

You probably have a router running a basic IOS image without the Firewall (FW) feature set. You understand that you need a good firewall to protect your network from Internet intruders. Therefore there must be some kind of protection in place that at least tries to block unwelcome incoming traffic from the Internet or from any other untrusted network.

Protection PAT Provides by Nature

When you have dynamic PAT in place so that several internal machines can access the Internet, PAT by its nature already gives you an advantage. PAT is designed to present a single Outside IP address for multiple Inside machines whose connections are initiated from those Inside machines going out. When hackers on the Internet send unwelcome traffic into the Inside network, that traffic is unable to reach the intended Inside machines, since multiple Inside machines are represented by the one PAT address and no NAT session matches such traffic; hence PAT drops it. For more info on the NAT/PAT process, check out the following FAQ.
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Different Protection Approaches

Furthermore, one or more of the following should be in place to protect your network in addition to the natural PAT protection.

1. Set up a hardware firewall (e.g. a PIX Firewall) in front of the router
2. Upgrade the router to run an IOS image with the FW feature
3. Apply a basic Firewall ACL to the Internet-facing router interface

Option 1

Check out the following FAQ for a sample configuration of a PIX Firewall in front of a router.
»Cisco Forum FAQ »Internet - PIX/ASA - Router - LAN

This setup is the best approach to the problem. However, there are some constraints that might prevent you from choosing this option, such as:

* Financial burden
* The router has an integrated modem (e.g. DSL, cable modem, T1, ISDN), or the router's Internet-facing (WAN) interface is not an Ethernet interface
* You do BGP peering with another AS, which requires a router or layer-3 switch to be the public edge equipment

When the router's WAN interface is not Ethernet, or your router is BGP peering, you still have the choice of setting up a hardware firewall behind the router while the router runs a basic firewall ACL.

Check out the following FAQ for a sample configuration of a PIX Firewall behind a router.
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

When the financial burden is the constraint, the only choice is to have the router run a basic firewall ACL.

Option 2

Upgrading the router is also a good approach. The following might prevent you from doing so.

* You currently don't have a proper SMARTnet contract, and getting or renewing the contract might be a hassle
* The router might run too hot on memory and CPU when it already handles heavy routing
* Activating any additional feature on the router (including the FW feature) takes router resources (memory and CPU) and might degrade the router's robustness or performance
* You don't have management control over the router, since another party (e.g. your ISP or vendor) has it
* You need to meet government agency regulations, and using the router as a firewall might not meet such regulations

When you are in at least one of those situations, your best option is to put a hardware firewall in front of or behind the router.

Option 3

This option is the most economical and might be a quick way to tackle the problem. Keep in mind that

* This basic Firewall ACL only works in certain situations and with certain protocol usages
* Should you choose to implement this basic Firewall ACL on the router, it is suggested to have an additional hardware firewall sitting behind the router as the long-term and complete solution

Assumptions on the sample configuration:

* Ethernet 0 is your LAN interface and Ethernet 1 is your WAN interface
* You have a single static Public IP address within your network (the
* The Internet default gateway is
* Your LAN only has as internal network and nothing else
* You run public Web and Mail servers (the www and smtp) using the as the public IP address
* The internal Mail server IP address is and the internal Web server IP address is
* You also use for Internet browsing traffic from your LAN
* You use your ISP DNS servers to browse the Internet (the TCP and UDP port 53)
* Your LAN users' typical daily usage is only browsing the Internet (which only uses protocol TCP), and no other protocols are used
* You keep logs on potential illegitimate traffic attempts

Following is the sample configuration


1. The sample configuration is not intended as a full router configuration. It only shows the related commands.

2. ACL 100: Inbound Traffic Firewall
* The key to the Firewall ACL (ACL 100) is the "established" keyword
* Internet browsing means outbound connections initiated from your LAN out to the Internet
* Most common Internet browsing (e.g. opening websites, FTP sites, some Internet video or audio live streaming) only requires protocol TCP
* With Internet browsing, only established TCP packets need to enter your network, as reply packets
* These established TCP packets are TCP ACK (acknowledge) packets, either during the three-way handshake or in ESTABLISHED mode (the actual data transfer), and RST (reset, to close the connection) packets
* With the "established" keyword, only TCP packets with ACK or RST set will be permitted to enter your network
* Note that there is no need to specify "access-list 100 permit tcp any eq 53 host" since "access-list 100 permit tcp any host established" would take care of reply TCP port 53 (DNS) packets
* This ACL assumes that you have a static IP address assignment from your ISP (a real static IP, not static by DHCP; read this FAQ for more info: http://www.dslreports.com/faq/14829 ). If your router must receive its IP address from the ISP DHCP server, then you need to permit incoming bootps traffic as well. Here is what ACL 100 looks like when it incorporates the ISP DHCP incoming bootps packets.

* Sometimes you need to permit some basic ICMP traffic to pass through the router, namely Echo Reply (ICMP Type 0), Unreachable (ICMP Type 3), and Time Exceeded (ICMP Type 11). When this is the case, ACL 100 should look something like this

3. ACL 101: Outbound Traffic Firewall
* Those TCP and UDP ports are known to be used by viruses/worms, therefore outbound connections to the Internet on such ports should be blocked
* The host IP addresses are "invalid IP addresses" from the Internet browsing perspective
* Since only the subnet is used as the Public IP subnet, any other IP address from a different subnet trying to go out to the Internet through the router is illegitimate traffic; hence it should be blocked

4. ACL 110: NAT/PAT Traffic Firewall
* NAT/PAT sourced from any IP address within your Public IP subnet, or from any IP address other than your internal subnet, is illegitimate traffic and a known DoS (Denial of Service) attack pattern; hence it should be blocked
* There are no private subnets on the Internet, hence NAT/PAT to those subnets should be blocked as well

5. Blackholing illegitimate traffic
Since there are no other private subnets within your network than, traffic to other private subnets should go to the Null interface (black hole).

In addition, there should be blackhole routes in place for unassigned or reserved IANA IP addresses, since hackers frequently use these IP addresses. For more info on these unassigned or reserved IANA IP addresses, check out the following IANA site.

Abuse Issues and IP Addresses

As an illustration, you can verify (after researching the above link) that IP subnet is IANA reserved IP addresses. Therefore there should be no traffic to and from The black hole route for this then should be the following
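Because the FAQ's own configuration listing did not survive on this page, the following is an added sample (not aryoba's original) that puts sections 2 through 5 together on one router running dynamic PAT. Every address in it is a placeholder from the documentation ranges, the worm ports and the reserved block are my choices, and the UDP/53 line is added because the "established" keyword has no UDP equivalent.

```cisco
! Constructed example: 203.0.113.0/29 is the public subnet, 203.0.113.2 the
! router WAN address, 203.0.113.1 the ISP gateway, 192.168.1.0/24 the LAN,
! 198.51.100.53 the ISP resolver. All are placeholders, not the FAQ's values.
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group 100 in
 ip access-group 101 out
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! Port forwards to the (assumed) internal web and mail servers, then PAT
ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80 extendable
ip nat inside source static tcp 192.168.1.20 25 203.0.113.2 25 extendable
ip nat inside source list 110 interface Ethernet1 overload
! ACL 100, inbound: "established" matches TCP segments with ACK or RST set,
! i.e. replies to connections the LAN opened (this covers TCP/53 as well).
access-list 100 permit tcp any host 203.0.113.2 established
access-list 100 permit tcp any host 203.0.113.2 eq www
access-list 100 permit tcp any host 203.0.113.2 eq smtp
! UDP has no "established": DNS replies must be permitted explicitly,
! so restrict them to the ISP resolver.
access-list 100 permit udp host 198.51.100.53 eq domain host 203.0.113.2
! ICMP types needed for ping, traceroute and path MTU discovery
access-list 100 permit icmp any host 203.0.113.2 echo-reply
access-list 100 permit icmp any host 203.0.113.2 unreachable
access-list 100 permit icmp any host 203.0.113.2 time-exceeded
access-list 100 deny ip any any log
! ACL 101, outbound (after PAT, so LAN traffic appears as 203.0.113.2):
! block worm ports (135-139 and 445 chosen here) and non-public sources.
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq 445 log
access-list 101 permit ip 203.0.113.0 0.0.0.7 any
access-list 101 deny ip any any log
! ACL 110: only the LAN subnet is translated, never public-subnet sources
! or traffic bound for private space.
access-list 110 deny ip 203.0.113.0 0.0.0.7 any log
access-list 110 deny ip any 10.0.0.0 0.255.255.255
access-list 110 deny ip any 172.16.0.0 0.15.255.255
access-list 110 deny ip any 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
! Black holes for unused private space and one reserved IANA block
! (240.0.0.0/4 chosen here); the connected /24 wins over the /16 route.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 240.0.0.0 240.0.0.0 Null0
```

Because the filter is stateless, any packet with the ACK or RST bit set matches the "established" line whether or not a LAN host ever opened the connection, which is the limitation behind the FAQ's advice to place a real firewall behind the router.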

More Sample Configuration using ACL as Basic Firewall


With the above description, the following is a list of typical network security perimeters to protect your network; each choice has its own merit depending on your network requirements.

* Internet router with Basic Internet Firewall ACL and firewall behind the router
* Internet router with Basic Internet Firewall ACL that does NAT/PAT and firewall behind the router
* Internet router with Basic Internet Firewall ACL and firewall behind the router that does NAT/PAT
* Internet router, firewall behind router, and IDS/IPS to either monitor or zap unwanted traffic


by aryoba See Profile
last modified: 2010-12-12 09:44:51