Network Security
Router Based Rules
David Funk
Systems Administrator
Computer Systems Support
COE, University of Iowa
Router Filtering
Goals and Limitations
- Know your network topology
- Know your hardware’s characteristics
- Proper division of labor

Router Filtering
Goals and Limitations
- Protect resources
  - Easy stuff (IP packet spoof filter)
  - Harder (protect port 135/139)
- Permit necessary access
  - Servers visible to outside world
  - Use proxies to protect “tender” resources
  - Use “tougher” machines for outside services
Router Filtering
Know your network topology
- Choose logical boundaries
- Segregate hosts by class
  - Client only
  - Local servers
  - Global servers
  - Intranets
Topology
[Diagram: Border router, Internal router, Client net, Server net]
Hardware
- ACL limits
- In vs. Out filters
- Stateful filters
  - TCP SYN packet for pseudo state
- Protocol restrictions
- Data rate limits
- Fail over options?
Division of Labor
- Border vs. Internal Routers
- Filters on end Hosts
- Add hardware where necessary
- Fault tolerance?

Details
- Testing
- Maintenance
- Honeypot + sniffer logs
- Software Updates
- Documentation
- Oddball stuff (DHCP)

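The maintenance items above (testing, honeypot and sniffer logs) and the `log` keyword on the deny lines in the ACLs that follow go together: every logged ACE hit arrives as a syslog message, and those messages are the cheapest signal the router gives you about what is being tried against the filtered ports. The following Python is an added example, not part of the deck and not Cisco's code. It assumes the usual Cisco IOS `%SEC-6-IPACCESSLOGP` message shape for TCP/UDP hits (check the regular expression against your own syslog before relying on it), and the sample lines are constructed: the router name, sequence numbers and source addresses are made up, with destinations placed inside the deck's 128.255.16.0/20 range.

```python
import re
from collections import Counter, defaultdict

# Shape of the IOS %SEC-6-IPACCESSLOGP message an ACE with the 'log' keyword emits
# for TCP/UDP (assumed from the usual IOS format; verify against your own syslog).
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(lines):
    """One dict per recognised ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in lines:
        m = LOGP_RE.search(line)
        if m:
            e = m.groupdict()
            for k in ("sport", "dport", "count"):
                e[k] = int(e[k])
            events.append(e)
    return events

def denied_packets_by_port(events):
    """Denied packets per (proto, destination port): which filtered services are being hit."""
    totals = Counter()
    for e in events:
        if e["action"] == "denied":
            totals[(e["proto"], e["dport"])] += e["count"]
    return totals

def sweeping_sources(events, min_destinations=3):
    """Sources whose denied traffic touched at least min_destinations distinct inside hosts:
    the footprint a worm or scanner leaves, and the first thing to correlate with honeypot logs."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "denied":
            seen[e["src"]].add(e["dst"])
    return sorted(src for src, dsts in seen.items() if len(dsts) >= min_destinations)

# Constructed sample syslog lines (router name, sequence numbers and sources are made up;
# sources use documentation addresses, destinations fall inside the deck's 128.255.16.0/20).
SAMPLE_SYSLOG = """\
Aug 12 03:14:07 border-rtr 211: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.9(3417) -> 128.255.17.50(135), 1 packet
Aug 12 03:14:08 border-rtr 212: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.9(3418) -> 128.255.17.51(135), 1 packet
Aug 12 03:14:08 border-rtr 213: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.9(3419) -> 128.255.17.52(135), 1 packet
Aug 12 03:14:09 border-rtr 214: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.9(3420) -> 128.255.17.53(135), 1 packet
Aug 12 03:15:01 border-rtr 215: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.0.113.2(49201) -> 128.255.21.7(445), 1 packet
Aug 12 03:19:10 border-rtr 216: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.0.113.2(49201) -> 128.255.21.7(445), 12 packets
Aug 12 03:20:00 border-rtr 217: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.0.113.2(49300) -> 128.255.21.7(4444), 1 packet
Aug 12 03:21:33 border-rtr 218: %SYS-5-CONFIG_I: Configured from console by admin
""".splitlines()

if __name__ == "__main__":
    events = parse_acl_log(SAMPLE_SYSLOG)
    print(denied_packets_by_port(events))
    print(sweeping_sources(events))
```

IOS rate-limits these messages and folds repeats into a single "N packets" line, which is why the counter adds `count` rather than counting lines; with the sample above the 445 total is 13 packets from two messages, and the first source shows up as a sweep because it touched four distinct hosts on 135.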
Details
access-list 103 deny ip 128.255.16.0 0.0.15.255 any log
access-list 103 deny ip 127.0.0.0 0.0.0.15 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 permit ip host 128.255.1.3 any
access-list 103 permit ip host 128.255.64.3 any
access-list 103 deny ip any 128.255.18.12 0.0.1.1 log
access-list 103 deny ip any host 128.255.19.11 log
access-list 103 deny ip any 128.255.18.16 0.0.1.0 log
access-list 103 deny ip any 128.255.26.64 0.0.1.15 log
access-list 103 permit ip any 128.255.22.0 0.0.0.31
access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 139
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 139
Details
access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 139
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 139
access-list 103 permit udp 128.255.0.0 1.0.255.255 128.255.23.0 0.0.0.255 eq 135
access-list 103 permit tcp 128.255.0.0 1.0.255.255 128.255.23.0 0.0.0.255 eq 135
access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 137
access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 138
access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 139
access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 445
access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 445
access-list 103 deny udp any eq tftp 128.255.16.0 0.0.15.255 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq tftp log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 135 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 135 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 138 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 139 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 445 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 445 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 593 log
access-list 103 permit tcp any 128.255.16.0 0.0.15.255 established
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 6346
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 4444 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 707 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 50000 log
access-list 103 permit ip any 128.255.23.0 0.0.0.255
Details
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 5000 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 1900 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 1433
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 1434
access-list 103 deny udp any 128.255.20.0 0.0.1.255 eq 111 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq snmp log
access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq 6000
access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq ssh
access-list 103 permit tcp any eq 20 128.255.20.0 0.0.1.255 gt 1023
access-list 103 deny tcp any 128.255.20.0 0.0.1.255 log
Details
access-list 127 permit ip 128.255.27.0 0.0.0.255 any
access-list 127 permit udp any eq bootps any
access-list 127 permit udp any eq bootpc any
access-list 127 deny ip any any log
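The lists above are evaluated top to bottom, first match wins, and anything that matches nothing hits the implicit deny at the end, so the order of the lines decides what the filter actually does: the `established` line in ACL 103 sits before the specific TCP denies that follow it, which means those denies only ever see new connection attempts (SYNs), and the `established` keyword itself is the "TCP SYN packet for pseudo state" check from the Hardware slide: it admits any segment with ACK or RST set, whether or not a connection exists. To make that ordering visible, here is an added example in Python that is not part of the deck and not Cisco's code: a small model of IOS numbered-ACL matching that parses an excerpt of ACL 103 exactly as written on the slides, handles `host`, `any`, wildcard masks (including the non-contiguous 0.0.1.1), `eq`/`gt` port operators and `established`, and evaluates constructed packets against it. The `Packet` type, the port-name table and the packets used to exercise it are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

PORT_NAMES = {"tftp": 69, "ssh": 22, "snmp": 161, "bootps": 67, "bootpc": 68}  # keywords the deck uses

def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

@dataclass
class Addr:
    base: int
    wild: int  # Cisco wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: int) -> bool:
        # Only bits where the wildcard is 0 must agree, so a non-contiguous mask like 0.0.1.1 works.
        return ((ip ^ self.base) & (~self.wild & 0xFFFFFFFF)) == 0

@dataclass
class PortOp:
    op: str  # "eq" or "gt"
    port: int

    def matches(self, p: int) -> bool:
        return p == self.port if self.op == "eq" else p > self.port

@dataclass
class Ace:
    action: str
    proto: str
    src: Addr
    sport: Optional[PortOp]
    dst: Addr
    dport: Optional[PortOp]
    established: bool
    text: str

@dataclass
class Packet:  # constructed packet description for the model (not a real packet format)
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)  # TCP flags, e.g. {"SYN"} or {"ACK"}

def _addr(toks, i):
    if toks[i] == "any":
        return Addr(0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return Addr(ip_int(toks[i + 1]), 0), i + 2
    return Addr(ip_int(toks[i]), ip_int(toks[i + 1])), i + 2

def _port(toks, i):
    if i < len(toks) and toks[i] in ("eq", "gt"):
        return PortOp(toks[i], PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op] [established] [log]'."""
    toks = line.split()
    src, i = _addr(toks, 4)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Ace(toks[2], toks[3], src, sport, dst, dport, "established" in toks[i:], line)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (ace.src.matches(ip_int(pkt.src)) and ace.dst.matches(ip_int(pkt.dst))):
        return False
    if ace.sport and not ace.sport.matches(pkt.sport):
        return False
    if ace.dport and not ace.dport.matches(pkt.dport):
        return False
    # 'established' is the pseudo-state check: only ACK/RST segments qualify, never the initial SYN.
    return not ace.established or bool(pkt.flags & {"ACK", "RST"})

def evaluate(acl, pkt: Packet):
    """First match wins; unmatched traffic hits the implicit deny. Returns (action, Ace or None)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace
    return "deny", None

# Excerpt of the deck's ACL 103, lines verbatim and in the deck's order.
ACL_103 = [parse_ace(line) for line in """\
access-list 103 deny ip 128.255.16.0 0.0.15.255 any log
access-list 103 deny ip any 128.255.18.12 0.0.1.1 log
access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 445
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 445 log
access-list 103 permit tcp any 128.255.16.0 0.0.15.255 established
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 4444 log
access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq ssh
access-list 103 permit tcp any eq 20 128.255.20.0 0.0.1.255 gt 1023
access-list 103 deny tcp any 128.255.20.0 0.0.1.255 log
""".splitlines()]
```

A few constructed packets show the points that matter when reviewing an ACL like this: a SYN from outside to 128.255.17.50 port 4444, `evaluate(ACL_103, Packet("tcp", "203.0.113.5", "128.255.17.50", 49152, 4444, {"SYN"}))`, is denied by the `eq 4444` line, but the same packet with only ACK set is permitted by the `established` line above it, which is exactly the limit of pseudo-state filtering; a packet sourced from 128.255.20.5 arriving on the outside interface is dropped by the spoof filter on the first line before anything else is consulted; 128.255.19.13 falls inside the `128.255.18.12 0.0.1.1` wildcard while 128.255.18.14 does not; and a UDP datagram to 128.255.21.7 port 53 matches nothing and is dropped by the implicit deny.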