
| Subject: | RE: Router config question |
|---|---|
| Date: | Tue, 16 Nov 2004 09:04:37 -0000 |
Adding Established will NOT make an access list stateful. Furthermore, just adding Established to an access-list opens up a whole can of worms that you don't want.

________________________________

From: pramod [mailto:pramod.dahate@getronics.com]
Sent: 14 November 2004 12:03
To: Chad@mr-lew.com; 'Eric McCarty'; 'Dennis Dimka'; 'Dan Tesch'; 'Firewalls Securityfocus'
Subject: Re: Router config question

hi

adding an established at end of access list will make it stateful too.

    Access-list 110 permit tcp any 10.0.1.10 255.255.255.255 eq 80 established
    Access-list 110 permit tcp any 10.0.1.11 255.255.255.255 eq 25 established
    Access-list 110 deny ip any any

Pramod Dahate (MCSE, CCNA, CCSA, CISSP)
Security Analyst
Network Management Centre
Getronics Australia Pty Limited
Email: pramod.dahate@getronics.com

----- Original Message -----

From: Chad
To: 'Eric McCarty'; 'Dennis Dimka'; 'Dan Tesch'; 'Firewalls Securityfocus'
Sent: Tuesday, November 09, 2004 2:07 PM
Subject: RE: Router config question

Actually, shouldn't it read more like this:

    Access-list 110 permit tcp any 10.0.1.10 255.255.255.255 eq 80
    Access-list 110 permit tcp any 10.0.1.11 255.255.255.255 eq 25
    Access-list 110 deny ip any any

Of course you would catch it when you hit enter on the router... ;-)

-----Original Message-----

From: Eric McCarty [mailto:eric@piteduncan.com]
Sent: Monday, November 08, 2004 5:22 PM
To: Dennis Dimka; Dan Tesch; Firewalls Securityfocus
Subject: RE: Router config question

Erm... Shouldn't this read:

    Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
    Access-list 110 permit tcp 25 10.0.1.11 255.255.255.255
    Access-list 110 deny ip any any

And as stated before, those ACL entries were for a bug in Cisco's IOS software. If you are running the most current IOS version for your router, the issue has long been fixed and you no longer need those ACLs. However, if you are running your router as a router and firewall in one, you should definitely consider Dennis's advice and remove all ACLs and add only permits for what you need (web, ssh, ftp, etc.) and allow the implicit deny all to drop the rest.

Eric McCarty

-----Original Message-----

From: Dennis Dimka [mailto:dennis.dimka@manna.com]
Sent: Monday, November 08, 2004 1:28 PM
To: 'Dan Tesch'; Firewalls Securityfocus
Subject: RE: Router config question

This is a little sloppy. If you don't have a dedicated firewall (and the 2611 is essentially your firewall) you should allow only what you need in, and deny the rest. Not only is this leaps and bounds more secure, it mitigates the need to deny specific ports. For example, if you have a public mail and a public web server and email server...

    Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
    Access-list 110 permit tcp 24 10.0.1.11 255.255.255.255
    Access-list 110 deny ip any any

The last line is already implied at the end of any access list, but having it in your ACL reminds you of this, and also shows you a HITCOUNT.

-----Original Message-----

From: Dan Tesch [mailto:dan.tesch@comcast.net]
Sent: Monday, November 08, 2004 7:23 AM
To: Firewalls Securityfocus
Subject: Router config question

Hello,

I inherited a Cisco 2611 that I have been trying to clean up and understand the config on. For a while I have been wondering why the following were being specifically blocked...

    access-list 110 deny 53 any any
    access-list 110 deny 55 any any
    access-list 110 deny 77 any any
    access-list 110 deny pim any any

I was doing some reading trying to learn about PIM and found this link which references a DoS vuln.

http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html

Was this a way to circumvent the listed vuln.? The doc references IOS below 12.3; as I am now above that, may I safely remove these denys?

Thanks
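As an added example (not code from anyone in the thread), a small Python model of extended-ACL matching that shows the point made in the top reply: `established` tests only the ACK or RST flag of each packet in isolation and keeps no connection table, so with it on the inbound server permits a client's first SYN to the web server is dropped while any flag-carrying packet passes whether or not the router ever saw a handshake. The `Packet` and `Ace` classes and the sample addresses are my own constructions; destinations are matched as exact hosts and IOS wildcard masks are not modelled (in real IOS `10.0.1.10 255.255.255.255` is a wildcard mask that matches every address, and `host 10.0.1.10` is the exact-host form).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0
    ack: bool = False    # TCP ACK flag
    rst: bool = False    # TCP RST flag

@dataclass(frozen=True)
class Ace:
    """One access-list entry; None for dst/dport means 'any'."""
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    dst: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst is not None and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # 'established' means "ACK or RST bit set" on this one packet;
    # there is no connection table, so no memory of any prior SYN.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Pramod's inbound server permits with 'established'; Chad's version lacks it.
ACL_ESTABLISHED = [Ace("permit", "tcp", "10.0.1.10", 80, established=True),
                   Ace("permit", "tcp", "10.0.1.11", 25, established=True),
                   Ace("deny", "ip")]
ACL_PLAIN = [Ace(a.action, a.proto, a.dst, a.dport) for a in ACL_ESTABLISHED]

# Constructed sample traffic from an outside client to the web server.
NEW_SYN = Packet("tcp", "203.0.113.7", "10.0.1.10", 80)                     # a client's first packet
ACK_NO_HANDSHAKE = Packet("tcp", "203.0.113.7", "10.0.1.10", 80, ack=True)  # no SYN ever seen by the router
```

`evaluate(ACL_ESTABLISHED, NEW_SYN)` returns "deny" while `evaluate(ACL_ESTABLISHED, ACK_NO_HANDSHAKE)` returns "permit", which is the opposite of what a stateful filter would decide for these two packets.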