On 17/12/2003 at 23:02:01, Ing. Andrés E. Gallo wrote:

> Pls, if someone can share an ACL to put in a border router ( facing to
> internet ) and/or have any comments on this one below -got it somewhere-,
> let me know.

IMHO they're both awful, since they both end in "permit ip any any".
That basically means 'allow anything I didn't think of above', which is
a really bad idea.

The underlying principle in any security setup should always be 'deny
everything unless it's specifically allowed', not 'allow anything I
forgot to deny'. That way all the support calls are 'Hey, I can't access
server X!' (which is easy to fix) and not 'Hey, all the files on server
X are missing!' (which is quite a bit harder). :)

Your border access list should:
 - deny anything you want to block outright (eg that set of bogon networks),
 - allow the absolute minimum services through (ie SMTP to your MX
    servers, HTTP to a web server if you host one), and then
 - deny everything else (with "deny ip any any log") at the end.

That way you're not exposing anything you don't need to (like the SSH
services on your MX boxes, and all the fun stuff MS runs on Windows
boxen by default), and you won't get bitten by someone connecting to a
service you didn't realise you were running.

As a starting point I'd suggest something like the following:

access-list 100 remark -- Incoming email -------------------------------------
access-list 100 permit tcp any host 192.0.2.1 eq 25
access-list 100 permit tcp any host 192.0.2.2 eq 25
access-list 100 remark 
access-list 100 remark -- Webmail --------------------------------------------
access-list 100 permit tcp any host 192.0.2.3 eq 80
access-list 100 permit tcp any host 192.0.2.3 eq 443
access-list 100 permit tcp any host 192.0.2.3 eq 8385
access-list 100 remark 
access-list 100 remark -- Deny others ----------------------------------------
access-list 100 deny   ip any any log

Add any other services which you know need to be Internet accessible,
and then drop the rest. Short, easy to maintain, and next time some worm
or another leads to recommendations to block port X at your border,
you're already doing it.

Cheers,
Evan
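To make the first-match, default-deny behaviour concrete, here is a small Python evaluator added to this page; it is not Evan's code and not a Cisco tool. It parses the access list above (plus one constructed bogon deny on 10.0.0.0/8 at the top, standing in for the "block outright" step) and runs constructed sample packets through it and through the same list ending in "permit ip any any", so the difference the last line makes shows up directly. Only the subset of IOS extended-ACL syntax used here is modelled (any / host / contiguous wildcard masks, eq, log), plus the implicit unlogged deny IOS applies when no line matches.

```python
"""Toy first-match evaluator for Cisco-style extended ACLs (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Evan's access list, with one constructed bogon-style deny (RFC 1918 space
# as a source) added at the top to show the "deny outright" step.
DEFAULT_DENY_ACL = """
access-list 100 remark -- Bogon sources (constructed example line) --
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 100 remark -- Incoming email --
access-list 100 permit tcp any host 192.0.2.1 eq 25
access-list 100 permit tcp any host 192.0.2.2 eq 25
access-list 100 remark -- Webmail --
access-list 100 permit tcp any host 192.0.2.3 eq 80
access-list 100 permit tcp any host 192.0.2.3 eq 443
access-list 100 permit tcp any host 192.0.2.3 eq 8385
access-list 100 remark -- Deny others --
access-list 100 deny   ip any any log
"""

# The same list with the tail the post argues against.
PERMIT_ANY_TAIL_ACL = DEFAULT_DENY_ACL.replace(
    "deny   ip any any log", "permit ip any any")


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None: any destination port
    log: bool
    text: str                     # the original line, for reporting


def _parse_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Only contiguous wildcard masks (inverted netmasks) are supported here."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if word == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((word, str(netmask)), strict=False)


def parse_acl(text: str) -> list:
    """Parse 'access-list N ...' lines into Rule objects; remarks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action = tokens[2]
        if action == "remark":
            continue
        proto, rest = tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport, log = None, False
        while rest:
            word = rest.pop(0)
            if word == "eq":
                dport = int(rest.pop(0))
            elif word == "log":
                log = True
            else:
                raise ValueError(f"unsupported keyword {word!r} in: {line}")
        rules.append(Rule(action, proto, src, dst, dport, log, line))
    return rules


def evaluate(rules: list, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> tuple:
    """First matching rule wins. Like IOS, a list that matches nothing ends in
    an implicit, unlogged deny; the explicit 'deny ip any any log' is there so
    that those drops actually show up in the logs."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if src_ip not in rule.src or dst_ip not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.text
    return "deny", "<implicit deny>"


# Constructed sample traffic: (proto, src, dst, dport)
SAMPLE_PACKETS = [
    ("tcp", "198.51.100.7", "192.0.2.1", 25),   # SMTP to the first MX
    ("tcp", "198.51.100.7", "192.0.2.1", 22),   # SSH to the same MX box
    ("tcp", "198.51.100.7", "192.0.2.3", 443),  # HTTPS to webmail
    ("tcp", "198.51.100.7", "192.0.2.9", 445),  # SMB to a host nobody listed
    ("tcp", "10.9.8.7", "192.0.2.1", 25),       # SMTP from a bogon source
]


def compare(packets: list = SAMPLE_PACKETS) -> list:
    """Verdict of each packet under the default-deny list and the permit-any list."""
    strict, loose = parse_acl(DEFAULT_DENY_ACL), parse_acl(PERMIT_ANY_TAIL_ACL)
    return [(pkt, evaluate(strict, *pkt)[0], evaluate(loose, *pkt)[0])
            for pkt in packets]


if __name__ == "__main__":
    for pkt, strict_verdict, loose_verdict in compare():
        print(f"{pkt!s:42} default-deny: {strict_verdict:7} permit-any tail: {loose_verdict}")
```

Running it prints the SSH and SMB packets as denied under the default-deny list and permitted under the "permit ip any any" variant; the only services that survive the strict list are the ones explicitly listed, which is exactly the property the post wants.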

