How to protect your network from malicious traffic

Lately I stumbled upon a Cisco 877 security hardening guide. The suggestion is to block (via source IP) private, reserved and unallocated IP ranges. I will explain why this is a bad idea and how to properly block malicious traffic.

How to not protect your network

These ACL statements are quoted from the guide.

access-list 101 deny tcp any any eq 139 (blocks port 139 netbios attacks used for ms fileshares)

If you are doing NAT (which is most likely the case), no traffic will be forwarded to your internal Windows box anyway.

access-list 101 deny ip 10.0.0.0 0.255.255.255 any(blocks internal lan range)

This is the same as with port 139: NAT or CBAC will filter it anyway.

access-list 101 deny ip 50.0.0.0 0.255.255.255 any (blocks unused 50.* address space which attackers may spoof)
access-list 101 deny ip 100.0.0.0 0.255.255.255 any (blocks unused 100.* address space which attackers may spoof)

So you have blocked 2 unallocated networks. Se below for the details on blocking unallocated networks.

access-list 101 permit ip any any (permits all other traffic)

You should never end an ACL with a permit ip any any statement, because thats really bad practice. The ACL is pointless. You should permit good traffic and and let the implicit deny handle the bogus traffic. You will receive bogus traffic from allocated ranges and valid (but compromised) host anyway, so this is not a security enhancement.

ip verify unicast source reachable-via rx allow-default

As long as you have a default route on the router, this command will not do anything at all. This is for routers with no default route (having the full BGP routing table).

Blocking unallocated networks

Bogus traffic (like spam and ddos attackes) sometimes come from unallocated networks, which is why some people are blocking those networks. This is not necessarily a bad idea, but one has to MAINTAIN those ACLs, otherwise you will block good traffic.

That’s a big problem. BGP also suffers from those outdated filters (see De-Bogonising New Address Blocks on ripe.net).

access-list 104 deny ip 2.0.0.0 0.255.255.255 any

2/8 is allocated to the RIPE NCC, your filters are outdated and your are probably dropping packets from legitimate users.

So how do I do it the right way?

You need stateful packet inspection (SPI), because a static ACL cannot give you the security you need. CBAC will do this for you.

You will setup an ACL to permit only the traffic CBAC doesn’t match (like PATs or services/protocols running on the router).

access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any echo-reply
!
ip inspect name FW udp
ip inspect name FW tcp
ip inspect name FW ftp
ip inspect name FW icmp
ip inspect name FW http
!
interface Vlan1
ip inspect FW in
!
interface Dialer0
no ip unreachables
ip access-group 110 in
!

In this case you will only permit echo-replays and unreachables to the router. Traffic which isn’t permitted by CBAC or the ACL statements is dropped.

I always configure ‘no ip unreachables’ on the WAN facing interface if I expect ACL drops, because otherwise the router would send a ICMP Type 3 Code 9/10 message (Network/Host is Administratively Prohibited).

You can verify this functionality with ‘show access-lists’ and ‘show ip inspect sessions’:

sh ip inspect sessions
Established Sessions
Session 82A56C1C (10.50.1.50:1154)=>(12.34.39.164:80) tcp SIS_OPEN
Session 82A5739C (10.50.1.50:61488)=>(98.76.2.129:53) udp SIS_OPEN
Session 82A56E9C (10.50.1.50:57253)=>(55.44.2.129:53) udp SIS_OPEN

Leave a Reply