Network Security Firewalls

RE: Cisco 836 Firewall

Subject: RE: Cisco 836 Firewall
Date: Fri, 27 Aug 2004 10:00:14 +0100
IOS access-lists are not stateful.

I.e. if you allow internal to any eq 80, then return traffic from the external
server cannot get back into the network.

You either need to create an "allow any eq 80 to internal" type access-list
statement or use the firewall feature set, which generates reverse dynamic rules.

________________________________

From: Kidder, Roy [mailto:Roy.Kidder@safelite.com] 
Sent: 26 August 2004 13:32
To: Daniel Benden; firewalls@securityfocus.com
Subject: RE: Cisco 836 Firewall

I'm not familiar with the 836, but I have used the 800 series routers and IOS.
If you're permitting traffic out on a single IP (PAT) and nothing inbound, your
internal network is reasonably secure. The other thing you'll want to do is
secure the router itself. The easiest way to do this is to apply an access list
to the outside interface which denies telnet (tcp/23) and ssh (tcp/22) to all
inbound traffic. In addition to that, I would suggest turning off any
small-servers which are running on the router as well as the web configuration
interface (assuming you're using command line). Also, if you're not using SNMP,
I'd also turn that off. If you are using the web interface and/or SNMP, then
I'd include those in your access list for telnet and ssh.

Another good idea is to throw away any RFC1918 IP addresses which appear on
your outside interface. This protects your inside network (assuming you're
using RFC1918 there) from being spoofed from the outside world.

Basically the idea you're trying to accomplish is to drop any packets from the
outside world that could potentially be those coming from an intruder. And by
doing this on your outside interface, you're dropping the packets before they
could even reach the service for which they're destined.

Hope that helps,

Roy

________________________________

From: Daniel Benden [mailto:DanielBenden@dbedvtkserver.de] 
Sent: Tuesday, August 24, 2004 4:03 PM
To: firewalls@securityfocus.com
Subject: Cisco 836 Firewall

Hello,

Does anybody know a good and secure setup for a Cisco 836 integrated firewall?
To my knowledge, I don't need a firewall when using dynamic NAT. All PCs use
one IP to the internet, and no global-to-local IP mappings were added, so the
network should not be attackable from the outside. Am I right with this?

Thanks in advance

Kind regards

Daniel Benden

-- 
Daniel Benden EDV- und TK-Consulting
Hahnenkamp 6
52445 Titz
Deutschland
Tel: +49 (0) 2164 7027-0
Fax: +49 (0) 2164 7027-10
24h Service: +49 (0) 2164 7027-19

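The two pieces of advice in this thread, the top reply's point that plain IOS access lists are not stateful (so return traffic needs either an explicit permit or the firewall feature set's dynamic reverse entries) and Roy's list of router-hardening steps, worked into one configuration. This is an added example, not configuration posted by anyone in the thread. It assumes Dialer0 is the ADSL/outside interface and Ethernet0 the LAN, that the inside network is 192.168.1.0/24, that the 836's image includes the firewall feature set (the ip inspect commands do not exist otherwise), and that the router is only ever managed from the LAN; the names OUTSIDE-IN, NAT-INSIDE, MGMT and FW are arbitrary.

```cisco
! Added example, not from the thread. Interface names, addresses and ACL names
! are assumptions (see the lead-in).
!
! Service hardening: with PAT alone the router's own listeners (small servers,
! finger, bootp, CDP, the web configuration interface, SNMP) are still reachable
! on the outside address, so turn off whatever is not in use.
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
no cdp run
no ip http server
no ip http secure-server
no snmp-server
service password-encryption
!
! Management only from the LAN: access-class on the vty lines rejects telnet/ssh
! to the outside address even if the interface ACL is ever loosened.
ip access-list standard MGMT
 permit 192.168.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT in
 transport input ssh
!
! PAT: every inside host leaves as the Dialer0 address (Daniel's setup).
ip access-list standard NAT-INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! The stateful part. CBAC inspection of sessions leaving Dialer0 creates the
! temporary reverse entries for their return traffic, so OUTSIDE-IN never needs
! a blanket "permit tcp any eq 80 any" for web replies.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound filter on the outside interface. Order matters: first drop packets
! claiming an RFC1918 (or loopback) source, which cannot legitimately arrive from
! the internet; then drop attempts to reach the router's own management
! services; then deny everything else. Replies to inspected sessions match the
! dynamic entries CBAC inserts ahead of these static lines.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   tcp any any eq 22 log
 deny   tcp any any eq telnet log
 deny   tcp any any eq www log
 deny   udp any any eq snmp log
 deny   ip any any log
!
! Without the firewall feature set the nearest plain-ACL substitutes are:
!   permit tcp any any established   (TCP only; matches any packet with ACK or
!                                     RST set, so it is not stateful and leaves
!                                     UDP replies such as DNS unsolved), or
!   reflexive ACLs: "permit tcp any any reflect RTRAFFIC" on the outbound list
!   and "evaluate RTRAFFIC" placed in OUTSIDE-IN before the final deny.
!
interface Ethernet0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip proxy-arp
!
interface Dialer0
 description ADSL / outside
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
```

Two things to check after applying it: `show ip inspect sessions` should list an entry for each open connection from the LAN while it is active, and the hit counters in `show access-lists OUTSIDE-IN` should climb only on the deny lines, since legitimate replies are consumed by the dynamic entries. Note that with only tcp and udp inspected, ping from the LAN gets no echo replies back; images that support it can add `ip inspect name FW icmp`, otherwise that is the expected cost of the default-deny.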