Chris,
Ah, that's easy then... >:)
The REAL main reason that I would take ACLs over conduits is the ability to
create object groups, thus simplifying large policies.
Here's a doco that goes through the conversion of conduits to ACLs and also
explains why (from Cisco's standpoint) it is a better idea to use ACLs as
opposed to Conduits. Most of it is relevant.
http://www.giac.org/practical/GSEC/Bill_Donaldson_GSEC.pdf
It's explained in page 8 btw.
Regards,
Jason
_____
From: Chris Morse [mailto:chris.morse@planexpress.net]
Sent: Wednesday, 10 November 2004 4:13 PM
To: Chad@mr-lew.com; Eric McCarty; Dennis Dimka; Dan Tesch; Firewalls
Securityfocus
Subject: RE: Router config question
let me narrow the last comment, interrogatory to PIX only.
_____
From: Chad [mailto:chad@mr-lew.com]
Sent: Mon 11/8/2004 9:07 PM
To: 'Eric McCarty'; 'Dennis Dimka'; 'Dan Tesch'; 'Firewalls Securityfocus'
Subject: RE: Router config question
Actually, shouldn't it read more like this:
Access-list 110 permit tcp any 10.0.1.10 255.255.255.255 eq 80
Access-list 110 permit tcp any 10.0.1.11 255.255.255.255 eq 25
Access-list 110 deny ip any any
Of course you would catch it when you hit enter on the router... ;-)
-----Original Message-----
From: Eric McCarty [mailto:eric@piteduncan.com]
Sent: Monday, November 08, 2004 5:22 PM
To: Dennis Dimka; Dan Tesch; Firewalls Securityfocus
Subject: RE: Router config question
Erm... Shouldn't this read :
Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
Access-list 110 permit tcp 25 10.0.1.11 255.255.255.255
Access-list 110 deny ip any any
And as stated before those ACL Entries were for a bug in Cisco's ISO
Software, if you are running the most current IOS Version for your Router,
the issue has been long fixed and you no longer need those ACL's. However if
you are running your router as a router & Firewall in one you should
definately consider Dennis's advice and remove all ACL's and add only
permits for what you need (web, ssh, ftp, etc. etc.) and allow the implicit
deny all to drop the rest.
Eric McCarty
-----Original Message-----
From: Dennis Dimka [ <mailto:dennis.dimka@manna.com>
mailto:dennis.dimka@manna.com]
Sent: Monday, November 08, 2004 1:28 PM
To: 'Dan Tesch'; Firewalls Securityfocus
Subject: RE: Router config question
This is a little sloppy. If you don't have a dedicated firewall (and the
2611 is essentially your firewall) you should allow only what you need in,
and deny the rest. Not only is this leaps and bounds more secure, it
mitigates the need to deny specific ports. For example, if you have a
public mail and a public web server and email server...
Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255 Access-list 110
permit tcp 24 10.0.1.11 255.255.255.255 Access-list 110 deny ip any any
The last line is already implied at the end of any access list, but having
it in your ACL reminds you of this, and also shows you a HITCOUNT.
-----Original Message-----
From: Dan Tesch [ <mailto:dan.tesch@comcast.net>
mailto:dan.tesch@comcast.net]
Sent: Monday, November 08, 2004 7:23 AM
To: Firewalls Securityfocus
Subject: Router config question
Hello, I inherited a Cisco 2611 that I have been trying to clean up and
understand the config on.
For a while I have been wondering why the following were being specifically
blocked...
access-list 110 deny 53 any any
access-list 110 deny 55 any any
access-list 110 deny 77 any any
access-list 110 deny pim any any
I was doing some reading trying to learn about PIM and found this link which
references a DOS vuln.
<http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html>
http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html
Was this a way to circumvent the listed vuln.? the doc references IOS below
12.3, as I am now above that - may I safely remove these denys?
Thanks
smime.p7s
Description: S/MIME cryptographic signature
