Network Security Firewalls

Re: Router config question

Subject: Re: Router config question
Date: Sat, 13 Nov 2004 00:16:39 +0100
Ehm, I think we are talking about IOS Firewall in this thread; only the PIX has conduits. And by the way, you should move to ACLs for a number of reasons:

1. Performance
2. No changes are being made to PIX code to make them better/easier/faster to use
3. They will no longer exist in PIX 7.0 code, which you will want to use when you see the features in it once it is released :-)
4. Access-lists are the way every other Cisco device defines rules, so there is some leveraging of knowledge by knowing/using ACLs

About entering on the fly: this can also be done with ACLs on the PIX by thinking a bit about your ruleset first and using object-groups; this will enable you to add services to defined groups of addresses without having to copy/paste a new ACL every time.


Just my 2 cents
Jan
CCSP / Infosec

  ----- Original Message -----
  From: Chris Morse
  To: Chad@mr-lew.com ; Eric McCarty ; Dennis Dimka ; Dan Tesch ; Firewalls Securityfocus
  Sent: Wednesday, November 10, 2004 6:12 AM
  Subject: RE: Router config question


  I have to ask, perhaps out of sheer ignorance: why use access-lists? Cisco pushed them in an effort to deprecate conduits, but I can enter conduits on the fly, without re-entering the entire ACL every time. I really want outside input on this. Got a few big configs to move. Your thoughts?


------------------------------------------------------------------------------
  From: Chad [mailto:chad@mr-lew.com]
  Sent: Mon 11/8/2004 9:07 PM
  To: 'Eric McCarty'; 'Dennis Dimka'; 'Dan Tesch'; 'Firewalls Securityfocus'
  Subject: RE: Router config question


  Actually, shouldn't it read more like this:

  Access-list 110 permit tcp any 10.0.1.10 255.255.255.255 eq 80
  Access-list 110 permit tcp any 10.0.1.11 255.255.255.255 eq 25
  Access-list 110 deny ip any any

  Of course you would catch it when you hit enter on the router... ;-)
    -----Original Message-----
    From: Eric McCarty [mailto:eric@piteduncan.com] 
    Sent: Monday, November 08, 2004 5:22 PM
    To: Dennis Dimka; Dan Tesch; Firewalls Securityfocus
    Subject: RE: Router config question


    Erm... Shouldn't this read :
    Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
    Access-list 110 permit tcp 25 10.0.1.11 255.255.255.255
    Access-list 110 deny ip any any


    And as stated before, those ACL entries were for a bug in Cisco's IOS software. If you are running the most current IOS version for your router, the issue has long been fixed and you no longer need those ACLs. However, if you are running your router as a router & firewall in one, you should definitely consider Dennis's advice and remove all ACLs and add only permits for what you need (web, ssh, ftp, etc.) and allow the implicit deny all to drop the rest.


    Eric McCarty


    -----Original Message-----
    From: Dennis Dimka [mailto:dennis.dimka@manna.com]
    Sent: Monday, November 08, 2004 1:28 PM
    To: 'Dan Tesch'; Firewalls Securityfocus
    Subject: RE: Router config question

    This is a little sloppy. If you don't have a dedicated firewall (and the 2611 is essentially your firewall) you should allow only what you need in, and deny the rest. Not only is this leaps and bounds more secure, it mitigates the need to deny specific ports. For example, if you have a public mail and a public web server and email server...

    Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
    Access-list 110 permit tcp 24 10.0.1.11 255.255.255.255
    Access-list 110 deny ip any any

    The last line is already implied at the end of any access list, but having it in your ACL reminds you of this, and also shows you a HITCOUNT.

    -----Original Message-----
    From: Dan Tesch [mailto:dan.tesch@comcast.net]
    Sent: Monday, November 08, 2004 7:23 AM
    To: Firewalls Securityfocus
    Subject: Router config question

    Hello, I inherited a Cisco 2611 that I have been trying to clean up and understand the config on.

    For a while I have been wondering why the following were being specifically blocked...

    access-list 110 deny   53 any any
    access-list 110 deny   55 any any
    access-list 110 deny   77 any any
    access-list 110 deny   pim any any

    I was doing some reading trying to learn about PIM and found this link which references a DOS vuln.

    http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html

    Was this a way to circumvent the listed vuln.? The doc references IOS below 12.3; as I am now above that, may I safely remove these denies?

    Thanks
