If you have a Class B "/16" IP assignment use
access-list 100 deny ip x.x.x.x 0.0.255.255 any log
access-list 100 deny ip host x.x.x.x any log ! The router interface
access-list 100 deny ip any any ! not needed but, a good reminder

The outbound "strainer" method filter is short and sweet. It allows only traffic originating with a source address from your network prefix to be forwarded. This list is often overlooked by administrators, because its function is more about being a good netizen: preventing the origination of "spoofed" (non-local source) packets from your network.

 
access-list 101 permit ip x.x.x.x x.x.x.x any ! permits only traffic from your local net (prefix and wildcard mask)
access-list 101 deny ip any any log ! Any other traffic is dropped (not needed, here for ref)
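Rule 3 above recommends generating lists by script rather than by hand, and the anti-spoofing entries are where hand-typed wildcard masks go wrong most often. The following Python is an added example, not code from the article or from Cisco: it builds both strainer lists from CIDR prefixes, so the wildcard mask is always derived from the prefix length, and prefix_from_wildcard() reverses an "address wildcard" pair to show what it really covers. The DENY_SOURCES table is a deliberately short, constructed stand-in for the full bogon list above, and the 203.0.113.0/24 site and its gateway are RFC 5737 documentation addresses.

```python
# Added example (not from the article): generate strainer-method SACL lines
# from CIDR prefixes so the wildcard mask is always derived from the prefix
# length (a /24 gets 0.0.0.255, a /16 gets 0.0.255.255, a /32 becomes "host").
import ipaddress
from typing import List, Tuple


def wildcard(cidr: str) -> str:
    """IOS wildcard mask for a CIDR prefix: the bit-inverse of the netmask."""
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)


def ace(number: int, action: str, src_cidr: str, comment: str = "", log: bool = True) -> str:
    """One 'access-list N <action> ip <src> any [log] [! comment]' line."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    match = f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.hostmask}"
    line = f"access-list {number} {action} ip {match} any"
    if log:
        line += " log"
    if comment:
        line += f" ! {comment}"
    return line


def prefix_from_wildcard(address: str, wild: str) -> str:
    """Reverse check: what prefix does 'address wildcard' actually cover?
    Catches mistakes such as a /24 site written with a 0.255.255.255 mask."""
    wild_int = int(ipaddress.ip_address(wild))
    netmask = ~wild_int & 0xFFFFFFFF
    plen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wild}; not expressible as a prefix")
    return str(ipaddress.ip_network((address, plen), strict=False))


# Constructed, abbreviated source-address deny list. The article's full list is
# much longer, and the unallocated ("bogon") prefixes change over time, so a real
# deployment regenerates this table from a maintained source.
DENY_SOURCES: List[Tuple[str, str]] = [
    ("0.0.0.0/8", "IANA reserved"),
    ("10.0.0.0/8", "RFC1918"),
    ("169.254.0.0/16", "AUTONET - DHCP"),
    ("172.16.0.0/12", "RFC1918"),
    ("192.168.0.0/16", "RFC1918"),
    ("224.0.0.0/4", "IANA Class D - Multicast"),
    ("240.0.0.0/4", "Class E Addresses - Reserved"),
]


def inbound_strainer(local_prefix: str, gateway_ip: str, number: int = 100) -> List[str]:
    """Inbound list for the outside interface: bogons, then our own prefix and
    the gateway address as anti-spoofing entries, then the reminder deny."""
    lines = [ace(number, "deny", prefix, comment) for prefix, comment in DENY_SOURCES]
    lines.append(ace(number, "deny", local_prefix, "anti-spoofing: our own prefix"))
    lines.append(ace(number, "deny", f"{gateway_ip}/32", "the router interface"))
    lines.append(f"access-list {number} deny ip any any ! not needed, but a good reminder")
    return lines


def outbound_strainer(local_prefix: str, number: int = 101) -> List[str]:
    """Outbound list: only packets sourced from our prefix may leave."""
    net = ipaddress.ip_network(local_prefix, strict=False)
    return [
        f"access-list {number} permit ip {net.network_address} {net.hostmask} any ! only our prefix may leave",
        f"access-list {number} deny ip any any log ! anything else is a spoofed source",
    ]


if __name__ == "__main__":
    print("\n".join(inbound_strainer("203.0.113.0/24", "203.0.113.1")))
    print("\n".join(outbound_strainer("203.0.113.0/24")))
    # A /24 written with a /8 wildcard silently covers the whole 203.0.0.0/8:
    print(prefix_from_wildcard("203.0.113.0", "0.255.255.255"))
```

Run the reverse check over any list before it goes on the interface; an anti-spoofing entry whose mask is too broad will deny legitimate traffic from your provider's neighbours, and one that is too narrow lets spoofed local addresses through.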

The Buzz Saw Method
If you follow best security practices (keep your systems patched, have minimal Internet exposure, etc.), the strainer method is fine for filtering both Internet (public) and intranet (private) network gateways. In public network environments where firewalling is not possible (or practical) due to access or performance requirements, environments where the security of systems is not within the administrative realm of the network provider, and/or environments where the system operators are knowingly (or unknowingly) running applications that violate a site's security policy, the buzz saw method is for you. Built on the access filtering provided by the strainer method, the buzz saw approach additionally filters based on "service", by matching on TCP/UDP service ports and ICMP message types.

As you may recall, the available service port range for TCP/UDP is 0 to 65535. Traditionally, administrators have implemented filters to block access to "known services", ports below 1023, leaving the ports above 1024 exposed. Standards-compliant TCP/IP implementations originate service connections using a random port from the IANA "dynamic" port range, between 49152 and 65535. The range between 1024 and 49151 is the IANA "registered" service port range, allocated to various applications (and, as it turns out, commonly used for dynamic port allocation by a number of applications. Who cares about standards anyway?)

Ironically, it is the port range above 1023 that represents the biggest security challenge for network administrators today, since it is within this range that many common applications operate. This is also the range in which the exploits of these applications, Distributed Denial of Service and Trojan horse applications, along with numerous other host access, data access and data transmission applications, operate. All of these, if used improperly, can compromise system, network and data security, with results ranging from the loss of valuable data and misuse of network and system resources to flat-out system and network breaches.

What you choose to either monitor or block needs to be balanced with the requirements of the business. So, to assist you in creating a buzz saw SACL set that is correct for your environment, let's examine some potential problem service ports.
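Every entry in the lists that follow that carries the log or log-input keyword produces a %SEC-6-IPACCESSLOG* syslog message, and those messages are the raw material for the "monitor" half of the monitor-or-block decision. Here is an added Python example (not from the article, and not Cisco code) that parses such messages, summarizes the denied traffic by service and by source, and flags a source that has touched several distinct destinations on the same port. The log lines are constructed for this example and follow the IOS message layout as I know it (the interface and MAC in parentheses appear only with log-input); compare against your own router's output, since field layout differs slightly between IOS releases. The IOS rate-limits ACL logging and reports what it skipped in IPACCESSLOGRL messages, so the counts are lower bounds.

```python
# Added example (not from the article): summarize the syslog messages that the
# "log" / "log-input" keywords on SACL entries produce. Sample lines are
# constructed and use RFC 5737 documentation addresses.
import re
from collections import Counter, defaultdict
from typing import List, Optional

ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \([^)]*\))?"                          # "(Serial0 *HDLC*)" etc. from log-input
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"  # ICMP type/code
    r", (?P<count>\d+) packets?"
)
RATE_RE = re.compile(r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (\d+) packets?")

SAMPLE_LOG: List[str] = [  # constructed for this example
    "Sep 12 10:01:02 gw 45: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(3421) -> 203.0.113.10(135), 1 packet",
    "Sep 12 10:01:03 gw 46: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(3422) -> 203.0.113.11(135), 1 packet",
    "Sep 12 10:06:04 gw 47: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(3423) -> 203.0.113.12(135), 7 packets",
    "Sep 12 10:06:05 gw 48: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.9(31337) (Serial0 *HDLC*) -> 203.0.113.10(31337), 1 packet",
    "Sep 12 10:06:06 gw 49: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.23 -> 203.0.113.10 (8/0), 3 packets",
    "Sep 12 10:06:07 gw 50: %SEC-6-IPACCESSLOGNP: list 101 denied 50 203.0.113.40 -> 198.51.100.77, 1 packet",
    "Sep 12 10:06:08 gw 51: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log message, or None for anything else."""
    m = ACL_RE.search(line)
    if not m:
        return None
    r = m.groupdict()
    for k in ("sport", "dport", "itype", "icode", "count"):
        r[k] = int(r[k]) if r[k] is not None else None
    return r


def summarize(lines: List[str]) -> dict:
    """Denied packet counts per (protocol, destination port) and per source,
    plus the number of packets the router admits it did not log."""
    records = [r for r in map(parse_line, lines) if r]
    by_service, by_source = Counter(), Counter()
    for r in records:
        if r["action"] != "denied":
            continue
        by_service[(r["proto"], r["dport"])] += r["count"]
        by_source[r["src"]] += r["count"]
    missed = sum(int(m.group(1)) for m in map(RATE_RE.search, lines) if m)
    return {"records": len(records), "by_service": by_service, "by_source": by_source, "missed": missed}


def sweep_sources(lines: List[str], min_targets: int = 3) -> list:
    """Sources whose denied packets reached >= min_targets distinct destinations
    on one (protocol, port): the signature of a sweep rather than a stray packet."""
    targets = defaultdict(set)
    for r in filter(None, map(parse_line, lines)):
        if r["action"] == "denied" and r["dport"] is not None:
            targets[(r["src"], r["proto"], r["dport"])].add(r["dst"])
    return sorted((src, proto, port, len(dsts))
                  for (src, proto, port), dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("denied by service:", s["by_service"].most_common())
    print("denied by source:", s["by_source"].most_common())
    print("packets not logged:", s["missed"])
    print("sweeps:", sweep_sources(SAMPLE_LOG))
```

Feed it the router's syslog file instead of SAMPLE_LOG; the (protocol, port) keys map straight back to the commented entries in the lists below, so the summary tells you which of those entries are actually earning their place.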

ICMP
There are 26 potential ICMP message types, the majority of which are never seen. This filter set disables inbound and outbound ping and a number of potential exploits that work by sending bogus ICMP messages.

 
access-list 100 deny icmp any any log-input fragments ! non-initial fragments: attack exploit
access-list 100 deny icmp any any echo log-input ! Disables remote ping
access-list 100 deny icmp any any echo-reply log-input ! Disables local ping
access-list 100 deny icmp any any net-redirect log-input ! Attack exploit
access-list 100 deny icmp any any host-redirect log-input ! Attack exploit
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit icmp any any unreachable ! needed for path MTU discovery
access-list 100 deny icmp any any log-input ! drops all other ICMP messages

DHCP
If you are using a cable modem or ADSL link and require dynamic address assignment on the outbound interface, you will need to permit DHCP client messages.

 
access-list 100 permit udp any any eq 68

Microsoft

As the most predominant operating system, you would expect it to have some security issues. The real problem with Microsoft products is not so much the products as the product implementations that do not follow standards, the number of documented and undocumented ports required, and the fact that many of the services in their default state are insecure. Not to mention all of the patches. As an administrator you need to decide if you want to filter these services inbound (if you have MS-based server products, i.e., WMS and IIS) or outbound, to restrict access to services like Remote Desktop and NetMeeting. ISS has a nice write-up on all of the Microsoft-dependent port requirements in their security center database.

 
access-list 100 deny tcp any any eq 135 log ! Netbios RPC (portmapper service)
access-list 100 deny udp any any eq 135 log ! Netbios RPC (portmapper service)
access-list 100 deny tcp any any eq 137 log ! Netbios Nameservice (WINS)
access-list 100 deny udp any any eq 137 log ! Netbios Nameservice (WINS)
access-list 100 deny tcp any any eq 42 log ! WINS Replication (non standard)
access-list 100 deny tcp any any eq 138 log ! Netbios Datagram
access-list 100 deny udp any any eq 138 log ! Netbios Datagram
access-list 100 deny tcp any any eq 139 log ! Netbios Session
access-list 100 deny udp any any eq 139 log ! Netbios Session
access-list 100 deny tcp any any eq 445 log ! SMB/File Sharing
access-list 100 deny udp any any eq 445 log ! SMB/File Sharing
access-list 100 deny tcp any any eq 1080 log ! WINgate Proxy
access-list 100 deny tcp any any eq 1433 log ! MSSQL - SQL Spida Worm
access-list 100 deny tcp any any eq 1512 log ! MS WINS
access-list 100 deny udp any any eq 1503 ! T.120 Tel Conf (Net Meeting)
access-list 100 deny tcp any any eq 1503 ! T.120 Tel Conf (Net Meeting)
access-list 100 deny udp any any eq 1720 ! H.323 Call Service (Net Meeting)
access-list 100 deny tcp any any eq 1720 ! H.323 Call Service (Net Meeting)
access-list 100 deny udp any any eq 1755 ! Windows Media Control
access-list 100 deny tcp any any eq 1755 ! Windows Media Control
access-list 100 deny udp any any eq 7007 ! WM Encoder to Server
access-list 100 deny tcp any any eq 7007 ! WM Encoder to Server
access-list 100 deny udp any any eq 3389 ! Remote Desktop Protocol
access-list 100 deny tcp any any eq 3389 ! Remote Desktop Protocol
access-list 100 deny tcp any any eq 12345 log ! NetBus
access-list 100 deny udp any any eq 12345 log ! NetBus

UNIX Filter List

 
access-list 100 deny tcp any any eq 7 log ! Echo Service
access-list 100 deny udp any any eq 7 log ! Echo Service
access-list 100 deny tcp any any eq 9 log ! Discard Service
access-list 100 deny udp any any eq 9 log ! Discard Service
access-list 100 deny tcp any any eq 13 log ! daytime service
access-list 100 deny udp any any eq 13 log ! daytime service
access-list 100 deny tcp any any eq 17 log ! qotd service
access-list 100 deny udp any any eq 17 log ! qotd service
access-list 100 deny tcp any any eq 19 log ! Character Generator chargen
access-list 100 deny udp any any eq 19 log ! Character Generator chargen
access-list 100 deny tcp any any eq 20 ! ftp-data
access-list 100 deny tcp any any eq 21 ! ftp
access-list 100 deny tcp any any eq 23 ! telnet, you should be using SSH
access-list 100 deny tcp any any eq 25 ! SMTP Sendmail Service
access-list 100 deny tcp any any eq 53 ! Domain Name Service (Server to Server Comm)
access-list 100 deny udp any any eq 53 ! DNS Resolver Service
access-list 100 deny udp any any eq 69 log ! TFTP Service
access-list 100 deny udp any any eq 79 log ! Finger Service
access-list 100 deny tcp any any eq 79 log ! Finger Service
access-list 100 deny tcp any any eq 98 log ! Linuxconf
access-list 100 deny tcp any any eq 111 ! portmapper/sunrpc
access-list 100 deny udp any any eq 111 ! portmapper/sunrpc
access-list 100 deny tcp any any eq 113 log ! Identification Service
access-list 100 deny udp any any eq 161 log ! Simple Network Management Protocol
access-list 100 deny udp any any eq 162 log ! SNMP Trap
access-list 100 deny tcp any any eq 513 ! Remote Login
access-list 100 deny tcp any any eq 514 log ! Syslog Service
access-list 100 deny udp any any eq 514 log ! Syslog Service
access-list 100 deny tcp any any eq 515 log ! LPR Printer Service
access-list 100 deny tcp any any eq 635 log ! mountd (NFS Service)
access-list 100 deny tcp any any eq 692 log ! CDE Tooltalk
access-list 100 deny tcp any any eq 1080 log ! SOCKS
access-list 100 deny tcp any any eq 1027 ! ICQ
access-list 100 deny tcp any any eq 1029 ! ICQ
access-list 100 deny tcp any any eq 1032 ! ICQ
access-list 100 deny tcp any any eq 3128 log ! SQUID Proxy Server Default Port
access-list 100 deny tcp any any eq 2049 log ! nfsd
access-list 100 deny tcp any any range 6000 6007 log ! XWindows Display
access-list 100 deny tcp any any range 6666 6669 log ! Internet Relay Chat
access-list 100 deny tcp any any eq 10083 log ! Tool Talk DB Server Service

VPN Services

While VPNs are great for providing secure remote access and site-to-site connectivity over the Internet, they can also be a major security exposure. If you support VPN services, implement explicit inbound permit rules. Outbound, you should explicitly drop at least the default VPN client ports. There is also a growing number of "tunneling" applications using SSL port 443. Since any secure web transaction is dependent on SSL, port 443 is almost always open in firewall rule sets. So with a basically guaranteed open port, circumventing the firewall is a breeze. Products like Cisco's 3000 series VPN concentrators support TCP encapsulation of IPsec traffic. With a little creativity, SSH's tunneling option and the UNIX tool netcat can also be used to send traffic through TCP port 443, and then of course for the unimaginative there are applications like HTTP Tunnel and Firewall Tunnel.

Inbound Filter:

 
access-list 100 permit udp any eq 500 host <vpn addr> eq 500 ! ISAKMP
access-list 100 permit 50 any host <vpn addr> ! IPsec ESP (IP protocol 50)
access-list 100 permit 51 any host <vpn addr> ! IPsec AH (IP protocol 51)
access-list 100 permit udp any host <vpn addr> eq 10000 ! Cisco VPN
access-list 100 permit udp any host <vpn addr> eq 5001 ! Nortel VPN
access-list 100 permit udp any host <vpn addr> eq 259 ! Check Point VPN
access-list 100 permit gre any host <vpn addr> ! PPTP data is protocol 47/GRE
access-list 100 permit tcp any host <vpn addr> eq 1723 ! MS PPTP control

Outbound filter (if your site does not support VPN, use it as an inbound filter as well):

 
access-list 101 deny udp any any eq 500 log ! ISAKMP
access-list 101 deny udp any any eq 10000 log ! Cisco VPN
access-list 101 deny udp any any eq 5001 log ! Nortel VPN
access-list 101 deny tcp any any eq 1723 log ! MS PPTP control (TCP)
access-list 101 deny gre any any log ! PPTP data, protocol 47/GRE
access-list 101 deny 50 any any log ! IPsec ESP
access-list 101 deny 51 any any log ! IPsec AH

Internet Gaming
Traditionally, to the enterprise, Internet gaming service access is more an "acceptable use" issue than an outward threat to security. However, a recent SANS article brings up an interesting side effect of Internet gaming, namely IDS false positives. If you are running a NIDS, minimizing "false alarms" is a major concern; not only are they annoying to track down, but too many can in some instances crash the reporting component. Here is the list of recommended ports for outbound filtering:

 
access-list 101 deny tcp any any eq 47624 log ! MS DirectX and Direct Play
access-list 101 deny tcp any any range 2300 2400 log ! MS DirectX and Direct Play
access-list 101 deny udp any any range 2300 2400 log ! MS DirectX and Direct Play
access-list 101 deny tcp any any eq 6667 ! MSN Zone online gaming
access-list 101 deny tcp any any eq 9110 ! MSN Zone online gaming
access-list 101 deny tcp any any eq 9113 ! MSN Zone online gaming
access-list 101 deny tcp any any range 8995 11000 ! MSN Zone online gaming
access-list 101 deny tcp any any range 28800 29000 ! MSN Zone online gaming
access-list 101 deny udp any any range 28800 29000 ! MSN Zone online gaming
access-list 101 deny tcp any any range 8000 9000 ! MSN Zone online gaming
access-list 101 deny tcp any any eq 7785 ! Ultima Online Gaming
access-list 101 deny tcp any any eq 9999 ! Ultima Online Gaming
access-list 101 deny tcp any any range 5001 5010 ! Ultima Online Gaming
access-list 101 deny tcp any any range 7775 7777 ! Ultima Online Gaming
access-list 101 deny tcp any any range 8800 8900 ! Ultima Online Gaming
access-list 101 deny tcp any any eq 6112 ! Battle.net
access-list 101 deny udp any any eq 6112 ! Battle.net
access-list 101 deny tcp any any range 8000 8999 ! Mplayer
access-list 101 deny tcp any any eq 2346 ! Rainbow Six
access-list 101 deny udp any any eq 2346 ! Rainbow Six
access-list 101 deny tcp any any eq 26000 ! Quake
access-list 101 deny tcp any any eq 27901 ! Quake
access-list 101 deny tcp any any range 27950 27952 ! Quake
access-list 101 deny udp any any range 27910 27961 ! Quake
access-list 101 deny tcp any any eq 7777 ! Unreal
access-list 101 deny tcp any any eq 8888 ! Unreal
access-list 101 deny tcp any any eq 27900 ! Unreal
access-list 101 deny tcp any any range 7778 7781 ! Unreal
access-list 101 deny tcp any any range 3100 3999 ! Delta Force
access-list 101 deny udp any any range 3100 3999 ! Delta Force
access-list 101 deny udp any any range 3568 3569 ! Delta Force

Trojan Horse's
There are a number of sites providing reporting on new and existing attacks; Doshelp.com and Simovits.com (in Sweden) are two of the better ones. The port filters below represent just some of the more common exploits. With these types of exploits, consider filtering inbound and outbound on both your public and private gateways, since the vulnerability and potential threat exist equally (even more so on the internal network, IMHO). The known ports for the DDoS tools Stacheldraht and Trin00 are listed at the end of the list. And one more thing: an attacker using these tools can change the port to any one he/she wants to use. The value in filtering these types of exploits is to defend against script kiddies, curious minds and people who really do not know what they are doing, which is the source of a surprising number of these types of attacks.

 
access-list 100 deny tcp any any eq 41 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 999 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 2140 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny udp any any eq 2140 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 3150 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 6670 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 6671 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny udp any any eq 3150 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 60000 ! Deep Throat Windows 98/NT Trojan
access-list 100 deny tcp any any eq 31 ! Agent 31/Masters Paradise
access-list 100 deny tcp any any eq 3129 ! Agent 31/Masters Paradise
access-list 100 deny tcp any any range 40421 40426 ! Agent 31/Masters Paradise
access-list 100 deny tcp any any eq 58 ! DM Setup virus
access-list 100 deny tcp any any eq 90 ! Hidden Port 2.0
access-list 100 deny tcp any any eq 113 ! Kazimas
access-list 100 deny tcp any any eq 119 ! Happy99
access-list 100 deny tcp any any eq 146 ! Infector 1.3
access-list 100 deny tcp any any eq 456 ! Hackers Paradise
access-list 100 deny tcp any any eq 531 ! Rasmin
access-list 100 deny tcp any any eq 1045 ! Rasmin
access-list 100 deny tcp any any eq 555 ! Stealth Spy
access-list 100 deny tcp any any eq 666 ! Attack FTP, Doom Server
access-list 100 deny tcp any any eq 777 ! AIM Spy
access-list 100 deny tcp any any range 901 902 ! Backdoor Devil
access-list 100 deny tcp any any eq 9400 ! In Command
access-list 100 deny tcp any any eq 1000 ! Der Spacher
access-list 100 deny tcp any any range 1011 1015 ! Doly Trojan
access-list 100 deny tcp any any eq 1024 ! NetSpy
access-list 100 deny tcp any any eq 1033 ! NetSpy
access-list 100 deny udp any any eq 1349 ! BackOrifice
access-list 100 deny udp any any eq 8787 ! BackOrifice
access-list 100 deny udp any any eq 8879 ! BackOrifice
access-list 100 deny tcp any any eq 8787 ! BackOrifice
access-list 100 deny tcp any any eq 8879 ! BackOrifice
access-list 100 deny udp any any eq 31337 ! BackOrifice
access-list 100 deny tcp any any eq 54320 ! BackOrifice
access-list 100 deny udp any any eq 54320 ! BackOrifice
access-list 100 deny udp any any eq 54321 ! BackOrifice
access-list 100 deny tcp any any eq 54321 ! BackOrifice
access-list 100 deny tcp any any eq 2583 ! Wincrash
access-list 100 deny tcp any any eq 3024 ! Wincrash
access-list 100 deny tcp any any eq 5714 ! Wincrash
access-list 100 deny tcp any any eq 5741 ! Wincrash
access-list 100 deny tcp any any eq 5742 ! Wincrash
access-list 100 deny tcp any any eq 4092 ! Wincrash
access-list 100 deny tcp any any eq 3700 ! Portal Of Doom
access-list 100 deny tcp any any range 9873 9875 ! Portal Of Doom
access-list 100 deny tcp any any eq 10067  ! Portal Of Doom
access-list 100 deny udp any any eq 10067 ! Portal Of Doom
access-list 100 deny tcp any any eq 10167 ! Portal Of Doom
access-list 100 deny udp any any eq 10167 ! Portal Of Doom
access-list 100 deny tcp any any range 5400 5402 ! Blade Runner
access-list 100 deny udp any any eq 5503 ! Remote Shell
access-list 100 deny tcp any any range 5637 5638 ! PC Crasher
access-list 100 deny tcp any any range 30100 30102 ! NetSphere
access-list 100 deny tcp any any eq 30133 ! NetSphere
access-list 100 deny udp any any eq 31335 ! Trin00 (daemon to master, UDP)
access-list 100 deny udp any any eq 27444 ! Trin00
access-list 100 deny tcp any any eq 27665 ! Trin00
access-list 100 deny tcp any any eq 1524 ! Trin00
access-list 100 deny tcp any any eq 30999 ! Kuang2
access-list 100 deny tcp any any range 31785 31791 ! Hack a Tack
access-list 100 deny tcp any any eq 65000 ! Stacheldraht DDOS
access-list 100 deny tcp any any eq 1660 ! Stacheldraht DDOS

Instant Messaging
AOL IM represents a dilemma to many sites. On the one hand, it has become almost a "de facto" application (Apple and Lotus both support AIM in their chat applications) for peer-to-peer communication, not just at the office but also for keeping in touch with family and friends. The first problem is the fact that AIM can be used as a secure data transport conduit (this case also exists with allowing access to Web mail services): simply encrypt a document with PGP/GPG, copy, paste and send, and your file is sent, bypassing your content scanning system. The second is more of a long-term trend problem. AIM requires port 5190 to operate in its default mode, requiring this port to be opened on the firewall. Realizing this drawback, the AIM developers provided the ability to have AIM operate on port 443 (SSL). Once again an application is exploiting the SSL rule, circumventing the firewall. So if AIM is not an application you want to support, you actually have to "blackhole" America Online. Here is the outbound filter for AIM and YM.

 
access-list 101 deny tcp any any eq 5190 log ! AOL AIM
access-list 101 deny ip any 156.163.226.0 0.0.0.255 log ! AOL 
access-list 101 deny ip any 205.188.165.0 0.0.0.255 log ! AOL
access-list 101 deny ip any 64.12.0.0 0.0.255.255 log ! AOL
access-list 101 deny tcp any any eq 5010 ! Yahoo Messenger
access-list 101 deny tcp any any range 5050 5051 ! Yahoo Messenger

Peer-To-Peer File Sharing
Even though Napster appears to be dead, others have taken its place. The two competing services KaZaA and Gnutella have wide distribution bases. On the operations side, these services consume bandwidth and slow down the network. On the legal side, these services potentially violate copyright laws, leaving your company open to potential liability. Napster is included for old times' sake.

 
access-list 100 deny tcp any any eq 1214 ! KaZaa
access-list 100 deny tcp any any eq 6346 ! Gnutella
access-list 100 deny tcp any any eq 6347 ! Gnutella
access-list 100 deny tcp any any eq 6699 ! Napster
access-list 100 deny tcp any any eq 8888 ! Napster
access-list 100 deny tcp any any eq 8875 ! Napster

Remote Control / Remote Terminal
With Windows' lack of a remote management VTY interface, a number of products have been developed to provide GUI remote access. If you have Windows systems you probably use at least one of these packages. Considering the potential risk, access should be explicitly permitted, from a known remote address to the specific server. Here is an example inbound SACL.

 
access-list 100 permit tcp host <remt addr> host <server> eq 1494 ! CITRIX Metaframe
access-list 100 permit udp host <remt addr> host <server> eq 1604 ! CITRIX Metaframe
access-list 100 permit udp host <remt addr> host <server> eq 2598 ! CITRIX Metaframe
access-list 100 permit tcp host <remt addr> host <server> eq 1680 ! CarbonCopy
access-list 100 permit tcp host <remt addr> host <server> eq 5631 ! PC Anywhere
access-list 100 permit udp host <remt addr> host <server> eq 5632 ! PC Anywhere
access-list 100 permit tcp host <remt addr> host <server> eq 5500 ! ATT VNC
access-list 100 permit tcp host <remt addr> host <server> eq 5800 ! ATT VNC
access-list 100 permit tcp host <remt addr> host <server> eq 5900 ! ATT VNC
access-list 100 permit tcp host <remt addr> host <server> eq 3389 ! W2K Terminal Server / Remote Desktop Protocol
access-list 100 permit udp host <remt addr> host <server> eq 3389 ! W2K Terminal Server / Remote Desktop Protocol
access-list 100 deny ip any host 63.251.224.177 log ! gotomypc.com; to disable the gotomypc.com service use this rule

Known Port Services

Filtering of known service ports is a plain given. Only permit access to services you need, and if possible explicitly permit access. It is also a good idea to run these services on systems that can support host-level stateful firewalling (i.e., Linux, yes Linux). And while your site firewall will protect you from harm, it is still not a bad idea to just drop these requests at the Internet router, since they only add to the load of legitimate traffic the firewall needs to process.

 
access-list 100 deny tcp any any eq 7 log ! Echo Service
access-list 100 deny udp any any eq 7 log ! Echo Service
access-list 100 deny tcp any any eq 13 log ! daytime service
access-list 100 deny udp any any eq 13 log ! daytime service
access-list 100 deny tcp any any eq 19 log ! Character Generator chargen
access-list 100 deny tcp any any eq 20 ! ftp-data
access-list 100 deny tcp any any eq 21 ! ftp 
access-list 100 deny tcp any any eq 23 ! telnet, you should be using SSH
access-list 100 deny tcp any any eq 25 ! SMTP Sendmail Service
access-list 100 deny tcp any any eq 53 ! Domain Name Service (Server to Server Comm)
access-list 100 deny udp any any eq 53 ! DNS Resolver Service
access-list 100 deny udp any any eq 69 log ! TFTP Service
access-list 100 deny udp any any eq 79 log ! Finger Service
access-list 100 deny tcp any any eq 79 log ! Finger Service
access-list 100 deny tcp any any eq 98 log ! Linuxconf
access-list 100 deny tcp any any eq 111 ! portmapper/sunrpc
access-list 100 deny udp any any eq 111 ! portmapper/sunrpc
access-list 100 deny tcp any any eq 113 log ! Identification Service
access-list 100 deny udp any any eq 161 log ! Simple Network Management Protocol
access-list 100 deny udp any any eq 162 log ! SNMP Trap
access-list 100 deny tcp any any eq 513 ! Remote Login
access-list 100 deny tcp any any eq 514 log ! Syslog Service
access-list 100 deny udp any any eq 514 log ! Syslog Service
access-list 100 deny tcp any any eq 515 log ! LPR Printer Service
access-list 100 deny tcp any any eq 635 log ! mountd (NFS Service)
access-list 100 deny tcp any any eq 692 log ! CDE Tooltalk 
access-list 100 deny tcp any any eq 1027 ! ICQ
access-list 100 deny tcp any any eq 1029 ! ICQ
access-list 100 deny tcp any any eq 1032 ! ICQ
access-list 100 deny tcp any any eq 3128 log ! SQUID Proxy Server Default Port
access-list 100 deny tcp any any eq 2049 log ! nfsd
access-list 100 deny tcp any any range 6000 6007 log ! XWindows Display
access-list 100 deny tcp any any range 6666 6669 log ! Internet Relay Chat
access-list 100 deny tcp any any eq 10083 log ! Tool Talk DB Server Service 

Conclusion
The hope is that you found this information valuable and that it will assist you with the arduous task of securing your network. Like all advice, take what you can use and forget the rest. These are recommendations; each site is unique, with different needs. Account for them when creating your SACL implementation. And tune in next month as we wrap up all of this IDS talk with a method for implementing dynamic SMURF attack defense.

This was first published in September 2002
