RE: Router config question

You learn something new everyday... Well after reading a little more in
the newer PIX Command References, it appears you CAN use object groups
with the "object-group" command and "object-group-search" keyword
starting with PIX 6.2. Cough, Cough (Man my foot tastes bad without any
salt) ;-) Now why doesn't Cisco add the same capability to the router
IOS and make life easier to navigate between different Cisco platforms?
It's one thing to do things differently between vendors... but
differently between your own platforms? Does anyone know of any plans to
add this to the IOS?
 

-----Original Message-----
From: Chad [mailto:chad@mr-lew.com] 
Sent: Friday, November 12, 2004 5:20 PM
To: 'Jason Ha'; 'Chris Morse'; 'Eric McCarty'; 'Dennis Dimka'; 'Dan
Tesch'; 'Firewalls Securityfocus'
Subject: RE: Router config question


Jason,
 
    There really isn't any "object group" that gets created by using
ACLs. To say that ACLs simplify large policies is a bit misleading to
those that may not be familiarf with them. The access-group command is
how the ACL is actually applied. Conduits are automatically applied,
where as you can enter multiple ACLs, but none of them are applied until
you do so with the access-group command. You still can only have one
inbound ACL on a PIX and one inbound and one outbound ACL on Cisco
routers. There is no capability to combine multiple ACLs into groups...
but wouldn't it be nice. ;-)
 
Cheers,
Chad

-----Original Message-----
From: Jason Ha [mailto:JHa@verisign.com.au] 
Sent: Friday, November 12, 2004 5:01 PM
To: Chris Morse; Chad@mr-lew.com; Eric McCarty; Dennis Dimka; Dan Tesch;
Firewalls Securityfocus
Subject: RE: Router config question


Chris,
 
Ah, that's easy then... >:)
 
The REAL main reason that I would take ACLs over conduits is the ability
to create object groups, thus simplifying large policies.
 
Here's a doco that goes through the conversion of conduits to ACLs and
also explains why (from Cisco's standpoint) it is a better idea to use
ACLs as opposed to Conduits. Most of it is relevant.
 
http://www.giac.org/practical/GSEC/Bill_Donaldson_GSEC.pdf
 
It's explained in page 8 btw.
 
Regards,
 
Jason

  _____  

From: Chris Morse [mailto:chris.morse@planexpress.net] 
Sent: Wednesday, 10 November 2004 4:13 PM
To: Chad@mr-lew.com; Eric McCarty; Dennis Dimka; Dan Tesch; Firewalls
Securityfocus
Subject: RE: Router config question


let me narrow the last comment, interrogatory to PIX only.

  _____  

From: Chad [mailto:chad@mr-lew.com]
Sent: Mon 11/8/2004 9:07 PM
To: 'Eric McCarty'; 'Dennis Dimka'; 'Dan Tesch'; 'Firewalls
Securityfocus'
Subject: RE: Router config question


Actually, shouldn't it read more like this:
 
Access-list 110 permit tcp any 10.0.1.10 255.255.255.255 eq 80
Access-list 110 permit tcp any 10.0.1.11 255.255.255.255 eq 25
Access-list 110 deny ip any any

Of course you would catch it when you hit enter on the router... ;-)

-----Original Message-----
From: Eric McCarty [mailto:eric@piteduncan.com] 
Sent: Monday, November 08, 2004 5:22 PM
To: Dennis Dimka; Dan Tesch; Firewalls Securityfocus
Subject: RE: Router config question



Erm... Shouldn't this read :
Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
Access-list 110 permit tcp 25 10.0.1.11 255.255.255.255
Access-list 110 deny ip any any


And as stated before those ACL Entries were for a bug in Cisco's ISO
Software, if you are running the most current IOS Version for your
Router, the issue has been long fixed and you no longer need those
ACL's. However if you are running your router as a router & Firewall in
one you should definately consider Dennis's advice and remove all ACL's
and add only permits for what you need (web, ssh, ftp, etc. etc.) and
allow the implicit deny all to drop the rest.

 
Eric McCarty



-----Original Message-----
From: Dennis Dimka [ <mailto:dennis.dimka@manna.com>
mailto:dennis.dimka@manna.com]
Sent: Monday, November 08, 2004 1:28 PM
To: 'Dan Tesch'; Firewalls Securityfocus
Subject: RE: Router config question

This is a little sloppy.  If you don't have a dedicated firewall (and
the
2611 is essentially your firewall) you should allow only what you need
in, and deny the rest.  Not only is this leaps and bounds more secure,
it mitigates the need to deny specific ports.  For example, if you have
a public mail and a public web server and email server...

Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255 Access-list 110
permit tcp 24 10.0.1.11 255.255.255.255 Access-list 110 deny ip any any

The last line is already implied at the end of any access list, but
having it in your ACL reminds you of this, and also shows you a
HITCOUNT.

-----Original Message-----
From: Dan Tesch [ <mailto:dan.tesch@comcast.net>
mailto:dan.tesch@comcast.net]
Sent: Monday, November 08, 2004 7:23 AM
To: Firewalls Securityfocus
Subject: Router config question

Hello, I inherited a Cisco 2611 that I have been trying to clean up and
understand the config on.

For a while I have been wondering why the following were being
specifically blocked...

access-list 110 deny   53 any any
access-list 110 deny   55 any any
access-list 110 deny   77 any any
access-list 110 deny   pim any any

I was doing some reading trying to learn about PIM and found this link
which references a DOS vuln.

 
<http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html>
http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html

Was this a way to circumvent the listed vuln.?  the doc references IOS
below 12.3, as I am now above that - may I safely remove these denys?

Thanks