Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Router config question

from [Firewall Consulting] Network Security [Permanent Link]
Subject: RE: Router config question
Date: Mon, 15 Nov 2004 15:19:39 -0800 


 How about Outbound and Apply statements?  I'm very fond of them...



-----Original Message-----
From: Joseph T. Finley [mailto:jfinley@securium.net] 
Sent: Friday, November 12, 2004 5:16 PM
To: Firewalls Securityfocus
Subject: RE: Router config question


Chris,

What do you mean re-enter the ACL? Each ACL is accompanied by a sequence
number and you can just "no access-list xxxxxxx" and it will only blank
that entry. I would encourage everyone on 6.x PIX OS to use ACL's, stay
away from conduits...

Joe


________________________________

From: Chris Morse [mailto:chris.morse@planexpress.net] 
Sent: Wednesday, November 10, 2004 12:12 AM
To: Chad@mr-lew.com; Eric McCarty; Dennis Dimka; Dan Tesch; Firewalls
Securityfocus
Subject: RE: Router config question


I have to ask, perhaps out of sheer ignorance; Why use Acces-list? Cisco
pushed them in an effort to depracate conduits, but I can enter conduits
on the fly, wothout re-entering the entire ACL everytime. I really want
outside input on this. Got a few big configs to move. Your thoughts?

________________________________

From: Chad [mailto:chad@mr-lew.com]
Sent: Mon 11/8/2004 9:07 PM
To: 'Eric McCarty'; 'Dennis Dimka'; 'Dan Tesch'; 'Firewalls
Securityfocus'
Subject: RE: Router config question


Actually, shouldn't it read more like this:
 
Access-list 110 permit tcp any 10.0.1.10 255.255.255.255 eq 80
Access-list 110 permit tcp any 10.0.1.11 255.255.255.255 eq 25
Access-list 110 deny ip any any

Of course you would catch it when you hit enter on the router... ;-)

        -----Original Message-----
        From: Eric McCarty [mailto:eric@piteduncan.com] 
        Sent: Monday, November 08, 2004 5:22 PM
        To: Dennis Dimka; Dan Tesch; Firewalls Securityfocus
        Subject: RE: Router config question
        
        

        Erm... Shouldn't this read :
        Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
        Access-list 110 permit tcp 25 10.0.1.11 255.255.255.255
        Access-list 110 deny ip any any
        

        And as stated before those ACL Entries were for a bug in Cisco's
ISO Software, if you are running the most current IOS Version for your
Router, the issue has been long fixed and you no longer need those
ACL's. However if you are running your router as a router & Firewall in
one you should definately consider Dennis's advice and remove all ACL's
and add only permits for what you need (web, ssh, ftp, etc. etc.) and
allow the implicit deny all to drop the rest.

         
        Eric McCarty

        
        
        -----Original Message-----
        From: Dennis Dimka [mailto:dennis.dimka@manna.com
<mailto:dennis.dimka@manna.com> ]
        Sent: Monday, November 08, 2004 1:28 PM
        To: 'Dan Tesch'; Firewalls Securityfocus
        Subject: RE: Router config question
        
        This is a little sloppy.  If you don't have a dedicated firewall
(and the
        2611 is essentially your firewall) you should allow only what
you need in, and deny the rest.  Not only is this leaps and bounds more
secure, it mitigates the need to deny specific ports.  For example, if
you have a public mail and a public web server and email server...
        
        Access-list 110 permit tcp 80 10.0.1.10 255.255.255.255
Access-list 110 permit tcp 24 10.0.1.11 255.255.255.255 Access-list 110
deny ip any any
        
        The last line is already implied at the end of any access list,
but having it in your ACL reminds you of this, and also shows you a
HITCOUNT.
        
        -----Original Message-----
        From: Dan Tesch [mailto:dan.tesch@comcast.net
<mailto:dan.tesch@comcast.net> ]
        Sent: Monday, November 08, 2004 7:23 AM
        To: Firewalls Securityfocus
        Subject: Router config question
        
        Hello, I inherited a Cisco 2611 that I have been trying to clean
up and understand the config on.
        
        For a while I have been wondering why the following were being
specifically blocked...
        
        access-list 110 deny   53 any any
        access-list 110 deny   55 any any
        access-list 110 deny   77 any any
        access-list 110 deny   pim any any
        
        I was doing some reading trying to learn about PIM and found
this link which references a DOS vuln.
        
        
http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html
<http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html>

        
        Was this a way to circumvent the listed vuln.?  the doc
references IOS below 12.3, as I am now above that - may I safely remove
these denys?
        
        Thanks
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Check Point ClusterXL Load Sharing VPN, Robert D Hughes
Next by Date:  Re: Pix 515's fail to failover, Spigga
Previous by Thread:  RE: Router config question, Joseph T. Finley
Next by Thread:  RE: Router config question, Andrew Shore
Indexes:  [Date] [Thread] [Top] [All Lists]