Lately I stumbled upon a Cisco 877 security hardening guide. The suggestion is to block (via source IP) private, reserved and unallocated IP ranges. I will explain why this is a bad idea and how to properly block malicious traffic.
How to not protect your network
These ACL statements are quoted from the guide.
access-list 101 deny tcp any any eq 139 (blocks port 139 netbios attacks used for ms fileshares)
If you are doing NAT (which is most likely the case), no traffic will be forwarded to your internal Windows box anyway.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any(blocks internal lan range)
This is the same as with port 139: NAT or CBAC will filter it anyway.
access-list 101 deny ip 188.8.131.52 0.255.255.255 any (blocks unused 50.* address space which attackers may spoof)
access-list 101 deny ip 184.108.40.206 0.255.255.255 any (blocks unused 100.* address space which attackers may spoof)
So you have blocked 2 unallocated networks. Se below for the details on blocking unallocated networks.
access-list 101 permit ip any any (permits all other traffic)
You should never end an ACL with a permit ip any any statement, because thats really bad practice. The ACL is pointless. You should permit good traffic and and let the implicit deny handle the bogus traffic. You will receive bogus traffic from allocated ranges and valid (but compromised) host anyway, so this is not a security enhancement.
ip verify unicast source reachable-via rx allow-default
As long as you have a default route on the router, this command will not do anything at all. This is for routers with no default route (having the full BGP routing table).
Blocking unallocated networks
Bogus traffic (like spam and ddos attackes) sometimes come from unallocated networks, which is why some people are blocking those networks. This is not necessarily a bad idea, but one has to MAINTAIN those ACLs, otherwise you will block good traffic.
That’s a big problem. BGP also suffers from those outdated filters (see De-Bogonising New Address Blocks on ripe.net).
access-list 104 deny ip 220.127.116.11 0.255.255.255 any
2/8 is allocated to the RIPE NCC, your filters are outdated and your are probably dropping packets from legitimate users.
So how do I do it the right way?
You need stateful packet inspection (SPI), because a static ACL cannot give you the security you need. CBAC will do this for you.
You will setup an ACL to permit only the traffic CBAC doesn’t match (like PATs or services/protocols running on the router).
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any echo-reply
ip inspect name FW udp
ip inspect name FW tcp
ip inspect name FW ftp
ip inspect name FW icmp
ip inspect name FW http
ip inspect FW in
no ip unreachables
ip access-group 110 in
In this case you will only permit echo-replays and unreachables to the router. Traffic which isn’t permitted by CBAC or the ACL statements is dropped.
I always configure ‘no ip unreachables’ on the WAN facing interface if I expect ACL drops, because otherwise the router would send a ICMP Type 3 Code 9/10 message (Network/Host is Administratively Prohibited).
You can verify this functionality with ‘show access-lists’ and ‘show ip inspect sessions’:
sh ip inspect sessions
Session 82A56C1C (10.50.1.50:1154)=>(18.104.22.168:80) tcp SIS_OPEN
Session 82A5739C (10.50.1.50:61488)=>(22.214.171.124:53) udp SIS_OPEN
Session 82A56E9C (10.50.1.50:57253)=>(126.96.36.199:53) udp SIS_OPEN