Infrastructure Access-List

As I explained in my lesson about the router security policy, routers are often used at the edge of our network, where they are exposed to attacks. Because of this, you should have an access-list that blocks some of the most common attacks while only permitting the traffic that is really required.

What your access-list will look like really depends on the role of your router. Do you use it for NAT/PAT with some users behind it for Internet access, or is it a transit router on the Internet? Do you use any VPNs or BGP? What kind of traffic flows through your router? These are all questions that you need to answer before you create an infrastructure access-list.

To give you an idea what an infrastructure access-list could look like, I will show you some common statements that you might find in one.

1. Configuration

Here's the topology:

[Topology figure: R1 is connected to the Internet through interface Fa0/0; a host sits behind R1.]

The router above is connected to the Internet with one interface and has a public IP address (1.1.1.1 in the BGP example further down). Behind the router is a host that requires Internet access. The statements below belong in an extended named access-list that is applied inbound on the Internet-facing interface, which is why they all look at the source address of incoming packets.

1.1. ICMP Packet Filtering

ICMP is an important protocol for debugging, troubleshooting and error reporting, so you shouldn't completely block it.
However, it can be misused for reconnaissance or DoS attacks, so it might be wise to restrict it:

R1(config-ext-nacl)#permit icmp any any echo-reply
R1(config-ext-nacl)#permit icmp any any unreachable
R1(config-ext-nacl)#permit icmp any any time-exceeded
R1(config-ext-nacl)#deny icmp any any

With the access-list statements above we only allow echo-reply, so that the replies to pings we send ourselves can come back in. Unreachable and time-exceeded are required for traceroute; unreachable also carries the "fragmentation needed" message that path MTU discovery depends on, so don't drop it. All other ICMP types, including echo-request, are denied, so nobody on the Internet can ping the router or the host behind it.

1.2. IP Fragment Filtering

Fragmentation is the process of breaking down IP packets into multiple smaller packets. This can be useful if your packets are too large for the interface MTU.

The problem with fragmentation is that a number of exploits rely on it (overlapping fragments, fragment floods, and fragments used to sneak past filters that look at layer-4 information), so it might be wise to drop all fragmented packets:

R1(config-ext-nacl)#deny ip any any fragments

Two things to keep in mind with this statement. The fragments keyword only matches non-initial fragments; the first fragment still carries the TCP/UDP/ICMP header and is checked like a normal packet. And the position in the list matters: IOS cannot check ports or ICMP types in a non-initial fragment, so when such a fragment reaches a permit statement with layer-4 information earlier in the list, it is permitted, while a deny statement with layer-4 information is simply skipped. Put the fragments statement near the top. Also be aware that legitimate traffic such as large DNS responses or IPsec packets is sometimes fragmented, so dropping all fragments can break things.

1.3. RFC 3330 Address Filtering

RFC 3330 describes the special-use IPv4 addresses (it has since been replaced by RFC 5735 and RFC 6890, but the ranges below are unchanged). There are no legitimate packets that you could receive from your Internet connection that have one of these special addresses as the source address:

R1(config-ext-nacl)#deny ip host 0.0.0.0 any
R1(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any
R1(config-ext-nacl)#deny ip 192.0.2.0 0.0.0.255 any
R1(config-ext-nacl)#deny ip 224.0.0.0 15.255.255.255 any

Let me explain these statements:

- You should never see an IP packet that uses 0.0.0.0 as its source IP address, so we block it.
- The 127.0.0.0/8 range is for the loopback; you should never see an IP packet from the Internet that uses this address.
- 192.0.2.0/24 was assigned as TEST-NET by IANA and is reserved for documentation; addresses in this range are never used on the Internet.
- 224.0.0.0/4 is the multicast range, which is why the wildcard mask is 15.255.255.255.

RFC 3330 lists more ranges that you can block the same way, for example the link-local range 169.254.0.0/16 and the reserved 240.0.0.0/4 block.
1.4. RFC 1918 Address Filtering

Private addresses are used on our local network; you shouldn't expect to see any IP packets from the Internet with a private address as the source:

R1(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
R1(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any
R1(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any

1.5. RFC 2827 Address Filtering

If you have your own public address space then you should add it to your access-list. You should never see an IP packet from the Internet that has one of your own IP addresses as the source; RFC 2827 (BCP 38) describes this kind of ingress filtering. In this example the router's address 1.1.1.1 lives in 1.0.0.0/8, so that is the range we deny:

R1(config-ext-nacl)#deny ip 1.0.0.0 0.255.255.255 any

The same RFC also asks you to filter in the other direction: packets leaving your network should only carry your own source addresses, so that your network can't be used to launch spoofed attacks.

1.6. BGP Filtering

If your router has an eBGP adjacency with another router, then it might be wise to only permit this specific TCP connection:

R1(config-ext-nacl)#permit tcp host 3.3.3.3 host 1.1.1.1 eq bgp
R1(config-ext-nacl)#permit tcp host 3.3.3.3 eq bgp host 1.1.1.1
R1(config-ext-nacl)#deny tcp any any eq bgp

The statements above permit BGP traffic between 1.1.1.1 and 3.3.3.3 but deny all other BGP traffic. Two permit statements are needed because either side can open the TCP session: in the first one the neighbor connects to our port 179, in the second one we opened the session to the neighbor's port 179 and its packets come back from that port. An access-list like this complements, but does not replace, TCP MD5 authentication or TTL security on the BGP session itself.

I hope this example has been helpful to get an idea what an infrastructure access-list could look like. Remember that every IOS access-list ends with an implicit deny, so after the statements above you still have to permit the traffic you actually need (the return traffic for the host behind the router, for example) before you apply the list inbound on the Internet-facing interface with the ip access-group command. For your own network you really should research what protocols you require and what traffic you should permit or deny.

Tags: ACL, Security

Forum Replies

sales2161:
Hello, there is a typo:

R1(config-ext-nacl)#deny ip 224.0.0.0 31.255.255.255 any

Let me explain these statements: 224.0.0.0/4 is the multicast range. I think it should be 15.255.255.255 instead :)

lagapides:
Hello sales2161, yes, you are correct. I'll let Rene know. Thanks!

Is this scenario relevant in the real world? In our production network, all our routers sit behind FortiGate firewalls.

lagapides:
Hello Walker, the idea of an infrastructure access-list is more of a concept than an actual implementation strategy. The idea is to ensure that there are some fundamental best practices that should be enabled at the edge of your network, to protect and secure it. Now, at the very least, if you simply have a router, you must employ these as simple access-lists on that router, ensuring that you are blocking the appropriate ICMP packets, private addresses and fragments, to name a few. Now, if you have a firewall or some sort of security appliance on the edge of the

Thanks, helped a lot.

© 2021 NetworkLessons
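To see how the entries from sections 1.1 to 1.6 interact once they sit in one list, here is an added example (my own code, not part of the NetworkLessons lesson and not a Cisco tool): a small Python model of IOS first-match evaluation that runs constructed packets through the list in the order the lesson builds it, and again with the fragments statement moved to the top. The final permit tcp any host 1.1.1.1 established entry, the addresses 1.1.1.1 and 3.3.3.3, the 1.0.0.0/8 "own prefix" and every sample packet are assumptions made for the demonstration.

```python
"""Toy first-match evaluator for the IOS extended ACL built up in this lesson.
Added example, not NetworkLessons' or Cisco code. It models the syntax the lesson
uses plus one assumed 'established' entry, with the IOS rules that matter here:
first match wins, the list ends in an implicit deny, and a non-initial fragment
has no layer-4 header, so a permit entry with layer-4 info lets it through
while a deny entry with layer-4 info is skipped.
"""
from collections import namedtuple
from ipaddress import IPv4Address

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
PORT_NAMES = {"bgp": 179}

# A packet as the ACL sees it; noninitial_frag is True for a fragment with a non-zero offset.
Packet = namedtuple("Packet", "src dst proto sport dport icmp_type ack noninitial_frag",
                    defaults=(0, 0, -1, False, False))

# The list as the lesson builds it (sections 1.1 to 1.6, in that order), plus an
# assumed last entry that lets replies to the host's own TCP sessions back in.
LESSON_ACL = [
    "permit icmp any any echo-reply", "permit icmp any any unreachable",
    "permit icmp any any time-exceeded", "deny icmp any any",
    "deny ip any any fragments",
    "deny ip host 0.0.0.0 any", "deny ip 127.0.0.0 0.255.255.255 any",
    "deny ip 192.0.2.0 0.0.0.255 any", "deny ip 224.0.0.0 15.255.255.255 any",
    "deny ip 10.0.0.0 0.255.255.255 any", "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 1.0.0.0 0.255.255.255 any",            # RFC 2827: our own (assumed) prefix
    "permit tcp host 3.3.3.3 host 1.1.1.1 eq bgp",
    "permit tcp host 3.3.3.3 eq bgp host 1.1.1.1", "deny tcp any any eq bgp",
    "permit tcp any host 1.1.1.1 established",      # assumed, not from the lesson
]
# Same entries with the fragment drop moved to the top of the list.
FRAGMENTS_FIRST_ACL = ["deny ip any any fragments"] + [e for e in LESSON_ACL if "fragments" not in e]


def _addr(t, i):
    """Parse any | host A | A WILDCARD at t[i] into ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Turn one access-list entry into a dict of match fields."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    rest = t[i:]
    icmp = next((ICMP_TYPES[w] for w in rest if w in ICMP_TYPES), None)
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "sport": sport,
            "dport": dport, "icmp": icmp, "fragments": "fragments" in rest,
            "established": "established" in rest, "text": line}


def _in(spec, ip):
    addr, wild = spec               # wildcard bits that are set mean "don't care"
    return (int(IPv4Address(ip)) | wild) == (addr | wild)


def _l4_ok(a, p):
    return (a["sport"] in (None, p.sport) and a["dport"] in (None, p.dport)
            and a["icmp"] in (None, p.icmp_type) and (not a["established"] or p.ack))


def evaluate(acl_lines, p):
    """Return (verdict, entry text) the way IOS would, including the implicit deny."""
    for a in map(parse_ace, acl_lines):
        if a["proto"] not in ("ip", p.proto) or not _in(a["src"], p.src) or not _in(a["dst"], p.dst):
            continue
        if a["fragments"]:                      # matches non-initial fragments only
            if p.noninitial_frag:
                return a["action"], a["text"]
            continue
        has_l4 = a["established"] or any(a[k] is not None for k in ("sport", "dport", "icmp"))
        if p.noninitial_frag and has_l4:        # no L4 header to compare: permit wins, deny is skipped
            if a["action"] == "permit":
                return a["action"], a["text"]
            continue
        if p.noninitial_frag or _l4_ok(a, p):
            return a["action"], a["text"]
    return "deny", "implicit deny"


# Constructed packets arriving inbound on Fa0/0; R1 is 1.1.1.1, the eBGP peer is 3.3.3.3.
SAMPLES = {
    "ping request": Packet("8.8.8.8", "1.1.1.1", "icmp", icmp_type=8),
    "ping reply": Packet("8.8.8.8", "1.1.1.1", "icmp", icmp_type=0),
    "rfc1918 source": Packet("10.1.2.3", "1.1.1.1", "tcp", sport=4000, dport=80),
    "spoofed own prefix": Packet("1.2.3.4", "1.1.1.1", "tcp", sport=4000, dport=80),
    "bgp from peer": Packet("3.3.3.3", "1.1.1.1", "tcp", sport=41000, dport=179),
    "bgp from stranger": Packet("5.5.5.5", "1.1.1.1", "tcp", sport=41000, dport=179),
    "https reply": Packet("93.184.216.34", "1.1.1.1", "tcp", sport=443, dport=52000, ack=True),
    "unsolicited ssh syn": Packet("93.184.216.34", "1.1.1.1", "tcp", sport=52000, dport=22),
    "icmp non-initial fragment": Packet("8.8.8.8", "1.1.1.1", "icmp", noninitial_frag=True),
}


def verdicts(acl_lines):
    """Map each sample packet name to the verdict the given list gives it."""
    return {name: evaluate(acl_lines, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print(verdicts(LESSON_ACL), verdicts(FRAGMENTS_FIRST_ACL), sep="\n")
```

Running it gives the same verdict for every sample in both orders except the non-initial ICMP fragment: in the lesson's order it is permitted by the echo-reply entry, because a non-initial fragment has no ICMP header for IOS to check, while with the fragments statement first it is dropped. The unsolicited SSH SYN is only caught by the implicit deny, which is why you still need explicit permits for the traffic you actually want to let in.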
