You may have a router running a basic IOS image without the Firewall (FW) feature set. You understand that you need a good firewall to protect your network from Internet intruders, so some kind of protection must be in place to at least block unwelcome incoming traffic from the Internet or from any other untrusted network.

Protection PAT Provides by Nature

When you have dynamic PAT in place so that several internal machines can access the Internet, PAT already provides some protection by its nature. PAT is designed to present a single outside IP address for multiple inside machines, for connections initiated by those inside machines going out. When hackers on the Internet send unwelcome traffic toward the inside network, that traffic cannot reach the intended inside machines: many inside addresses are represented by the one PAT address, no NAT session matches the unsolicited traffic, and so PAT drops it. For more on the NAT/PAT process, check out the following FAQ.
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Different Protection Approaches

Furthermore, in addition to the protection PAT provides by nature, one of the following should be in place to protect your network.

1. Set up a hardware firewall (e.g. PIX Firewall) in front of the router
2. Upgrade the router to run an IOS image with the FW feature
3. Apply a basic firewall ACL to the Internet-facing router interface

Option 1

Check out the following FAQ for a sample configuration of a PIX Firewall in front of a router.
»Cisco Forum FAQ »Internet - PIX/ASA - Router - LAN

This setup is the best approach to the problem. However, there are constraints that might prevent you from choosing this option, such as:

* Financial burden
* The router has an integrated modem (e.g. DSL, cable modem, T1, ISDN) or the router's Internet-facing (WAN) interface is not an Ethernet interface
* You do BGP peering with another AS, which requires a router or layer-3 switch to be the public edge equipment

When the router's WAN interface is not Ethernet or your router does BGP peering, you can instead set up the hardware firewall behind the router, with the router running the basic firewall ACL.

Check out the following FAQ for a sample configuration of a PIX Firewall behind a router.
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

When finances are the constraint, the only choice is to have the router run the basic firewall ACL.

Option 2

Upgrading the router is also a good approach. The following might prevent you from doing so.

* You currently don't have a proper SmartNet contract, and getting or renewing the contract might be a hassle
* The router might already run hot on memory and CPU when it carries a heavy routing load
* Activating any additional feature on the router (including the FW feature) consumes router resources (memory and CPU) and might degrade the router's robustness or performance
* You don't have management control over the router, because another party (e.g. your ISP or vendor) manages it
* You need to meet government agency regulations, and using the router as a firewall might not satisfy them

If you are in at least one of those situations, your best option is a hardware firewall in front of or behind the router.

Option 3

This option is the most economical and might be a quick way to tackle the problem. Keep in mind that

* This basic firewall ACL only works in certain situations and with certain protocols
* Should you choose to implement this basic firewall ACL on the router, it is suggested that you also have a hardware firewall behind the router as the long-term and complete solution

Assumptions for the sample configuration:

* Ethernet 0 is your LAN interface and Ethernet 1 is your WAN interface
* You have a single static public IP address (1.1.1.2/30)
* The Internet default gateway is 1.1.1.1/30
* Your LAN has only 10.0.0.0/24 as its internal network and nothing else
* You run public Web and Mail servers (www and smtp) using 1.1.1.2 as the public IP address
* The internal Mail server IP address is 10.0.0.2 and the internal Web server IP address is 10.0.0.3
* You also use 1.1.1.2 for Internet browsing traffic from your LAN
* You use your ISP's DNS servers to browse the Internet (TCP and UDP port 53)
* Your LAN users' typical daily usage is only browsing the Internet (which uses only TCP) and no other protocols
* You keep logs of potential illegitimate traffic attempts

Following is the sample configuration:

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip access-group 100 in
ip access-group 101 out
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip nat inside source static tcp 10.0.0.2 25 1.1.1.2 25
ip nat inside source static tcp 10.0.0.3 80 1.1.1.2 80
!
ip nat inside source list 110 interface Ethernet1 overload
!
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit tcp any host 1.1.1.2 eq 25
access-list 100 permit tcp any host 1.1.1.2 eq 80
access-list 100 permit udp any eq 53 host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any any log-input
!
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny tcp any any eq 135 log-input
access-list 101 deny tcp any eq 135 any log-input
access-list 101 deny udp any any eq 135 log-input
access-list 101 deny udp any eq 135 any log-input
access-list 101 deny tcp any any range 137 139 log-input
access-list 101 deny tcp any range 137 139 any log-input
access-list 101 deny udp any any range 137 139 log-input
access-list 101 deny udp any range 137 139 any log-input
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any eq 445 any log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny udp any eq 445 any log-input
access-list 101 deny tcp any any eq 593 log-input
access-list 101 deny tcp any eq 593 any log-input
access-list 101 deny tcp any any eq 707 log-input
access-list 101 deny tcp any eq 707 any log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any eq 4444 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 deny ip any any log-input
!
access-list 110 remark Deny NAT/PAT for Illegitimate Traffic
access-list 110 deny ip 1.1.1.0 0.0.0.3 any log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any log-input
 

Notes:

1. The sample configuration is not intended as a full router configuration. It only shows the related commands.

2. ACL 100: Inbound Traffic Firewall
* The key to the firewall ACL (ACL 100) is the "established" keyword
* Internet browsing means outbound connections initiated from your LAN out to the Internet
* Most common Internet browsing (opening websites, FTP sites, some live Internet video or audio streaming) requires only TCP
* With Internet browsing, only established TCP packets need to enter your network, as reply packets
* These established TCP packets are TCP ACK (acknowledge) segments, during the three-way handshake or in the ESTABLISHED state (the actual data transfer), and RST (reset, to close the connection)
* With the "established" keyword, only TCP packets with the ACK or RST bit set are permitted to enter your network
* Note that there is no need to specify "access-list 100 permit tcp any eq 53 host 1.1.1.2", since "access-list 100 permit tcp any host 1.1.1.2 established" takes care of reply TCP port 53 (DNS) packets
* This ACL assumes that you have a static IP address assignment from your ISP (a real static IP, not one that is static by DHCP; read this FAQ for more info »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address). If your router must receive its IP address from the ISP's DHCP server, then you need to permit incoming bootps traffic as well. Here is what ACL 100 looks like when it incorporates the ISP's incoming DHCP (bootps) packets.

access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq 25
access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any log-input
 

* Sometimes you need to permit some basic ICMP traffic through the router: Echo Reply (ICMP Type 0), Unreachable (ICMP Type 3), and Time Exceeded (ICMP Type 11). In that case, ACL 100 should look something like this

access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit icmp any host 1.1.1.2 0
access-list 100 permit icmp any host 1.1.1.2 3
access-list 100 permit icmp any host 1.1.1.2 11
access-list 100 permit tcp any host 1.1.1.2 eq 25
access-list 100 permit tcp any host 1.1.1.2 eq 80
access-list 100 permit udp any eq 53 host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any any log-input
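To make the "established" behaviour concrete, here is an added example (not from the FAQ) of a small IOS-style first-match ACL evaluator loaded with the FAQ's ACL 100 and run over constructed inbound packets. The source address 203.0.113.9 and the port numbers are made up for illustration; the last sample shows the caveat that "established" is stateless, which is why the FAQ recommends a stateful firewall behind the router.

```python
import ipaddress

# Added example, not from the FAQ: a small IOS-style ACL evaluator, loaded with the
# FAQ's ACL 100. ACE fields: (action, proto, src, src_port, dst, dst_port, established).
# "any" matches every address, None matches every port; "host 1.1.1.2" is 1.1.1.2/32.
ACL_100 = [
    ("permit", "tcp", "any", None, "1.1.1.2/32", 25,   False),
    ("permit", "tcp", "any", None, "1.1.1.2/32", 80,   False),
    ("permit", "udp", "any", 53,   "1.1.1.2/32", None, False),
    ("permit", "tcp", "any", None, "1.1.1.2/32", None, True),   # established
    ("deny",   "ip",  "any", None, "any",        None, False),  # explicit final deny
]

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, pkt):
    """First-match evaluation, as IOS does. Returns (action, ACE index); the index is
    None when the implicit deny at the end of the list fires."""
    for i, (action, proto, src, sport, dst, dport, established) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])):
            continue
        if sport is not None and sport != pkt.get("sport"):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        # "established" is stateless: it matches any TCP segment with ACK or RST set,
        # which is what replies to LAN-initiated connections carry. A bare SYN never matches.
        if established and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return action, i
    return "deny", None

# Constructed packets as seen inbound on Ethernet1 (203.0.113.0/24 is documentation space).
SAMPLES = {
    "smtp_to_mailserver":  dict(proto="tcp", src="203.0.113.9", sport=40000, dst="1.1.1.2", dport=25, flags={"SYN"}),
    "https_reply":         dict(proto="tcp", src="203.0.113.9", sport=443, dst="1.1.1.2", dport=51000, flags={"SYN", "ACK"}),
    "syn_to_ssh":          dict(proto="tcp", src="203.0.113.9", sport=40001, dst="1.1.1.2", dport=22, flags={"SYN"}),
    "dns_reply":           dict(proto="udp", src="203.0.113.53", sport=53, dst="1.1.1.2", dport=52000),
    "udp_to_snmp":         dict(proto="udp", src="203.0.113.9", sport=40002, dst="1.1.1.2", dport=161),
    "icmp_echo_reply":     dict(proto="icmp", src="203.0.113.9", dst="1.1.1.2"),
    "ack_without_session": dict(proto="tcp", src="203.0.113.9", sport=40003, dst="1.1.1.2", dport=22, flags={"ACK"}),
}

def decisions():
    """Map each sample packet name to the ACL action it receives."""
    return {name: evaluate(ACL_100, pkt)[0] for name, pkt in SAMPLES.items()}
```

Note that icmp_echo_reply is denied by this base ACL 100; it only passes once the ICMP lines from the variant above are added.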
 

3. ACL 101: Outbound Traffic Firewall
* Those TCP and UDP ports are known to be used by viruses/worms, so outbound connections to the Internet on such ports should be blocked
* The host IP addresses are "invalid IP addresses" from an Internet browsing perspective
* Since only the 1.1.1.0/30 subnet is used as the public IP subnet, any other IP address from a different subnet trying to go out to the Internet through the router is illegitimate traffic and should be blocked

4. ACL 110: NAT/PAT Traffic Firewall
* NAT/PAT sourced from any IP address within your public IP subnet, or from any IP address other than your internal subnet, is illegitimate traffic that is known to be used in DoS (Denial of Service) attacks, and should be blocked
* There are no private subnets on the Internet, so NAT/PAT to those subnets should be blocked as well

5. Blackholing illegitimate traffic
Since there are no private subnets within your network other than 10.0.0.0/24, traffic to other private subnets should go to the Null interface (black hole).

In addition, there should be blackhole routes in place for unassigned or reserved IANA IP addresses, since hackers often use these addresses. For more info on unassigned or reserved IANA IP addresses, check out the following IANA site.

Abuse Issues and IP Addresses

As an illustration, you can verify (after researching the link) that the 23.0.0.0/8 subnet is IANA reserved. Therefore there should be no traffic to or from 23.0.0.0/8. The black hole route for it is then the following
ip route 23.0.0.0 255.0.0.0 Null0
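To show why the Null0 routes do not swallow the LAN's own 10.0.0.0/24 (the connected /24 is more specific than the /8 black hole), here is an added longest-prefix-match lookup in Python; it is not part of the FAQ, and the routing table is constructed from the FAQ's sample config. Allocations change over time, so check the current IANA registry before blackholing any block.

```python
import ipaddress

# Added example, not from the FAQ: a longest-prefix-match lookup over a constructed table
# mirroring the FAQ's "ip route" lines plus the two connected interfaces.
# 23.0.0.0/8 is the FAQ's own example; check the current IANA registry before blackholing
# any block, because allocations change over time.
ROUTES = [
    ("0.0.0.0/0",      "1.1.1.1"),    # default route to the ISP gateway
    ("1.1.1.0/30",     "Ethernet1"),  # connected WAN subnet
    ("10.0.0.0/24",    "Ethernet0"),  # connected LAN subnet
    ("10.0.0.0/8",     "Null0"),      # remaining RFC 1918 space: black hole
    ("172.16.0.0/12",  "Null0"),
    ("192.168.0.0/16", "Null0"),
    ("23.0.0.0/8",     "Null0"),      # the FAQ's reserved-range example
]

def lookup(dst, routes=ROUTES):
    """Return the next hop or interface for dst, choosing the most specific prefix
    as the IOS forwarding table does; Null0 means the packet is silently dropped."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

def is_blackholed(dst, routes=ROUTES):
    """True when dst would be discarded by a Null0 route."""
    return lookup(dst, routes) == "Null0"
```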
 

More Sample Configurations using ACL as Basic Firewall
»Cisco Forum FAQ »Configure DMZ on routers

Considerations

With the above in mind, the following is a list of typical network security perimeter designs to protect your network; each choice has its own merit depending on your network requirements

* Internet router with Basic Internet Firewall ACL and firewall behind the router
* Internet router with Basic Internet Firewall ACL that does NAT/PAT and firewall behind the router
* Internet router with Basic Internet Firewall ACL and firewall behind the router that does NAT/PAT
* Internet router, firewall behind router, and IDS/IPS to either monitor or zap unwanted traffic


by aryoba
last modified: 2010-12-12 09:44:51