Brandon, if you provide any sort of network access, it's impossible to make
your network "invisible". It's just the nature of the beast.
For example, for your users to be able to receive inbound mail, you have to
have port 25 open to your mail server. If an external mail server can
connect to your internal mail server on port 25, so can a scanning engine.
There's no good way to differentiate between the two.
Block all ports that you can and secure the servers that must be
world-accessible. In your list, I would say you could block at least ldap
and whatever 1002 is. You may also be able to block pop3 if you don't need
to allow external users to pop mail from your server. These can be blocked
with simple router access-lists.
If you're providing web services, mail and DNS, those ports must be open; your
only choice is to properly secure the servers providing those services.
There are good resources on securing host OSes from most major vendors,
contact your support channel or search on the web (e.g. Sun, MS, HP, etc.).
You may also want to look at Content Based Access Control (CBAC). If you do
a search on CCO for "CBAC" or "security technical tips" it should lead you
to what you need. You also need to consider placing your world-accessible
servers on a separate DMZ interface on the router. This is best practice
design.
A good resource for general security perimeter design is "Building Internet
Firewalls" by Chapman and Zwicky.
If you're really interested in combating scans, I'd suggest taking a look at
LaBrea:
http://www.incidents.org/archives/intrusions/msg01368.html
and the honeynet project:
http://project.honeynet.org
HTH,
Kent
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brandon Peyton
Sent: Thursday, August 30, 2001 9:32 AM
To: [EMAIL PROTECTED]
Subject: Edge Security... [7:17864]
Hi,
I'm sure this has probably been covered in the archives, and what I have
searched isn't exactly what I need.
I've got a 2611 (12.0) and I'm trying to configure my router to provide me
with a secure network. 2 mailservers and 2 DNS machines and about 12
workstations and 4 routers.
What I'm trying to do is make my network completely invisible to the outside
world. When someone scans my IP range they will see nothing. However my
inside traffic should have no problems accessing anything anywhere.
I also want to block certain ports; for some reason my unix machines like to
advertise ldap 389 and I want to completely block that from being seen
outside.
Currently if you scan my network you'll see:
|___ 22 ssh
|___ 25 Antigen
|___ 53 domain
|___ 80 Executor
|___ 110 pop3
|___ 389 ldap
|___ 1002
I would like to close certain ports on the cisco for outgoing traffic, and
make anyone portscanning me see nothing open.
I've spent a huge amount of time on CCO but still haven't found what I want.
Any suggestions?
Thanks
Brandon
I currently have applied this config:
ip subnet-zero
no ip source-route
no ip finger
ip route 0.0.0.0 0.0.0.0 Null0 255
! ACL 101: drop packets arriving with private, loopback, 255/8 or multicast source
! addresses (spoofed), allow a few ICMP error types, drop ident, then log and drop the rest
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 deny ip 224.0.0.0 7.255.255.255 any log
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any ttl-exceeded
access-list 101 deny tcp any any eq ident
access-list 101 deny ip any any log
! ACL 102: allow SMTP to the two mail servers only; everything else is logged and dropped
access-list 102 permit tcp any host (mailserver 1) eq smtp
access-list 102 permit tcp any host (mailserver 2) eq smtp
access-list 102 deny ip any any log
! ACL 103: anti-spoofing in both directions (no private addresses as source or
! destination), then permit everything else
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip any 192.168.0.0 0.0.255.255 log
access-list 103 deny ip any 172.16.0.0 0.15.255.255 log
access-list 103 deny ip any 10.0.0.0 0.255.255.255 log
access-list 103 permit ip any any
! ACL 104: a single deny entry; because of the implicit deny at the end of every
! IOS access-list, this list blocks all traffic if applied, not just finger
access-list 104 deny tcp any any eq finger
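Kent's point that the extra ports can be closed with simple router access-lists, and the access-list syntax in Brandon's config, both come down to the same first-match-then-implicit-deny rule. The evaluator below is an added example, not code from the thread: it parses IOS-style extended ACL lines and shows which of the scanned ports an outside host could still reach. The INGRESS list and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders, not Brandon's hosts.

```python
import ipaddress

NAMED_PORTS = {"smtp": 25, "domain": 53, "www": 80, "pop3": 110, "ident": 113, "finger": 79, "ldap": 389}

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(tok.pop(0) if t == "host" else t))
    return base, 0 if t == "host" else int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq PORT' (name or number); None if absent."""
    if not tok or tok[0] != "eq":
        return None
    _, p = tok.pop(0), tok.pop(0)
    return int(p) if p.isdigit() else NAMED_PORTS[p]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [ICMPTYPE] [log]'."""
    _, acl, action, proto, *rest = line.split()
    ace = {"acl": acl, "action": action, "proto": proto}
    ace["src"], ace["sport"] = _addr(rest), _port(rest)
    ace["dst"], ace["dport"] = _addr(rest), _port(rest)
    extra = [x for x in rest if x != "log"]  # anything left over is an ICMP type name
    ace["icmp_type"] = extra[0] if extra else None
    return ace

def _in(spec, ip):
    """IOS wildcard mask: a 1 bit in the mask means 'don't care' for that address bit."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """First match wins; anything unmatched hits IOS's implicit 'deny ip any any'."""
    for line in acl:
        a = parse_ace(line)
        if (a["proto"] in ("ip", proto) and _in(a["src"], src) and _in(a["dst"], dst)
                and a["dport"] in (None, dport) and a["icmp_type"] in (None, icmp_type)):
            return a["action"], line
    return "deny", "implicit deny ip any any"

# Constructed inbound ACL (203.0.113.x are placeholders): anti-spoof first, then only what must be reachable.
INGRESS = [
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 101 permit icmp any any ttl-exceeded",
    "access-list 101 permit tcp any host 203.0.113.10 eq smtp",
    "access-list 101 permit udp any host 203.0.113.20 eq domain",
]
```

With this list applied inbound, a scan of 389 or 1002 on the mail server falls through to the implicit deny, while SMTP and DNS still answer.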
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17944&t=17864
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]