Inside Network Perimeter Security: Packet Filtering

Date: Apr 15, 2005 By Lenny Zeltser, Karen Kent, Stephen Northcutt, Ronald Ritchey, Scott inters! Sa"ple #hapter is
pro$ided courtesy o% Sa"s!
&his chapter discusses the "any 'ays that pac(et %ilterin) can *e used as a "eans to secure the peri"eter o% your
net'or(! +t also 'ei)hs the positi$e and ne)ati$e points o% usin) a pac(et %ilter as the "eans to control tra%%ic %lo' *ased
on address and port, and the 'ea(nesses o% the pac(et,%ilterin) technolo)y!
-ac(et %ilterin) is one o% the oldest and "ost 'idely a$aila*le "eans to control access to net'or(s! &he concept is
si"ple: Deter"ine 'hether a pac(et is allo'ed to enter or e.it the net'or( *y co"parin) so"e *asic identi%yin) pieces
o% in%or"ation located in the pac(et/s header! -ac(et,%ilterin) technolo)y can *e %ound in operatin) syste"s, so%t'are
and hard'are %ire'alls, and as a security %eature o% "ost routers!
&he )oal o% this chapter is to e.plore the hi)hli)hts and 'ea(nesses o% pac(et,%ilterin) technolo)y and ho' to
i"ple"ent this technolo)y success%ully! e discuss the *asics o% &#-0+- and ho' it applies to pac(et %ilterin), alon)
'ith the rules o% ho' to i"ple"ent pac(et %ilters usin) #isco router access lists! e e.plore uses %or rules that %ilter on
source address, such as the allo'ance and prohi*ition o% tra%%ic %ro" )i$en hosts and in)ress and e)ress %ilters! e
also co$er %ilters that e.a"ine destination addresses and "a(e decisions *ased on port nu"*ers and their uses %or
i"pro$ed control o% tra%%ic %lo'! e e.a"ine the pro*le"s o% the pac(et %ilter, includin) its 'ea(nesses to spoo%in),
%ra)"entation, control o% return tra%%ic, and the pro*le"s 'ith po(in) an al'ays,open hole in your de%ense! 1inally, 'e
e.plore the po'er o% dyna"ic pac(et %ilters and the 'ays they can help correct "any o% the do'n%alls o% static pac(et
%ilterin)!
TCP/IP Primer: How Packet Filtering Works
Be%ore 'e )o into the details o% pac(et %ilterin), it is necessary to understand the construct and technolo)ies *ehind the
&#-0+- protocol and its associated pac(ets!
NOTE
&he ne.t se$eral sections pro$ide a *asic o$er$ie' o% the &#-0+- protocol! Ad$anced readers "i)ht %ind this re$ie'
unnecessary and "i)ht pre%er to s(ip ahead to the section 2&he #isco Router as a -ac(et 1ilter!2
hen syste"s on a net'or( co""unicate, they need to spea( the sa"e lan)ua)e, or protocol! 3ne such protocol suite
is &#-0+-, the pri"ary co""unications lan)ua)e o% the +nternet! &o %acilitate such co""unications, the in%or"ation you
send needs to *e *ro(en do'n into "ana)ea*le pieces called packets! -ac(et headers are s"all se)"ents o%
in%or"ation that are stuc( at the *e)innin) o% a pac(et to identi%y it!
&he +- portion o% &#-0+- stands %or Internet Protocol! +t is responsi*le %or identi%yin) the pac(ets 4*y their +- address5
and %or )uidin) the" to their destination! +- pac(ets are directed, or routed, *y the $alues located in their pac(et
headers! &hese identi%iers hold in%or"ation a*out 'here the pac(ets ca"e %ro" 4source address5, 'here they are )oin)
4destination address5, as 'ell as other in%or"ation descri*in) the type o% ser$ice the pac(et "i)ht support, a"on) other
thin)s!
IP Version 6
&he $ersion o% +- protocol that is "ost co""only used on the +nternet today and that 'e are re%errin) to in this chapter
is +- $ersion 6 4+-$65! +t 'as created in the 1780s and has "any li"itations that ha$e re9uired e.pansions to (eep it
$alid into the t'enty,%irst century! &hose li"itations include a restricted address space, no inte)rated security, no
inte)rated "eans to auto"atically assi)n addresses, and the list )oes on! Althou)h technolo)ies 'ere created as
2*and,aids2 to help o$erco"e these issues 4NA&, +-Sec, and D:#-5, it 'asn/t lon) *e%ore de$elop"ent *e)an on a
replace"ent $ersion! +n the 70s, +- $ersion ; 4+-$;5 'as *orn! +t has a "uch lar)er potential address space "ade up o%
ei)ht 1;,*it $alues, instead o% +-$6/s %our 8,*it $alues! +-$6 addresses are "ost co""only notated as deci"als in the
%or"at 172!1;8!1!1, 'here the deci"al nu"*ers are so"e $alue *et'een 0 and 255 42<85! +-$; addresses are notated
as he.adeci"al in the %or"at 12=6:AB#D:1A2B:6=21:#D>1:#5D;:?87D:112A, 'here the he.adeci"al nu"*ers are
so"e $alue *et'een 0 and 1111 4or 0 and ;55=5 deci"al, 2<1;5! :e.adeci"al is used to (eep the already lon) +-$;
addresses notation "ore concise and reada*le! 3ne shorthand "ethod o% +-$; notatin) in$ol$es a**re$iatin) lists o%
@eroes 'ith dou*le colons 4::5! 1or e.a"ple, the +-$; address 12=6:5;?8:0000:0000:0000:0000:0000:1A16 can instead
*e listed as 12=6:5;?8::1A16! &he dou*le colons indicate that all di)its *et'een those listed are @eroes! 3ther
i"pro$e"ents that +-$; o%%ers are inte)rated authentication and encryption "ethods, auto"atic address assi)n"ent
capa*ilities, i"pro$ed Auality o% Ser$ice 4AoS5 "ethods, and an i"pro$ed header %or"at that "o$es anythin) *ut
essential routin) in%or"ation to e.tension headers, allo'in) %or 9uic(er processin)! Despite all its ad$anta)es, +-$; is
still not hea$ily i"ple"ented! As a net'or( ad"inistrator it is i"portant that you are a'are o% +-$; and its possi*le
ad$anta)es %or your en$iron"ent, e$en thou)h you "ay not *e re9uired to use it %or years to co"e! 1or "ore
in%or"ation on the +-$; standard, re%er to R1# 26;0!
hen an +- pac(et arri$es at a router, the router chec(s its destination to see 'hether it (no's ho' to )et to the place
'here the pac(et 'ants to )o! +% it does, it passes the pac(et to the appropriate net'or( se)"ent! &he %act that a router
passes any pac(et 'hose destination it is a'are o% is called implicit permit! Bnless %urther security "easures are added,
all tra%%ic is allo'ed in as 'ell as out! 1or this reason, a "ethod is re9uired to control the in%or"ation enterin) and e.itin)
the inter%aces o% the router!
TCP and UDP Ports
&he &#- part o% &#-0+- stands %or Transmission Control Protocol, and it is a relia*le transport,oriented 'ay %or
in%or"ation to *e co""unicated! Bser Data)ra" -rotocol 4BD-5 is an unrelia*le transport protocol that 'or(s 'ell 'ith
pro)ra"s that don/t rely on the protocol to "a(e sure their payload )ets 'here it/s )oin)! Both &#- and BD- use ports
to (eep trac( o% co""unication sessions! #ertain ports are set aside as the particular ones throu)h 'hich to contact a
ser$er runnin) a )i$en ser$ice such as :&&- 4port 805, 1&- 4port 215, &elnet 4port 2=5, DNS 4port 5=5, or SC&- 4port
255! 4&hese ser$ices and ho' to secure the" are discussed in "ore detail later!5 &he ori)inal R1# that docu"ents 'ell,
(no'n ports is R1# 1?00! :o'e$er, %or a "ore up,to,date in%or"ati$e list o% all o% &#-/s and BD-/s ser$er,side ports
and the ser$ices to 'hich they are assi)ned, chec( out this lin( to the +ANA 'e*site:
http:00'''!iana!or)0assi)n"ents0port,nu"*ers! +ANA is the +nternet Assi)ned Nu"*ers AuthorityDthe )ood people
'ho trac( the nu"*er standards %or the +nternet as 'e (no' it!
hen a client contacts a ser$er, it rando"ly pic(s a source port nu"*ered a*o$e 102= to )o out throu)h! &hen the
client contacts the ser$er on a set port, such as port 2= %or &elnet! hen the ser$er replies, the in%or"ation lea$es on
port 2= and returns to the client on the rando" )reater,than 102= port %ro" 'hich it le%t! &his port in%or"ation is the only
'ay that a pac(et %ilter can deter"ine the ser$ice it is %ilterin)!
1or e.a"ple, you "i)ht 'ant to %ilter out all &elnet tra%%icE you do so *y *loc(in) all tra%%ic directed at &#- port 2=! Fou
"i)ht also 'ant to allo' all :&&- tra%%ic co"in) to port 80! :o'e$er, i% so"eone is runnin) a &elnet ser$er on port 80
so"e'here on your net'or(, and all you ha$e %or protection is the a%ore"entioned pac(et %ilter, the tra%%ic passes!
-ac(et,%ilterin) syste"s don/t ha$e the intelli)ence to loo( *eyond the port nu"*er to deter"ine 'hat ser$ice is runnin)
at the application layer! Fou need to (eep this in "ind 'hen constructin) %ilterin) rules to *loc( access to a ser$ice that
you are runnin) on an alternati$e port! So"eti"es, 'e* ser$ers run on alternati$e ports, such as 8000, 8080, and the
li(eE i% you 'anted to allo' access to said 'e* ser$ers, then creatin) a pac(et,%ilterin) rule that allo's in standard :&&-
tra%%ic on port 80 'ouldn/t *e e%%ecti$e!
TCPs T!ree"way Hands!ake
&o *e)in co""unicatin), connection,oriented &#- uses 'hat/s (no'n as the three-way handshake! hen :ost A
'ants to connect to :ost B to trans%er data, it has to let :ost B (no' that it 'ants to connect! :ost A does this *y
sendin) a pac(et to :ost B 'ith the SFN 4or synchroni@ation5 %la) set, "eanin), 2+ 'ant to start a ne' con$ersation!2 +%
:ost B can and 'ants to con$erse *ac( to :ost A, it returns a pac(et 'ith the SFN and A#K 4or ac(no'led)"ent5 %la)s
set, "eanin), 2+ 'ant to start a con$ersation 'ith you, too, and + a" ac(no'led)in) that + 'ill *e a part o% your
con$ersation!2 1inally, :ost A returns the third part o% the handsha(e, a pac(et 'ith Gust the A#K %la) set, "eanin), 2+
'ill also ta(e part in your con$ersation, so let/s start tal(in)H2 ith that, data *e)ins trans%errin)! +n a si"pli%ied $ie', the
t'o hosts are si"ply e.chan)in) SFN %la))ed pac(ets to say they 'ant to start a con$ersation and A#K %la))ed
pac(ets to say they ac(no'led)e the receipt o% the SFN! &he second host si"ply 2pi))y*ac(s2 its ac(no'led)"ent
onto the sa"e pac(et that contains its initiatin) SFN!
-ac(et,%ilterin) syste"s can use these %la)s to deter"ine the sta)e o% the current three,'ay handsha(e! 1or e.a"ple, i%
you didn/t 'ant to allo' ne' connections %ro" the outside, you could choose to only per"it tra%%ic %la))ed 'ith A#KE the
pac(ets startin) a ne' connection contain the SFN %la) only!
T!e Cisco #outer as a Packet Filter
&he #isco A#L is one o% the "ost a$aila*le pac(et %ilters %ound today! &he "eans *y 'hich a #isco router %ilters
pac(ets is (no'n as an access control list (ACL)! An A#L ser$es as a laundry list o% thin)s %or the router to loo( at in the
pac(et header, to decide 'hether the pac(et should *e per"itted or denied access to a net'or( se)"ent! &his is the
*asis o% the tra%%ic,control %eatures o% a #isco router!
Routers are a con$enient choice %or net'or( %ilterin) *ecause they are already a part o% your net'or(/s in%rastructure!
3ne is located at your net'or(/s %urther"ost ed)e as 'ell as at the intersections o% all your net'or( se)"ents! +% you
'ant to (eep so"ethin) out o% a net'or( se)"ent, the %urther"ost point is the *est place to screen it! &his section
co$ers the *asic synta. and usa)e o% the #isco A#L and its en$iron"ent, the #isco +3S! All e.a"ples in this chapter
are illustrated throu)h the use o% #isco A#Ls 4+3S $ersion 12!1 or )reater5, althou)h the theories de"onstrated can *e
applied to any pac(et,%ilterin) syste"!
$n $lternati%e Packet Filter: IPC!ains
Althou)h e.a"ples in this chapter are )i$en as #isco access lists, other so%t'are pro)ra"s and de$ices use si"ilar
technolo)y! 1ollo'in) is an e.a"ple o% +-#hains, one such pro)ra"! +-#hains is a pac(et,%ilterin) syste" that co"es
*undled 'ith "any $ersions o% Linu.! &hou)h +-#hains is not as popular as it once 'as, *ein) superseded *y +-&a*les,
you "ay still run into it or choose to deploy it as an e%%ecti$e pac(et %ilterin) "echanis" %or your ser$er or net'or(!
+% you 'anted to *loc( :&&- tra%%ic %ro" any'here to your host 200!200!200!2 and lo) the "atches, you 'ould use the
#isco A#L:
access-list 111 deny tcp any host 200.200.200.2 eq 80 log
ith +-#hains, you 'ould use
ipchains A input i eth1 p tcp s 0.0.0.0/0 d 200.200.200.2/32 80 -l j DEN
'here A input "eans to place this rule on the end o% the e.istin) input chain!
i eth1 tells +-#hains to apply this rule to the inter%ace eth1, -p tells the protocol to 'atch %or &#-, the -s
para"eter sets the source address, and 0.0.0.0/0 indicates to 'atch %or any source address!
&he /0 is the 'ildcard, and it "eans to "atch the speci%ied *its e.actly! Because the 'ildcard is 0 in this case, it "eans
2don/t "atch anythin) e.actly or allo' anythin)!2 &his is e9ui$alent to the #isco any (ey'ord!
&he -d para"eter is the destination address! +n this e.a"ple, it is e9ual to the host address 200!200!200!2 *ecause
the /32 'ildcard "as( is used! +t tells +-#hains to "atch the %irst =2 *its 4or e$erythin)5 e.actly! &his is e9ui$alent to
usin) the 0!0!0!0 'ildcard or the host (ey'ord in #isco A#Ls!
&he destination address in this case is %ollo'ed *y the port nu"*er o% the *loc(ed protocol 480, %or :&&- tra%%ic5! +% the
source port 'ere %iltered as 'ell, it 'ould ha$e %ollo'ed the source address!
1inally, the -l para"eter "eans 2lo) this in%or"ation,2 and j DEN stipulates that any "atchin) pac(ets should *e
dropped and not to send any in%or"ation o% this *ac( to the sender! +t is the counterpart to the #isco deny (ey'ord!
As you can see, althou)h si"ilar in %unction, static pac(et %ilters co"e in di%%erent %or"s! Despite the di%%erences in
appearance and synta., a%ter you ha$e a )rasp o% pac(et,%ilterin) concepts, your (no'led)e can *e applied to any o%
these %iltration syste"s!
T!e Cisco $C&
&he #isco A#L is si"ply a "eans to %ilter tra%%ic that crosses your router! +t has t'o "aGor synta. typesDnu"*ered and
na"ed listsDand it co"es in se$eral %ilterin) types, includin) standard, e.tended, and re%le.i$e, all o% 'hich 'ill *e
discussed in this chapter! Nu"*ered access lists are entered in the %or"at
access-list number criteria
'here number is a )i$en ran)e that represents the type o% access list it is! &he ran)e 1I77 represents standard +-
lists, and the ran)e 100I177 represents e.tended +- lists! 3$er ti"e, these *asic ran)es ha$e *een e.panded to
include 1=00I1777 %or standard and 2000I2;77 %or e.tended! 3ther access list nu"*er ran)es are reser$ed %or
alternati$e protocols, and so on!
&he na"ed access list uses the %or"at
ip access-list type name
'here the type code stands %or standard, e.tended, and so on, and the name code represents a uni9ue na"e %or the
list! &his can help "a(e the list "ore identi%ia*le! 1or e.a"ple, 2dnsin*ound2 "i)ht "ean "ore to so"eone than the
nu"*er 211=2 does!
Bpon enterin) the precedin) co""and to start list creation, you are dropped into a con%i)uration "ode Gust %or that
access list! :ere, you can enter %ilterin) co""ands in the %ollo'in) %or"at:
pe!"it#deny criteria
>ither type o% A#L 'or(s 'ell and can *e used separately or to)ether! Althou)h standard and e.tended lists can *e
'ritten in either %or"at, re%le.i$e access lists can use only the na"ed %or"at! &o re"o$e either type o% A#L, reenter it
preceded *y the 'ord no!
#ule 'rder
Cany o% the access lists de"onstrated throu)hout this te.t are 2deny2 access lists that sho' ho' to *loc( a particular
address or port! :o'e$er, *ecause o% a concept called implicit deny, droppin) such a list into an other'ise e"pty router
con%i)uration could cause the *loc(in) o% all tra%%icH +"plicit deny ta(es place 'hen as little as one access list is added to
an inter%ace on a #isco router! &he router stops its standard *eha$ior o% %or'ardin) all routa*le tra%%ic and instead
*e)ins co"parin) all pac(ets recei$ed to the ne'ly added access list! +% the tra%%ic doesn/t "atch the applied access
list4s5, it is dropped! Addin) one si"ple access list chan)es the *eha$ior o% the router entirely! 3nly pac(ets that "atch
the added access list as per"itted tra%%ic are allo'ed!
hen "ultiple rules are added, e$en "ore concerns arise! Because rules are processed %ro" the top do'n and a
pac(et only has to pass or %ail one rule to *e dropped or allo'ed into the net'or(, it is i"perati$e to put speci%ic %ilters
*e%ore )eneral %ilters! 3ther'ise, a "ore )eneral rule "i)ht allo' a pac(et access that "ay ha$e *een denied *y
another "ore speci%ic rule later in the access list! hen a pac(et 2"atches2 a rule, the pac(et is i""ediately dropped 4i%
it is a deny rule5 or %or'arded 4i% it is a per"it rule5 'ithout *ein) tested *y the rest o% the access list entries!
Be care%ul 'hen plannin) the order o% access list rules! &hat is 'hy a co"plete access list rule*ase needs to *e laid out
in ad$ance and *uilt %ro" the )round up! Addin) rules carelessly is a sure recipe %or disaster!
NOTE
hene$er possi*le, asse"*le your access lists %ollo'in) the precept 2allo' 'hat you need2 rather than 2deny 'hat you
don/t!2
Cisco I'S (asics
Be%ore 'e )o into detail on the synta. o% #isco access lists, it is necessary to discuss the inter%ace *y 'hich #isco
routers are con%i)ured! #isco routers can *e con%i)ured in one o% se$eral 'ays! &hey can *e accessed throu)h a serial
connection to the console port on the *ac( o% the router, throu)h a &elnet session, or $ia a 'e* *ro'ser 'ith ne'er
"odels! A%ter you ha$e access to the router, actually )ettin) it into con%i)uration "ode is a relati$ely easy process, as
outlined here:
1! Fou recei$e the standard pro"pt 4desi)nated *y the J sy"*ol5 !oute!na"e$!
2! Fou "ust )o into ena*le "ode *e%ore con%i)uration "ode! &ypin) ena%le and pressin) the >nter (ey
acco"plishes this! Fou are pro"pted %or a secret pass'ord! A%ter enterin) it, you are in ena*le "ode, 'hich is
identi%ied *y the !oute!na"e& pro"pt 4desi)nated *y the nu"*er si)n KLM5!
=! &o con%i)ure the router, enter ter"inal con%i)uration "ode *y typin) con'ig t 4'hich is short %or configure
terminal5 and pressin) >nter! Fou then see the )lo*al con%i)uration pro"pt: !oute!na"e(con'ig)&! &his
is 'here you enter )lo*al con%i)uration co""ands, includin) access lists!
6! Fou can enter inter%ace con%i)uration "ode %ro" the )lo*al con%i)uration "ode *y typin) int s1, 'here int
stands %or inter%ace and s1 is the inter%ace na"e 4in this case, serial 15! &his %or"at is also carried into
>thernet inter%aces 4e0, e1, and so on5 as 'ell as other inter%ace types! &ypin) the inter%ace co""and
chan)es the pro"pt to the inter%ace con%i)uration pro"pt: !oute!na"e(con'ig-i')&! 1ro" here, you
can type inter%ace,speci%ic co""ands, and this is 'here you can apply access lists to indi$idual inter%aces 'ith
the access-g!oup co""and!
5! >.it any con%i)uration le$el *y typin) the e*it co""and! #o"pletely e.it out o% con%i)uration "ode %ro" any
su*le$el *y pressin) #trlNZ! Lea$e ena*le "ode *y typin) disa%le!
)**ecti%e Uses o* Packet"Filtering De%ices
Because pac(et %ilterin) is older technolo)y and lac(s the capa*ility to di%%erentiate *et'een types o% net'or( tra%%ic, you
"i)ht *e 'onderin) 'hy 'e are discussin) it! hat could *e the possi*le use %or this technolo)y in a 'orld that is %illed
'ith hi,tech %ire'alls that can trac( protocols usin) (no'led)e o% the 'ay they 'or( to intelli)ently di%%erentiate *et'een
inco"in) and out)oin) tra%%ic strea"sO Pood 9uestionH hy use a -# 'hen 'e ha$e superco"putersO So"eti"es a
li)hter,'ei)ht, less e.pensi$e "eans to )et thin)s done is a "aGor ad$anta)e! Because pac(et %ilters don/t )o to )reat
depth in their analysis o% tra%%ic strea"s, they are %aster than other %ire'all technolo)ies! &his is partially due to the
speed at 'hich the header in%or"ation can *e chec(ed and partially due to the %act that pac(ets don/t ha$e to *e
2decoded2 to the application le$el %or a decision to *e "ade on the"! #o"ple. decisions are not necessary, si"ply a
co"parison o% *its in a pac(et to *its in an A#L!
Filtering (ased on Source $ddress: T!e Cisco Standard $C&
3ne o% the thin)s that pac(et,%ilterin) technolo)y is )reat %or is the *loc(in) or allo'in) o% tra%%ic *ased on the +-
address o% the source syste"! So"e 'ays that this technolo)y can *e use%ully applied are %ilters *loc(in) speci%ic hosts
4*lac(listin)5, %ilters allo'in) speci%ic hosts 4such as *usiness partners5, and in the i"ple"entation o% in)ress and
e)ress %ilters! Any o% these e.a"ples can *e i"ple"ented on a #isco router *y usin) a 2standard2 access list!
&he standard access list is used to speci%ically allo' or disallo' tra%%ic %ro" a )i$en source +- address only! +t cannot
%ilter *ased on destination or port nu"*er! Because o% these li"itations, the standard access list is %ast and should *e
pre%erred 'hen the source address is the only criteria on 'hich you need to %ilter!
&he synta. %or a standard access list is as %ollo's:
access-list list number 1-99 or 1300-1999 pe!"it #deny source address mask log
Notice that 'hen A#Ls 'ere %irst created, the list nu"*er had to *e 1I77! &his ran)e 'as e.panded in +3S $ersion
12!0415 to include the nu"*ers 1=00I1777! &he only 'ay that the #isco +3S can identi%y the list as a standard A#L is i%
a list nu"*er in one o% these t'o ran)es is used! &he mask option is a re9uired 'ildcard "as(, 'hich tells the router
'hether this is a sin)le host 'e are %ilterin) or an entire net'or( ran)e! 41or "ore in%or"ation on 'ildcard "as(s, chec(
out the side*ar 2&he #isco ildcard Cas( >.plained2 later in this chapter5! &he log option can *e appended to tell the
router to speci%ically lo) any "atches o% this %ilter! &hese lo) entries can *e sa$ed in local "e"ory or "ore
appropriately sent to a re"ote Syslo) ser$er! 1or "ore in%or"ation on router lo))in), see #hapter ;, 2&he Role o% a
Router,2 and #hapter 20, 2Net'or( Lo) Analysis!2
&he pre$iously listed access list notation is entered in )lo*al con%i)uration "ode and can *e applied to the inter%ace in
the inter%ace con%i)uration "ode 'ith the access-g!oup state"ent, as sho'n here:
ip access-g!oup list number in#out
&he access-g!oup co""and is used to speci%ically apply an A#L to an inter%ace 4*y its list nu"*er5 either in*ound
or out*ound! 3nly one access list can *e applied in one direction 4in or out5 per inter%ace! &his "eans a "a.i"u" o%
t'o applied A#Ls per inter%ace: one in*ound and one out*ound!
3ne o% the con%usin) concepts o% router A#Ls is the 'ay that applyin) %ilters 2in2 or 2out2 'or(s! &his is con%usin)
*ecause people nor"ally $isuali@e 2in2 as tra%%ic "o$in) to'ard their internal net'or( and 2out2 as tra%%ic "o$in) a'ay
%ro" their net'or( to'ard outside entities! :o'e$er, this pre"ise does not necessarily hold true 'hen tal(in) a*out the
in and out (ey'ords in #isco router access lists! Speci%ically, the (ey'ords tell the router to chec( the tra%%ic "o$in)
to'ard 4in5 or a'ay %ro" 4out5 the inter%ace listed!
+n a si"ple dual,inter%ace router, this concept is "ore easily illustrated! Let/s assu"e you ha$e an inter%ace called e1
4hoo(ed to your internal net'or(5 and an e.ternal inter%ace called s1 4hoo(ed up to the +nternet, %or e.a"ple5! &ra%%ic
that co"es into the s1 inter%ace "o$es to'ard your internal net'or(, 'hereas tra%%ic that )oes out o% the s1 inter%ace
"o$es to'ard the +nternet!
So %ar this see"s to *e pretty lo)ical, *ut no' let/s consider the internal e1 inter%ace! &ra%%ic that co"es into e1 "o$es
a'ay %ro" your internal net'or( 4to'ard the +nternet5, and tra%%ic that )oes out o% e1 )oes to'ard your internal net'or(!
VLAN Interfaces and Direction
hen deter"inin) direction, QLAN inter%aces are a little "ore con%usin) than physical router inter%aces! Applyin) an
access )roup 2in2 on a QLAN inter%ace "eans that tra%%ic "o$in) a'ay %ro" the net'or( 'ill *e %iltered, 'hereas 2out2
"eans that tra%%ic co"in) into the QLAN 'ill *e %iltered!
Keep in "ind 'hen you apply access-g!oup co""ands to your inter%aces that you apply the access list in the
direction that the tra%%ic is tra$elin), in re)ards to the router/s inter%ace! Fou "i)ht *e thin(in), 2hat is the di%%erence,
then, *et'een in*ound on the s1 inter%ace and out*ound on the e1 inter%aceO Both re%er to tra%%ic that is "o$in) in the
sa"e direction! hich is "ore appropriate to useO2
TIP
&o "a.i"i@e per%or"ance, %ilter tra%%ic as it enters the router!
&he less 'or( the router has to do, the *etter! Al'ays try to %ilter tra%%ic at the %irst inter%ace it enters, or apply your %ilters
2in*ound2 as "uch as possi*le!
Returnin) to our e.a"ple, i% so"ethin) should *e *loc(ed 4or per"itted, %or that "atter5 co"in) in %ro" the +nternet, it
'ould "a(e the "ost sense to *loc( it co"in) in to the s1 4outside5 inter%ace! +n addition, i% so"ethin) should *e
%iltered lea$in) your net'or(, it 'ould *e *est to %ilter it in*ound on the e1 4inside5 inter%ace! Basically, you should sho'
pre%erence to the in (ey'ord in your access lists! So"e speci%ic e.ceptions to this rule e.ist, 'hich in$ol$e certain
access list types 4such as re%le.i$e A#Ls5 that re9uire *ein) placed out*ound!
&hese e.a"ples o%ten list the actual pro"pt %or a router na"ed 2router2 to re"ind you o% the co""and "odes that the
router 'ill *e in 'hen enterin) the $arious co""ands!
&he %ollo'in) is an e.a"ple o% an actual %ilter that uses the pre$ious synta. and 170!170!170!. as the source net'or(/s
+- address that you 'ant to deny:
!oute!(con'ig)&access-list 11 deny 1+0.1+0.1+0.0 0.0.0.2,,
&his %ilter/s list nu"*er is 11! +t denies any pac(et 'ith a source net'or( address o% 170!170!170 'ith any source host
address! +t is applied to the inter%ace in*ound, so it %ilters the tra%%ic on the 'ay into the router/s inter%ace!
&he co""and to apply the access list to your serial 1 inter%ace 'ould *e
!oute!(con'ig-i')&ip access-g!oup 11 in
'here 'e are in inter%ace con%i)uration "ode %or the inter%ace to 'hich 'e are applyin) the access list, in*ound!
The Cisco Wildcard Mask Explained
&he 'ildcard "as( is one o% the least understood portions o% the #isco A#L synta.! &a(e a loo( at the %ollo'in)
e.a"ple:
access-list 12 pe!"it 1+2.1-8.1.0 0.0.0.2,,
+n this case, 0!0!0!255 represents the 'ildcard "as(! +t loo(s li(e a re$erse su*net "as( and represents the portion o%
the listed +- address ran)e to %ilter a)ainst the tra%%ic in 9uestion! Zeros "ean, 2&est this portion o% the address,2 and
ones "ean, 2+)nore this portion o% the address 'hen testin)!2
+n our e.a"ple, let/s say a pac(et co"es in 'ith a source address o% 172!1;8!2!2?! Because the %irst octet o% the
'ildcard "as( is a @ero, the router co"pares the %irst octet o% the inco"in) pac(et to the $alue 172, listed in the access
list! +n this case, they are the sa"e, so the router continues to the second octet o% the 'ildcard "as(, 'hich is also a
@ero! A)ain, the second octet o% the $alue o% the source address o% the inco"in) pac(et is co"pared to the $alue 1;8!
Because they are also the sa"e, the router continues to the third octet! Because the 'ildcard "as( speci%ies a @ero in
the third octet as 'ell, it continues to test the address, *ut the $alue o% the third octet does not "atch, so the pac(et is
dropped!
1or the sa(e o% e.a"ple, let/s continue to loo( at the %ourth octet, e$en thou)h in actuality the pac(et 'ould ha$e *een
dropped at this point! &he 'ildcard/s %ourth octet is $alued at 255! +n *inary, this e9uates to 11111111! +n this e.a"ple,
the $alue 0 in the access list does not "atch the $alue 2? o% the co"pared pac(etE ho'e$er, *ecause the 'ildcard
'ants us to i)nore this octet, the access list allo's the pac(et to pass 4assu"in) it hadn/t %ailed on the pre$ious octet5!
&he concept "i)ht see" pretty easy 'ith a 'ildcard $alue that deals 'ith entire octets, *ut it )ets tric(y 'hen you need
to deal 'ith an address ran)e that is s"aller than 255! &he reality is that the router doesn/t test octet *y octet, *ut *it *y
*it throu)h each o% the octets!
hat i% you 'ant to allo' tra%%ic %ro" syste"s in the address ran)e 172!1;8!1!1;I172!1;8!1!=1 onlyO &he %irst three
octets o% the 'ildcard are easy: 0!0!0! +t/s the last octet that is di%%icult! +t/s ti"e to )ra* your handy,dandy *inary
calculator! #onsider 'hat 1; loo(s li(e in *inary: 0001 0000! No' loo( at =1: 0001 1111! &he di%%erence *et'een these
t'o *inary $alues occurs in the last %our *its! &here%ore, the $alues *et'een 1; and =1 are co$ered in the ran)e 10000I
11111! &o allo' those $alues, you need to place @eros in your 'ildcard "as( %or the portions that need to "atch
e.actly, and ones %or the *inary $alues that chan)e! Because the last %our *its are the only *its that chan)e in the
desired ran)e, the 'ildcard "as( re%lects those %our *its 'ith ones! +n *inary, our 'ildcard "as( is as %ollo's:
00000000.00000000.00000000.00001111
&ranslated 'ith our *inary calculator, that is 0!0!0!15!
&his 'ildcard "as( 'or(s %or any ran)e o% 15 addresses you are co"parin), so to "a(e it 'or( %or 1;I=1, you "ust
properly re%lect the ran)e in the +- address portion o% the access list! Four %inal access list loo(s li(e this:
access-list 10 pe!"it 1+2.1-8.1.1- 0.0.0.1,
A 'ildcard "as( is al'ays conti)uous @eros and ones, 'ithout interruption, as in the e.a"ple listed pre$iously! +n so"e
cases, you need "ore than one A#L state"ent and 'ildcard "as( to co$er a ran)e o% net'or( addresses! 1or
e.a"ple, i% you 'ant to *loc( addresses in the ran)e 2=2I255, you need the co""and
access-list 110 deny ip 1+2.1-8.1.232 0.0.0.. any
to *loc( the ran)e 2=2I2=7, and you also need to speci%y
access-list 110 deny ip 1+2.1-8.1.2/0 0.0.0.1, any
to *loc( the ran)e 260I255!
lacklistin!" The lockin! of #pecific Addresses
3ne popular use o% the standard access list is the 2*lac(listin)2 o% particular host net'or(s! &his "eans that you can
*loc( a sin)le host or an entire net'or( %ro" accessin) your net'or(! &he "ost popular reason %or *loc(in) a )i$en
address is "ischie%! +% your intrusion detection syste" 4+DS5 sho's that you are *ein) scanned constantly *y a )i$en
address, or you ha$e %ound that a certain +- address see"s to *e constantly tryin) to lo) in to your syste"s, you "i)ht
si"ply 'ant to *loc( it as a pre$entati$e "easure!
1or e.a"ple, i% your intranet 'e* ser$er should only *e o%%erin) its in%or"ation to your *usiness locations in the
continental Bnited States, and you are )ettin) a lot o% hits %ro" a ran)e o% +-s in #hina, you "i)ht 'ant to consider
*loc(in) those addresses!
Warnin!
&he *loc(in) o% 2spoo%ed2 addresses can lead to a denial o% ser$ice condition! Al'ays research +- addresses *e%ore
uni%or"ly *loc(in) the"!
&he *loc(in) o% address ran)es is also a popular 'ay to 2*and,aid2 your syste" a)ainst an i""ediate threat! 1or
e.a"ple, i% one o% your ser$ers 'as *ein) attac(ed %ro" a certain +- address, you could si"ply *loc( all tra%%ic %ro" that
host or net'or( nu"*er! As another e.a"ple, i% you Gust %ound out that you had a 'idespread in%ection o% a &roGan that
contacted a re"ote +R# ser$er, you could *loc( all tra%%ic co"in) %ro" that +R# ser$er! +t 'ould *e "ore appropriate to
*loc( the tra%%ic lea$in) your net'or( to that destination, ho'e$er, *ut that 'ould re9uire an e.tended access list
*ecause standard A#Ls only %ilter on source address!
A sa"ple access list to *loc( access %ro" an outside address ran)e 'ould *e
!oute!(con'ig)&access-list 11 deny 1+2.1-8.1.0 0.0.0.2,,
!oute!(con'ig-i')& ip access-g!oup 11 in
'here the net'or( nu"*er o% the outside parties to *e *loc(ed 'ould *e 172!1;8!1!0I255! 43% course, this address
ran)e is part o% the ran)es reser$ed %or pri$ate addressin), and it/s si"ply used as an e.a"ple in this instance!5 &his
access list 'ould *e applied to the e.ternal router inter%ace, in*ound!
#p$%are
3nce + 'as perusin) "y lo)s to chec( %or +nternet connections %ro" "y net'or( durin) o%%,hours to see i% anythin)
peculiar 'as )oin) on! + noticed so"e connections that 'ere initiated in the "iddle o% the ni)ht %ro" $arious stations,
repeatedly contactin) a si"ilar net'or( address! + did so"e research on the address and deter"ined that the "a(er o%
a popular %ree'are pro)ra" o'ned it!
A%ter a *rie% inspection o% one o% the 2*eaconin)2 stations, + %ound that the %ree'are pro)ra" in 9uestion 'as loaded on
the syste"! Bein) co"pletely paranoid 4as all )ood security pro%essionals are5, + i""ediately set up a rule on "y
peri"eter router to *loc( all access to the net'or( address in 9uestion! Cany so%t'are pac(a)es search %or updates
re)ularly and do not use these auto"atic 2phonin) ho"e2 sessions %or "alicious acti$ity! :o'e$er, as a %ire'all
ad"inistrator, + ha$e to *e in control o% "y net'or(/s tra%%ic %lo'! Besides, + do 9uestion 'hy these pac(a)es need to
2call out2 se$eral ti"es a ni)ht!
3% course, "y *loc( 'as Gust a 9uic( %i. until + could unload the so%t'are at all the 2in%ected2 stations, *ut i% it so"eho'
appeared a)ain, + had no %ear o% the so%t'are )ainin) outside access! &he "oral o% the story: +t can *e a lot "ore
e%%icient to *loc( a sin)le net'or( address at your peri"eter router than to run %ro" station to station to audit so%t'are!
&'riendl$ Net&" Allo%in! #pecific Addresses
Another 'ay you can use a standard access list is to per"it tra%%ic %ro" a )i$en +- address! :o'e$er, this is not
reco""ended! Allo'in) access to an address in this "anner, 'ithout any (ind o% authentication, can "a(e you a
candidate %or attac(s and scans that use spoo%ed addresses! Because 'e can only %ilter on source address 'ith a
standard A#L, any inside de$ice 'ith an +- address can *e accessed! Also, it/s i"possi*le to protect indi$idual ser$ices
on those de$ices! +% you need to set up access li(e this and can/t do it throu)h a solution that re9uires authentication or
so"e type o% Q-N, it is pro*a*ly *est to at least use an access list that considers "ore than the source address! e/ll
discuss this "ore in the section on e.tended access lists! :o'e$er, this type o% access "ay *e suita*le in situations
re9uirin) less security, such as access *et'een internal net'or( se)"ents! 1or e.a"ple, i% Bo* in accountin) needs
access to your intranet ser$er se)"ent, a standard A#L 'ould *e a si"ple 'ay to allo' his station access!
In!ress 'ilterin!
R1# 1718 pertains to reser$ed addresses! -ri$ate0reser$ed addresses are ran)es o% +- addresses that 'ill ne$er *e
distri*uted %or pu*lic use! &his 'ay, you can use these addresses in internal net'or(s 'ithout 'orry o% accidentally
pic(in) net'or( addresses that "i)ht correspond 'ith a pu*lic address you "i)ht 'ant to access so"e day!
1or e.a"ple, i"a)ine that you are in a 'orld in 'hich reser$ed pri$ate addresses don/t e.ist! Fou are installin) a ne'
pri$ate net'or( %or your *usiness that 'ill ha$e access to the +nternet and 'ill *e runnin) &#-0+-, so you 'ill ha$e to
co"e up 'ith a ran)e o% +- addresses %or your stations! Fou don/t 'ant these stations to ha$e pu*lic addressin)
*ecause they 'on/t *e ser$in) in%or"ation to the +nternet, and you 'ill *e accessin) the +nternet throu)h a pro.y ser$er!
Fou pic( a ran)e o% +- addresses at rando" 4say, 170!170!170!0I2555! Fou con%i)ure your stations and set up +nternet
access!
>$erythin) is 'or(in) )reat until the %irst ti"e you atte"pt to access your *an(/s 'e*site and recei$e an error! Fou call
the *an(, and the *an( says that e$erythin) is %ine on its end! Fou e$entually co"e to disco$er that the *an( is ri)ht!
&he *an(/s syste" you 'ere tryin) to contact has a pu*lic +- address o% 170!170!170!10, the sa"e address you ha$e
con%i)ured %or one o% your o'n stations! >$ery ti"e your 'e* *ro'ser )oes to send in%or"ation to the *an(, it ne$er
e$en lea$es your internal net'or(! Fou/$e *een as(in) your #AD station %or a 'e* pa)e, and *ecause your #AD
station doesn/t run 'e* ser$er so%t'are, you/$e Gust *een )ettin) an error! &his e.a"ple paints a clearer picture o% 'hy
reser$ed addresses are so i"portant %or the interrelationship o% pu*lic and pri$ate &#-0+- net'or(s!
&he reser$ed ran)es are as %ollo's:
#lass A: 10!0!0!0I10!255!255!255
#lass B: 1?2!1;!0!0I1?2!=1!255!255
#lass #: 172!1;8!0!0I172!1;8!255!255
Because these ran)es are o%ten used as internal net'or( nu"*ers, they are )ood candidates %or so"eone 'ho is
cra%tin) pac(ets or doin) other "alicious pac(et,trans"ittin) *eha$ior, includin) denial o% ser$ice! &here%ore, these
ran)es should *e *loc(ed at the outside o% your net'or(! +n addition, the loop*ac( address 12?!0!0!1 4the de%ault
address that all +- stations use to 2address2 the"sel$es5 is another candidate %or *ein) *loc(ed, %or the sa"e reason!
hile you are *loc(in) in$alid addresses, you should also *loc( the "ulticast address ran)e 226!0!0!0I
2=7!255!255!255 and the in$alid address 0!0!0!0! 1ollo'in) is a sa"ple access list to acco"plish this:
!oute!(con'ig)&access-list 11 deny 10.0.0.0 0.2,,.2,,.2,,
!oute!(con'ig)&access-list 11 deny 12..0.0.0 0.2,,.2,,.2,,
!oute!(con'ig)&access-list 11 deny 1.2.1-.0.0 0.1,.2,,.2,,
!oute!(con'ig)&access-list 11 deny 1+2.1-8.0.0 0.0.2,,.2,,
!oute!(con'ig)&access-list 11 deny 22/.0.0.0 1,.2,,.2,,.2,,
!oute!(con'ig)&access-list 11 deny host 0.0.0.0
!oute!(con'ig-i')& ip access-g!oup 11 in
&hese access lists are si"ilar to the last one, denyin) access to the +- address ran)es listed in an in*ound direction on
the applied inter%ace! Notice the host (ey'ord 'hen *loc(in) 0!0!0!0 in the pre$ious e.a"ple! hen *loc(in) a sin)le
host, instead o% %ollo'in) the +- address 'ith the 'ildcard 0!0!0!0, you can precede the address 'ith the (ey'ord
host! &hese lists ha$e the sa"e 2i"plicit deny2 that any access list does! &his "eans that so"e'here in access list
nu"*er 11, a pe!"it state"ent 'ould ha$e to e.istE other'ise, all in*ound tra%%ic 'ould *e deniedH An e.a"ple o% an
appropriate pe!"it state"ent "i)ht *e one that allo's the return o% esta*lished tra%%ic, li(e the %ollo'in):
!oute!(con'ig)& access-list 111 pe!"it tcp any any esta%lished
&his is, ho'e$er, an e.tended access list, 'hich 'e/ll tal( "ore a*out later in the section 21ilterin) *y -ort and
Destination Address: &he #isco >.tended A#L!2
+t is also ad$isa*le that you create a rule to *loc( tra%%ic co"in) into your net'or( that clai"s to ha$e a source address
"atchin) that o% your internal net'or(, to co"plete your in)ress access list! Qalid tra%%ic %ro" the outside 'orld doesn/t
ha$e to ha$e the sa"e addressin) as your stations! :o'e$er, i% this tra%%ic is allo'ed to pass, it could *ypass security
"echanis"s that thin( the tra%%ic is local! +% you are usin) one o% the standard pri$ate address ran)es, this is already
done! +% you/re not, it 'ould loo( li(e this:
!oute!(con'ig)&access-list 11 deny 201.201.201.0 0.0.0.2,,
:ere, your net'or( address ran)e is 201!201!201!0I255! &his rule 'ould *e added to the pre$ious list *e%ore the line
that allo's return tra%%ic!
+n)ress %ilters are an e.cellent e.a"ple o% a "eans to use pac(et,%ilterin) technolo)y to its %ullest, on any net'or(! >$en
i% you ha$e a state%ul or pro.y %ire'all, 'hy not let your peri"eter router use pac(et %ilterin) to strip o%% this un'anted
tra%%icO Let peri"eter routers *e the 2*ouncers2 o% your net'or(, strippin) o%% the undesira*les *e%ore they e$en reach
other internal protection de$ices!
)gress Filtering
Another use o% standard access lists is %or e)ress %ilters! &he concept *ehind an e)ress %ilter is that only pac(ets 'ith
your net'or(/s source address should *e lea$in) your net'or(! &his see"s li(e a %or)one conclusion, *ut as stated in
the section on in)ress %ilters, &roGans and other ne%arious pro)ra"s "i)ht use a station on your net'or( to send
spoo%ed tra%%ic to the rest o% the 'orld! By creatin) an A#L that only allo's your su*net/s address in %ro" your net'or(,
you pre$ent this type o% tra%%ic %ro" touchin) the outside 'orld! 3% course, this 'on/t help i% the pro)ra" doesn/t spoo%
the source address, *ut "any such pro)ra"s do to help slo' the rate at 'hich they can *e traced! Such an access list
'ould loo( li(e this, assu"in) an internal net'or( address o% 172!1;8!100!0:
!oute!(con'ig)&access-list 11 pe!"it 1+2.1-8.1.0 0.0.0.2,,
+"plicit deny ta(es care o% denyin) all other source addresses! Fou could use an e.tended access list to ti)hten this
do'n e$en "ore and li"it thin)s such as the types o% tra%%ic and destinations your stations are allo'ed to access! &his
A#L 'ould *e applied to the inside inter%ace in*ound, e%%ecti$ely on the outside ed)e o% your router/s net'or( inter%ace!
Fou "i)ht *e 'onderin) 'hat the ad$anta)e is in i"ple"entin) a rule such as this! 2hat 'ill this do %or "eO2 you
"i)ht *e as(in) yoursel%! ell, it is no di%%erent %ro" du"pin) your tray at the local %ast %ood restaurantE it/s the )ood
nei)h*or policy! +t doesn/t do anythin) %or you directly 4other than possi*ly pre$ent you %ro" %acin) outside liti)ation5,
*ut i% e$eryone did it, oh 'hat a 'orld 'e 'ould li$e in! +"a)ine the e%%ect on distri*uted denial o% ser$ice attac(s that
use @o"*ies stationed on innocent people/s net'or(s! &hese %ilters 4assu"in) that the denial o% ser$ice KDoSM @o"*ies
ta(e ad$anta)e o% so"e type o% pac(et spoo%in)5 could help cripple such @o"*ies!
+t is also possi*le to set up %ilters that pre$ent tra%%ic %ro" lea$in) your net'or( %ro" speci%ied syste"s! 1or e.a"ple,
i"a)ine that you ha$e a top,secret %ile ser$er that has no +nternet access! &his syste" should only *e contacted %ro"
inside stations, and it should ne$er contact the outside 'orld or *e contacted %ro" the outside 'orld! Fou can place an
A#L on the inside router inter%ace, in*ound! +t could *e a part o% the sa"e access list that you used %or your e)ress
%ilter, *ut it 'ould ha$e to *e placed a*o$e the e)ress %ilter *ecause o% the i"portance o% rule order! +% the top,secret %ile
ser$er/s +- address 'as 172!1;8!100!?, here is ho' the entire e)ress list 'ould loo(:
!oute!(con'ig)&access-list 11 deny 1+2.1-8.100.. 0.0.0.0
!oute!(con'ig)&access-list 11 pe!"it 1+2.1-8.100.0 0.0.0.2,,
&he )i$en host/s pac(ets 'ould *e %iltered *e%ore the rule that allo's all other syste"s on the 172!1;8!100 net'or( to
enter the router! +t should *e noted that this 'ill deny all out*ound tra%%ic, so no +nternet security updates or do'nloadin)
o% the latest $irus,de%inition %ile directly to this ser$er!
Tracking #e+ected Tra**ic
hen creatin) #isco router access lists, one o% the )reatest do'n%alls o% the log (ey'ord is that it only records
"atches to the rule in 9uestion! &here%ore, i% the rule is a per"it rule, you lose the pro%oundly i"portant in%or"ation
a*out 'hich pac(ets are *ein) denied! &o trac( the tra%%ic that is *ein) %iltered *y an i"plicit deny, add a 2deny any2
A#L 'ith the log (ey'ord 4as seen in the %ollo'in) e.a"ple5 to the *otto" o% the list in 9uestion! 1unctionally, the
deny any log co""and does the sa"e thin) as the assu"ed i"plicit deny, *ut it %acilitates the lo))in) o% denied
tra%%ic! 3ne )ood application o% this concept is to trac( a*nor"al tra%%ic that is *ein) %iltered *y the i"plicit deny at the
end o% an e)ress %ilter access list! Bsin) this "ethod allo's a "eans to trac( all out*ound tra%%ic that has a source
address other than that o% your net'or(! &his is a )reat 'ay to (eep a handle on any stran)e thin)s that "i)ht *e tryin)
to snea( out o% your net'or(H :ere is a si"ple e.a"ple o% ho' you 'ould tell the router to lo) *loc(ed tra%%ic:
access-list 11 deny any log
Filtering ,y Port and Destination $ddress: T!e Cisco )-tended
$C&
Another po'er%ul use o% pac(et,%ilterin) technolo)y in$ol$es %ilterin) on pac(et header in%or"ation and port nu"*ers!
&hese e.a"ples can *e applied in the %or" o% speci%ic 2conduits2 that allo' one syste" to access another 4e.tranets5,
allo' access to a speci%ic pu*lic access syste" 4'e* or DNS ser$er5, or allo' a speci%ic type o% tra%%ic into the net'or(
4+#C- pac0et-too-%ig unreacha*les5! &his %unctionality is ena*led on a #isco router usin) the e.tended access
list!
T!e Cisco )-tended $C&
&he #isco e.tended A#L o%%ers additional %eatures that allo' "ore control o% net'or( tra%%ic %lo'! +nstead o% only *ein)
a*le to %ilter on source address, 'e ha$e the additional %le.i*ility o% destination address %ilterin), %ilterin) *ased on
protocol type, %ilterin) on speci%ic layer 6 port nu"*er in%or"ation, %la)s, and "ore! ith this additional )ranularity, the
e%%ecti$eness o% the #isco router as a pac(et %ilter is )reatly increased, "a(in) it $ia*le %or "any security concerns!
&he e.tended access list synta. is as %ollo's:
access-list number 100-199 or 2000-2699 pe!"it#deny protocol source
source-mask source-port destination destination-mask
destination port log#log-input options
Fou should reco)ni@e the %irst entries in the synta. %ro" the standard access list, up to the p!otocol (ey'ord! &his is
'here you 'ould speci%y the protocol you are interested in %ilterin)! -ossi*le selections are +-, &#-, BD-, and +#C-!
Because &#-, BD-, and +#C- are all %or"s o% +-,*ased tra%%ic, 'hen you use +- as the protocol on an access list, it
per"its or denies any o% the other three tra%%ic types! +% 'e had used an e.tended access list to su*stitute %or one o% the
standard access lists %ro" the pre$ious section, +- 'ould ha$e *een the appropriate choice *ecause it 'ould ha$e
*loc(ed all +- tra%%ic types 4BD-, &#-, and +#C-5!
Re"e"*er the i"portance o% rule order! >ach inco"in) pac(et is chec(ed *y each access list in order %ro" top to
*otto"! hen a pac(et "atches the criteria in any one o% the access lists, an action is per%or"ed! +% it is a per"it %ilter,
the pac(et is %or'ardedE i% it is a deny %ilter, the pac(et is dropped! No rules test the pac(et *eyond the rule that the
pac(et "atched! Bse the %ollo'in) code to allo' a particular pac(et in 4let/s say that its +- address is 205!205!205!15 i% it
is &#- *ut to deny it entry i% it uses any other +- protocol:
access-list 111 deny ip host 20,.20,.20,.1 any
access-list 111 pe!"it tcp host 20,.20,.20,.1 any
&he %irst rule 'ould test true %or a &#- pac(et o% address 205!205!205!1! Because it is a 2deny2 rule, the pac(et 'ould
*e dropped! &he pac(et 'ould ne$er )et to *e tested *y the second rule! +% the t'o rules 'ere re$ersed in order, 'ith
the &#- rule %irst, the %ilter 'ould 'or( correctly!
+n the e.tended access list/s synta., the source address and "as( should loo( %a"iliarE the destination address and
"as( %ollo' the sa"e %or"at, and si"ply "ean 2'here it is )oin)2 instead o% 2'here it is %ro"!2 &he (ey'ord any can
*e used to represent the nu"erical ran)e 0!0!0!0I255!255!255!255, or all addresses!
&his is the %irst ti"e you see ports listed as part o% an access list! As "entioned pre$iously, ports are an i"portant part
o% &#-0+- and the access lists! &he source port or destination port entry can speci%y the type o% tra%%ic you
'ant to allo' or disallo'! hen speci%yin) a port nu"*er or na"e, you "ust also include an operator, such as eq
4"eanin) e9ual to this port nu"*er5, gt 4%or any port a*o$e this nu"*er5, lt 4%or any port less than this nu"*er5, or
"y %a$orite !ange 4to list an entire conti)uous ran)e o% port nu"*ersE use the synta. !ange port1 port2, 'here
port1 is the %irst port in the ran)e and port2 is the last5!
>.tended access lists are con%i)ured and applied Gust li(e standard access lists, includin) the association o% an access
)roup to an inter%ace! Cany options can *e added to the end o% the access list, such as log 4as "entioned in the
standard access list5 or log-input 4'hich also displays the input inter%ace and source CA# address5, %la)s to chec(
%or, and the esta%lished (ey'ord!
&'riendl$ Net& (e)isited
As "entioned pre$iously, allo'in) access to a )i$en +- address is not a %a$ored practice! &he "ain reason %or this is
lac( o% control and the dan)ers o% spoo%in)! Bsin) a standard A#L to allo' access is a pro*le" *ecause the only thin)
'e ha$e control o$er is 'hich +- address 4or ran)e5 can access the entire inside net'or(! &his "eans that not only can
the host or ran)e o% hosts speci%ied access any station on the inside, *ut it also can do so on any port nu"*er! &his is
not )ood! >.tended access lists can at least help ti)hten up that control! e can speci%y the destination host 4or ran)e5
to 'hich the host can connect, as 'ell as the port on 'hich they can co""unicate! &his 'ay, 'e can allo' an outside
trusted host to access our 'e* ser$er 4only5 on port 80 4only5! &a(e a loo( at this e.a"ple:
access-list 111 pe!"it tcp host 100.100.100.1 gt 1023 host
200.200.200.2 eq 80 log
&his e.a"ple assu"es that the trusted host is at address 100!100!100!1 and our tar)et 'e* ser$er is at address
200!200!200!2! e only allo' tra%%ic %ro" the trusted host on ephe"eral ports, and only to port 80 on our 'e* ser$er!
e add the log (ey'ord to trac( tra%%ic that is passin) this rule!
&his is not secure! All this )uarantees is that 'e ha$e control o$er those speci%ied ite"s, helpin) to lessen the a*ility o%
outsiders to e.ploit our de%ense! &his A#L can *e su*$erted in other 'ays!
3nly allo'in) port 80 tra%%ic doesn/t ensure that only 'e* tra%%ic 'ill transpire %ro" the outside host to our 'e* ser$er! As
a "atter o% %act, i% a %la' e.ists to *e e.ploited in our 'e* ser$er, and an attac(er can )et a &elnet pro)ra" or other
*ac(door runnin) on our 'e* ser$er on port 80, the ser$er "i)ht as 'ell *e 'ide open! +% this syste" is on a pri$ate
net'or( and not on a separate screened su*net, 'e are Gust a %e' leaps a'ay %ro" *ein) %ully co"pro"ised, especially
i% the 'e* ser$er has a trust relationship 'ith any other "ission,critical ser$ers on our net'or(!
Be sure to ti)htly harden the syste" i% you elect to control access to its resources solely throu)h the use o% pac(et
%ilters, 'ithout %urther authentication! +% possi*le, run a "ultiple inter%ace router 4or pac(et,%ilterin) de$ice5 or "ultiple
le$els o% pac(et,%ilterin) de$ices 'here you can structure a separate su*net %or pu*lic access syste"s!
'ilterin! TCP and *DP Ports and ICMP T$pes
Another handy %unction o% the e.tended access list is the %ilterin) o% certain types o% tra%%ic! Fou can control the types o%
tra%%ic that lea$e your net'or(, in e%%ect en%orcin) your security policy! Fou can allo' or disallo' certain types o% tra%%ic
that enter your net'or(! Denyin) tra%%ic to a list o% popular &roGan pro)ra" ports or to ports that pro)ra"s use that
con%lict 'ith your +nternet usa)e or security policies 4+R#, Ka@aa, instant "essa)in) pro)ra"s, and so on5 can also *e
an e.tra layer o% de%ense! As stated pre$iously, it "a(es "ore sense to only allo' 'hat you need! A "ore co""on use
o% port %ilterin) is allo'in) tra%%ic types that can enter or lea$e your net'or(, li(e the e.a"ple in the pre$ious section! 1or
a list o% "ission,critical ports that any en$iron"ent should consider de%endin), see Appendi. A o% the SANS &op 20
Qulnera*ilities, a$aila*le at http:00'''!sans!or)0top20!
Another use %or this type o% %ilterin) is to allo' or disallo' certain in%or"ati$e +#C- "essa)es entrance to your net'or(!
+#C- is one o% the "ost e.ploited o% the protocols! +t is *ein) used %or reconnaissance, denial o% ser$ice attac(s 4such
as s"u!'5, and "ore! +t is reco""ended that you *loc( inco"in) echo re9uests 4pin) and indo's traceroute5, *loc(
any out)oin) echo replies, and *loc( ti"e e.ceeded, %or "a.i"u" security! All the +#C- tra%%ic types can *e *loc(ed
'ith e.tended A#Ls! &he use o% any +#C- *loc(in) %ilters could a%%ect net'or( tra%%ic control!
+#C- doesn/t 'or( li(e the other protocols! +nstead o% ha$in) port nu"*ers, it uses type and code identi%iers! +t is
*asically set up to send error "essa)es %or protocols that can/t 4such as BD- and +-5 and to send in%or"ational
"essa)es 4such as router error "essa)es tellin) that a host is unreacha*le5! +#C- is used *y popular end,to,end
trou*leshootin) utilities such as pin) and traceroute! +#C- can *e controlled *y usin) #isco access lists 'ith special
+#C- (ey'ords or +#C- type nu"*ers, instead o% port nu"*ers such as &#- and BD- access lists!
&o *loc( +#C- echo re9uests 4+#C- type 85, 'e could use a line in an e.tended access list such as this:
!oute!(con'ig)&access-list 111 deny ic"p any any echo-!equest
&he "ain di%%erence *et'een this access list and others 'e ha$e loo(ed at is the (ey'ord at the end o% the line! &his
(ey'ord represents the +#C- type and code %or echo re9uests! +t "eans, 2deny any +#C- tra%%ic %ro" any'here to
any'here 'ith the type and code set to echo-!equest!2 &his %ilter 'ould *e applied on the e.ternal router inter%ace
to the +nternet! 3ther +#C- tra%%ic types can *e %iltered in the sa"e 'ay usin) their type,o%,ser$ice (ey'ords!
A *etter 'ay to handle the +#C- *loc(in) 'ould *e to allo' only the types o% tra%%ic that you 'ant and then deny the
rest! 1or e.a"ple, one i"portant +#C- pac(et type to allo' in is the pac0et-too-%ig +#C- unreacha*le
"essa)es 4type =, code 65! &his is *ecause 'ithout this "essa)e, you could ha$e "aGor co""unications issues! hat
i% a host can/t recei$e a pac(et *ecause it is too lar)e %or the router to handle and the router isn/t allo'ed to return
in%or"ation to the host tellin) it that the pac(et is too lar)eO :o' 'ill the sender e$er %ind out 'hat is 'ron) and
success%ully co""unicate 'ith the hostO Luc(ily, in this e.a"ple, #isco has an +#C- (ey'ord %or the pac0et-too-
%ig "essa)e! &his (ey'ord could *e applied as %ollo's, per"ittin) the pac0et-too-%ig "essa)es, *ut denyin)
all other +#C- "essa)es:
!oute!(con'ig)&access-list 111 pe!"it ic"p any any pac0et-too-%ig
!oute!(con'ig)&access-list 111 deny ic"p any any
&he %ilter 'ould *e applied as usual 'ith an ip access-g!oup 111 in co""and!
Pro,lems wit! Packet Filters
Despite the "any positi$e uses o% pac(et %ilters, pro*le"s e.ist due to inherent li"itations in the 'ay pac(et %ilters 'or(!
Spoo%ed and %ra)"ented tra%%ic can *ypass the pac(et %ilter i% protections aren/t properly i"ple"ented! +n addition,
*ecause o% the al'ays,open nature o% a 2per"it2 static pac(et %ilter, issues e.ist 'ith openin) such a 2hole!2 1inally,
allo'in) return tra%%ic can *e di%%icult usin) a technolo)y that lac(s the a*ility to trac( the state o% the current tra%%ic %lo'!
&o success%ully de%end a net'or( 'ith pac(et %ilterin), these 'ea(nesses "ust *e understood!
S.oo*ing and Source #outing
Spoofing "eans sendin) a pac(et that is addressed 'ith %alse in%or"ation, so it appears to co"e %ro" so"e'here
other than 'here it did! A pac(et can *e addressed as i% it ca"e %ro" an internal host on the tar)et net'or(, one o% the
pri$ate address ran)es, or e$en another net'or( entirely! 3% course, a pac(et doesn/t do this on its o'nE the pac(et has
to *e cra%ted or created 'ith special pac(et,cra%tin) so%t'are!
+% your de%ense isn/t set up correctly and the pac(et )ets throu)h, it/s possi*le that an internal host could *elie$e the
pac(et ca"e %ro" a 2trusted2 host that has ri)hts to pri$ate in%or"ation, and could in turn reply to the spoo%ed addressH
Fou "i)ht *e as(in) yoursel%, 2+% the pac(et appeared to co"e %ro" a station other than the one that sent it, 'here 'ill
the response )oO2 ell, the ans'er in typical &#-0+- co""unication is to the real host, 'hich 'ouldn/t (no' 'hat to do
'ith the pac(et, and 'ould drop it and send a reset to the ori)inator! :o'e$er, i% source routin) is ena*led, the i"poster
pac(et could carry source,routin) in%or"ation that 'ould allo' it to tell the station 'here it needs to *e sent to )o ho"e!
Source routin) allo's a pac(et to carry in%or"ation that tells a router the 2correct2 or a *etter 'ay %or it to )et *ac( to
'here it ca"e %ro", allo'in) it to o$erride the router/s prescri*ed routin) rules %or the pac(et! &his could allo' a
de$ious user to )uide return tra%%ic 'here$er he 'ants! 1or this reason, it is i"perati$e to ha$e source routin) disa*led!
+t is easily disa*led in a #isco router 'ith the %ollo'in) co""and typed at the )lo*al con%i)uration pro"pt:
!oute!(con'ig)&no ip sou!ce-!oute
:o'e$er, *y *loc(in) any pac(et that clai"s to ha$e an unusa*le address *e%ore it can enter, 'e can help re"o$e the
pro*le"! &his is 'here in)ress %ilters co"e into play! &he *est place to cut o%% pac(ets li(e these is 'here they enter: on
the peri"eter router/s inter%ace that connects your net'or( to the +nternet!
Fragments
Cany o% the )reat %ra)"entin) attac(s 'ere ori)inally desi)ned to de%eat pac(et,%ilterin) technolo)y! 3ri)inally, so"e
pac(et,%ilterin) technolo)ies allo'ed all %ra)"ents to pass, 'hich 'asn/t )ood! A%ter this 'as reco)ni@ed as a security
concern, "any syste"s *e)an chec(in) the %irst %ra)"ent to $eri%y that the header in%or"ation passed the tests set
%orth *y the A#Ls! +% this initial %ra)"ent %ailed the test and didn/t pass throu)h the router, the rest o% the %ra)"ents could
ne$er *e re%or"ed at the other side, in theory sol$in) the pro*le"!
1
Because o% the 'ay pac(et %ilterin) e.a"ines the header in%or"ation, it could *e de%eated *y splittin) up the pac(et into
such s"all pieces that the header containin) &#- or BD- port in%or"ation 'as di$ided! Because the %irst %ra)"ent 'as
o%ten the only %ra)"ent that "any popular pac(et,%ilterin) syste"s chec(ed and that the +- address in%or"ation 'ould
pass, the entire reasse"*led pac(et 'ould *e passed! +n addition, pac(et %ilterin) 'as disco$ered to *e $ulnera*le to
other %ra)"entin) attac(s, includin) attac(s that allo'ed a second %ra)"ent to o$erlap a see"in)ly har"less &#- or
BD- port in the initial %ra)"ent 'ith de$iously chosen port in%or"ation!
2
Cany cle$er 'ays 'ere deter"ined that could
*ypass the pac(et %ilter/s inspection capa*ilities!
As ti"e 'ent *y, pac(et,%ilterin) product "anu%acturers ad$anced their technolo)y, and solutions 'ere proposed to
"any o% the co""on %ra)"ent attac( "ethods! R1# 1858 de%ined "ethods to deter %ra)"ent %lo', includin) droppin)
initial %ra)"ents that 'ere s"aller than a de%ined si@e or droppin) a second %ra)"ent *ased on in%or"ation %ound in it!
=
&he "ost i"portant point on usin) a pac(et,%ilterin) de%ense to protect your net'or( %ro" %ra)"ent attac(s is to $eri%y
that you ha$e the latest %ir"'are and security patches 4or in the case o% #isco routers, the latest +3S so%t'are5! &hese
updates re%lect the chan)es "ade to de%end a)ainst %ra)"ent attac(s such as those "entioned! 1or "ore co"plete
%ra)"ent protection, so"e %ire'all technolo)ies include "ethods such as %ra)"ent reasse"*ly *e%ore pac(ets are ruled
on, the %or"in) o% ta*les that trac( decisions re)ardin) initial %ra)"ents, and the *asin) o% outco"e o% noninitial
%ra)"ents on their predecessors! &hese technolo)ies are not inherent in pac(et,%ilterin) syste"s, and they "ust *e
chec(ed %or 'hen purchasin) an indi$idual product!
#isco access lists can disallo' %ra)"ented tra%%ic usin) the %ollo'in) access list as the %irst in an A#L series:
!oute!(con'ig)& access-list 111 deny ip any any '!ag"ents
&his access list disallo's any noninitial %ra)"ents that ha$e "atchin) +- address in%or"ation, *ut it allo's non,
%ra)"ents or initial %ra)"ents to continue to the ne.t access list entry *ecause o% the '!ag"ents (ey'ord at the end
o% the A#L! &he initial %ra)"ents or non,%ra)"ents are denied or allo'ed *ased on the access lists that %ollo' the
precedin) e.a"ple! :o'e$er, %ra)"ented tra%%ic is a nor"al part o% so"e en$iron"ents, and a state"ent li(e the
pre$ious e.a"ple 'ould deny this nor"al tra%%ic, as 'ell as "aliciously %ra)"ented tra%%ic! &his e.a"ple 'ould only *e
used in an en$iron"ent that 'arrants the hi)hest security to %ra)"entation attac(s, 'ithout %ear o% the loss o% potential
usa*ility!
'.ening a /Hole/ in a Static Packet Filter
3ne o% the )reat %la's o% static pac(et %ilterin) is that to allo' a protocol into a net'or(, you need to open a 2hole!2 +t is
re%erred to as a hole *ecause no additional chec(in) ta(es place o% the type o% tra%%ic allo'ed in or out *ased on "ore
intelli)ent "ethods o% detection! All you can do is open an indi$idual port on your protecti$e 'allE as 'ith a *ullet hole
throu)h a three,%oot 'all, you can/t shoot any'here else on the other side, *ut you can %ire strai)ht throu)h the e.istin)
hole repeatedly! &he i"portance o% this analo)y is that so"ethin) "ust *e on the other side at the port in 9uestionE
other'ise, you 'on/t *e a*le to hit it!
+t is reco""ended 'hen openin) a port usin) an access list o% this type that you li"it the tar)et hosts as "uch as
possi*le 'ith the access list! &hen, i% you ha$e a secured ser$er 'ith all patches and no $ulnera*ilities 4%ound as o%ten
as el$es and %our lea% clo$ers5 that you are allo'in) to ser$ice this port, this isn/t such a *ad thin)! :o'e$er, i% your host
syste" is e.ploita*le throu)h 'hate$er port nu"*er you ha$e open, it is possi*le that any tra%%ic can *e sent throu)h
that 2hole,2 not Gust the protocol that 'as runnin) on the host inside!
Two"way Tra**ic and t!e established 0eyword
hen 'e co""unicate 'ith another host, it/s not Gust us connectin) to the host, *ut also the host connectin) to usDa
t'o,'ay connection! &his presents a pro*le" 'hen it co"es to pre$entin) un'anted access 'ith a pac(et %ilter! +% 'e
try to *loc( all inco"in) tra%%ic, 'e pre$ent the return connection %ro" hosts 'e are tryin) to contact!
:o' can 'e allo' only return tra%%icO &he ori)inal ans'er that #isco ca"e up 'ith 'as the esta%lished (ey'ord %or
e.tended access lists! ith the 'ord esta%lished added to an access list, any tra%%ic, other than return tra%%ic, is
*loc(ed, theoretically! &he esta%lished (ey'ord chec(s to see 'hich %la)s are set on inco"in) pac(ets! -ac(ets
'ith the A#K %la) set 4or RS& %la)5 'ould pass, and only response tra%%ic o% the type speci%ied could e$er )et throu)h,
ri)htO ron)H &he co"*ination o% certain pieces o% so%t'are and snea(y, ne%arious users results in 'hat/s (no'n as a
crafted packet, 'hich is a pac(et that the co""unicatin) host does not create in the nor"al 'ay, *ut *uilds
1ran(enstein,style %ro" so%t'are residin) on a host! Bsers can set any %la) they 'ant!
hat happens i% a pac(et that 'as cra%ted 'ith "alicious intent appears 'ith the A#K %la) set in an atte"pt to snea( *y
the router/s %iltersO &he esta%lished (ey'ord access list lets it )o throu)h, 'hich isn/t )ood! &he )ood ne's is that
an internal syste" that is listenin) %or a ne' connection 4initiated *y a SFN pac(et5 'ould not accept the A#K pac(et
that is passed! +t 'ould *e so o%%ended *y the pac(et that it 'ould send a reset *ac( to the ori)inator, tellin) it to try
a)ain!
&his sounds li(e a )ood thin), *ut it has t'o %la's! 1irst, it pro$es that a station e.ists at the address to 'hich the
pac(et 'as sent! +% a station didn/t e.ist there, a reset pac(et 'ouldn/t *e returned! &his scannin) techni9ue 'or(s and
is pretty stealthy as 'ell! Second, *ecause it is elicitin) a response %ro" a pri$ate syste", this techni9ue "i)ht *e used
success%ully %or a denial o% ser$ice attac(! +nternal syste"s could *e repeatedly hit 'ith scores o% A#K pac(ets, causin)
those syste"s to atte"pt reply a%ter reply 'ith RS& pac(ets! &his is %urther accentuated *y spoo%in) the source address
on the A#K pac(ets, so the tar)eted net'or( 'ould *e %e$erishly %irin) resets *ac( to another innocent net'or(!
1ortunately, the innocent net'or( does not respond to the resets, pre$entin) a second $olley %ro" *ein) thro'n at the
tar)et net'or(!
Despite the dra'*ac(s o% the esta%lished (ey'ord, it is one o% the only static "eans *y 'hich a #isco router can
allo' only return tra%%ic *ac( in to your net'or(! &he %ollo'in) is an e.a"ple o% an esta*lished access list:
!oute!(con'ig)&access-list 101 pe!"it tcp any any est log
&his *asic e.tended access list allo's any &#- tra%%ic that has the A#K *it set, "eanin) that it allo's only return tra%%ic
to pass! +t is applied in*ound on the outside router inter%ace, and it can lo) "atches 'ith the appended log (ey'ord! +t
also allo's RS& pac(ets to enter 4*y de%inition5 to help %acilitate proper &#- co""unication! A "ore secure $ersion o%
this sa"e list 'ould *e this:
!oute!(con'ig)&access-list 101 pe!"it tcp any eq 80
1+2.1-8.1.0 0.0.0.2,, gt 1023 est log
!oute!(con'ig)&access-list 101 pe!"it tcp any eq 23
1+2.1-8.1.0 0.0.0.2,, gt 1023 est log
!oute!(con'ig)&access-list 101 pe!"it tcp any eq 2,
1+2.1-8.1.0 0.0.0.2,, gt 1023 est log
!oute!(con'ig)&access-list 101 pe!"it tcp any eq 110
1+2.1-8.1.0 0.0.0.2,, gt 1023 est log
+n this case, the inside net'or( address is 172!1;8!1!0I255! &hese access lists are applied in*ound on the e.ternal
router inter%ace! By 'ritin) your access list this 'ay, you allo' tra%%ic only %ro" appro$ed protocol port nu"*ers 4'e*
tra%%ic, &elnet, e"ail, and so on5 to your internal net'or( addresses, and only to ephe"eral ports on your syste"s!
:o'e$er, an access list o% this type still has pro*le"s! +t 'ould not support 1&- %or reasons 'e 'ill )o o$er in an
upco"in) section, and it only handles &#- tra%%ic!
The established +e$%ord and the Pro,le- of DN#
Re"e"*er that the pre$ious A#L did not allo' BD- tra%%ic or +#C- tra%%ic! &he esta%lished 4or est5 (ey'ord is
only $alid %or &#- access lists! Access lists allo' needed +#C- and BD- tra%%ic, 'hich 'ould ha$e to *e included alon)
side o% this esta%lished access list, to %or" a co"prehensi$e %ilter set! ithout BD-, outside DNS is a real
pro*le", disa*lin) +nternet %unctionality! &his sho's one o% the *i))est %la's o% the est (ey'ord as an e%%ecti$e
de%ense "echanis"! &o %acilitate +nternet access 'ith the est (ey'ord, a BD- access list "ust *e included, allo'in)
any DNS return tra%%ic! Re"e"*er that return tra%%ic is co"in) to a rando"ly chosen port a*o$e 102=, 'hich "eans that
to e%%ecti$ely allo' any DNS responses, you need an access list li(e this:
access-list 101 pe!"it udp host 1+2.1-8.1.1 eq ,3
1.2.1-.100.0 0.0.0.2,, gt 1023 log
&his A#L assu"es that the e.ternal DNS ser$er/s address is 172!1;8!1!1 and that your internal net'or( is
1?2!1;!100!0I255! By addin) this line to your e.istin) access list 101, you allo' DNS responses to your net'or(!
:o'e$er, you also lea$e yoursel% open to outside access on ports )reater than 102= %ro" that e.ternal DNS ser$er!
Four security red alert should *e )oin) o%% a*out no'H &his 'ould *e a )reat ar)u"ent %or *rin)in) DNS inside your
peri"eterE ho'e$er, that DNS ser$er 'ould then need to *e a*le to access outside DNS ser$ers %or 9ueries and @one
trans%ers! &o allo' the DNS ser$er to "a(e out*ound DNS 9ueries, a si"ilar access list 'ould need to *e added to the
router:
access-list 101 pe!"it tcp any host 1.2.1-.100.3 eq ,3
access-list 101 pe!"it udp any host 1.2.1-.100.3 eq ,3
&his allo's all tra%%ic throu)h port 5= to your inside 4and hope%ully 'ell,hardened5 DNS ser$er! +deally, such a pu*lic
access ser$er 'ould *e on a separate screened su*net %or "a.i"u" security!
Re"e"*er that neither solution pro$ides %or additional BD- or +#C- support! +% access to either is needed in your
speci%ic en$iron"ent, "ore 2holes2 ha$e to *e opened!
Protocol Pro,lems: )-tended $ccess &ists and FTP
1ile &rans%er -rotocol 41&-5 is a popular "eans to "o$e %iles *ac( and %orth *et'een re"ote syste"s! Fou need to *e
care%ul o% outside 1&- access *ecause it could allo' a "alicious user to pull co"pany in%or"ation or ser$er in%or"ation
4includin) pass'ord %iles5 %ro" inside ser$ers! A user could upload %iles in an atte"pt to %ill a hard dri$e and crash a
ser$er, upload a &roGan, or o$er'rite i"portant ser$er con%i)uration %iles 'ith ones that allo' co"pro"ise o% the ser$er!
1&- is also one o% the "ore co"plicated ser$ices to secure *ecause o% the 'ay it 'or(s! Securin) 4or *loc(in)5 an
inco"in) connection is relati$ely easy, *ut securin) out)oin) 1&- connections is considera*ly "ore di%%icult! Let/s ta(e
a loo( at a trace that sho's standard 1&- co""unication *et'een a client and a ser$er!
1irst is the out)oin) connection 'ith &#-0+-/s three,'ay handsha(e:
client.co"./,-. $ se!1e!.co".212 3 123/,-.8+02123/,-.8+0(0)
se!1e!.co".21 $ client.co"./,-.2 3 32/2/,-.8+232/2/,-.8+(0) ac0 123/,-.8+0
client.co"./,-. $ se!1e!.co".212 . ac0 1
Ne.t is the inco"in) connection 'hen esta*lishin) data channel:
se!1e!.co".20 $ client.co"./,-82 3 3-122//8+-23-122//8+-(0)
client.co"./,-8 $ se!1e!.co".202 3 18101-++11218101-++11(0) ac0 3-122//8+-
se!1e!.co".20 $ client.co"./,-82 . ac0 1
&he %irst part o% the co""unication is a nor"al three,'ay handsha(e, *ut 'hen the data channel is esta*lished, thin)s
*eco"e co"plicated! &he ser$er starts a connection session %ro" a di%%erent port 4&#- 205 than the one the client
ori)inally contacted 4&#- 215, to a port )reater than 102= port on the client that di%%ers %ro" the one the client ori)inally
used! Because the ser$er starts the connection, it is not considered return tra%%ic and 'on/t pass throu)h e.tended
access lists 'ith the esta%lished (ey'ord or dyna"ic re%le.i$e access lists! +n turn, to open the router %or standard
1&-, you "ust allo' any tra%%ic 'ith a destination &#- port )reater than 102= and a source port o% 20, 'hich is a
si)ni%icant security hole!
3ne 'ay to )et around this pro*le" is to use passi$e 4-ASQ5 1&-! -ASQ 1&- 'or(s li(e standard 1&- until the data
connection! +nstead o% connectin) to the client %ro" port 20 to a rando" port )reater than 102=, the 1&- ser$er tells the
client 4throu)h the port that the client last used to connect to it5 'hat )reater,than 102= port it 'ants to use to trans%er
data! ith this port nu"*er, the client esta*lishes a connection *ac( to the 1&- ser$er! No' let/s loo( at a trace o% our
pre$ious e.a"ple/s data connection, this ti"e usin) -ASQ 1&-:
client.co"./,-8 $ se!1e!.co".3/,-2 3 18101-++112 18101-++11(0)
se!1e!.co".3/,- $ client.co"./,-82 3 3-122//8+-23-122//8+-(0) ac0 18101-++11
client.co"./,-8 $ se!1e!.co".3/,-2 . ac0 1
All tra%%ic that co"es %ro" the ser$er is esta*lished tra%%ic, per"ittin) e.tended lists 'ith the esta%lished (ey'ord to
%unction correctly! Bsin) -ASQ "ode 1&- re9uires *oth the 1&- ser$er and client to support -ASQ "ode trans%ers!
#han)in) to passi$e 1&- clients isn/t a pro*le" %or "ost sites *ecause "ost popular 1&- clients support -ASQ "ode!
Cost o% the "aGor 'e* *ro'sers support -ASQ "ode 1&- as 'ellE ho'e$er, this "i)ht re9uire so"e "inor setup, such
as )oin) to a pre%erences section and selectin) -ASQ or passi$e 1&- "ode support! Bsin) an A#L li(e the %ollo'in)
e.a"ple 'ould *e one 'ay to handle in*ound return -ASQ 1&- tra%%ic:
!oute!(con'ig)&access-list 101 pe!"it tcp any gt 1023 1+2.1-8.1.0
0.0.0.2,, gt 1023 est log
The Case of the Co)ert Channel
As a youn) security practitioner, + had the scare o% "y li%e! + rando"ly )ra**ed so"e lo) %iles and started loo(in)
throu)h the", Gust )i$in) a rando" spot chec( %or anythin) that see"ed out o% the ordinary! A*out hal%'ay throu)h, +
ran into a con$ersation *et'een one o% "y net'or( stations 'ith an outside, unreco)ni@ed +- address!
&he ports in 9uestion 'ere disconcertin)! &he inside station 'as usin) &#- port 1?61, and the outside port 'as "uch
hi)her, in the =000s! &he hi)her nu"*er 'as an unde%ined port, *ut 'ith a 9uic( chec( o% so"e port listin)s, + %ound that
port 1?61 happened to *e de%ined as 2#isco net "ana)e"ent!2 + 'asn/t %a"iliar 'ith this, *ut 'e 'ere in a #isco
en$iron"ent! &he terrorH &he =000 ran)e port "ust ha$e *een a )enerated port, and the outside entity 'as contactin)
"e on port 1?61!
&his lo) %ile cau)ht the "iddle o% the con$ersation, so + couldn/t loo( at the *e)innin) to $eri%y that "y theory 'as
sound! + needed "ore in%or"ation, so + 'ent to "y pro.y lo) to chec( speci%ics on the connection! &he outside entity
appeared to *e uploadin) so"e (ind o% 1&- pro)ra" to the station in 9uestion! &his 'as )ettin) 'orse instead o%
*etter!
+ did "ore research to %ind out 'hose station had the D:#- assi)ned address in 9uestion durin) the trans%er! &he
2"alicious2 +- address *elon)ed to an 1&- ser$er! A tiny li)ht *ul* 'ent o%% in "y head! + 'ent to the user and as(ed i%
he had *een doin) any 1&- do'nloads at the ti"e in 9uestion! :e concurred! :e had *een do'nloadin) a ne' $ersion
o% an 1&- client! Because 'e used -ASQ 1&-, the data channel port nu"*er 'as not the de%ault port 20, *ut a hi)h,
nu"*ered port deter"ined as pre$iously stated!
+% you choose -ASQ 1&-, *e a'are o% %alse alar"s re)ardin) co$ert channelsH
&his A#L assu"es that our internal net'or( addresses are 172!1;8!1!0I255 and that they are part o% a "ore co"plete
access list allo'in) other, "ore standard tra%%ic types! &he pro*le" 'ith this access list is that despite the %act that only
return tra%%ic is allo'ed 4in theory5, you "ust lea$e open all )reater,than 102= &#- ports %or return access *ecause you
don/t (no' 'hat data channel port the 1&- ser$er you are contactin) 'ill choose! Althou)h this A#L is "ore secure
than so"e o% the pre$ious options, it still isn/t a stron) security stance! ouldn/t it *e nice i% it 'ere possi*le to %ind out
'hat port nu"*er you 'ere usin) to contact the -ASQ 1&- ser$er e$ery ti"e, and use that in%or"ation to allo' the
tra%%ic *ac( inO
Dynamic Packet Filtering and t!e #e*le-i%e $ccess &ist
Cany o% the pro*le"s that %ace static pac(et %ilterin), the #isco standard, and e.tended access lists can *e alle$iated
*y dyna"ic pac(et,%ilterin) technolo)y! &he concept is that %ilters are *uilt on,the,%ly as needed and torn do'n a%ter
connections are *ro(en!
Re%le.i$e access lists are e.a"ples o% dyna"ic pac(et,%ilterin) technolo)y! A criterion is set up on the out*ound
inter%ace that 'atches de%ined connection types to the outside 'orld! hen the tra%%ic returns, it is co"pared to an
access list that 'as dyna"ically created as the out)oin) tra%%ic le%t the net'or(!
1or e.a"ple, perhaps you ha$e a client that has an +- address o% 172!1;8!100!2 and ha$e set up a re%le.i$e access list
to chec( %or &#- tra%%ic usin) the &elnet port! &he re%le.i$e access list 'ould see the client sendin) the &elnet pac(et
out the )reater than 102= port 4let/s say 10?2 'as rando"ly pic(ed5 to port 2= on so"e +- address 4let/s say
100!100!100!15 o% a &elnet ser$er! &he re%le.i$e access list 'ould then )enerate an inco"in) access list *ased on this
out)oin) connection! +t 'ould ta(e the out)oin) connection
4lient 1+2.1-8.100.2.10.2 $ telnet se!1e! 100.100.100.1.23
and re$erse it into an inco"in) access list that per"its tra%%ic %ro" 100!100!100!1 on port 2=, to client 172!1;8!100!2 on
port 10?2, li(e this:
pe!"it tcp host 100.100.100.1 eq 23 1+2.1-8.100.2 eq 10.2
&his dyna"ically )enerated list 'ould *e deleted a%ter the connection 'as ended 4a )race%ul 1+N e.chan)e or RS&
pac(et 'as sent5! Because this access list type doesn/t rely on the &#- %la) *its set, it 'or(s 'ith BD- and +#C- tra%%ic
as 'ell! 1or non,&#- tra%%ic, the connection is torn do'n a%ter a ti"eout $alue e.pires! &he ti"eout can *e set per
access list, or it can de%ault to the )lo*al ti"eout o% =00 seconds! &his %eature allo's "a.i"u" security %or return tra%%ic
*ecause lists are created and re"o$ed %or indi$idual co""unication sessions! &his capa*ility to (eep trac( o%
connections "a(es the re%le.i$e access list the sa%est o% the three access list types, *ut also the slo'est!
Syntactically, re%le.i$e access lists are *asically a su*set o% e.tended access listsDspeci%ically, 2na"ed2 e.tended
access lists! Na"ed lists 'ere created in #isco +3S $ersion 11!2 %or t'o "ain reasons! 1irst, lar)e enterprises could run
out o% nu"*ers %or access lists usin) the old "ethod! Second, its na"e could e.plain %or 'hat purpose the list 'as
*ein) used!
#e./ence and the Na-ed Access List
3ne o% the *est %eatures o% the na"ed access list is that indi$idual entries can *e added or deleted 'ithout the list
ha$in) to *e co"pletely re,created! Fou si"ply enter the access list con%i)uration "ode *y typin)
ip access-list e*tended na"e
'here name is the na"e o% the access list you 'ant to edit! &he pro"pt 'ill chan)e to loo( li(e this:
!oute!(con'ig-e*t-nacl)&
At this point, you can delete entries *y typin) an e.istin) entry preceded *y no, or you can enter additional entries that
'ill auto"atically *e added to the end o% the list! &he %act that entries are added to the end o% the list can *e an issue,
due to the pro*le"s 'ith rule order! +n pre$ious $ersions o% +3S, the only 'ay this could *e corrected 'as *y re,creatin)
the entire list or *y deletin) all the co""ands at the end o% the list that you 'ant the ne' entry to *e placed *e%ore and
then re,addin) the" *ac( in a%ter addin) the ne' entry! Anyone 'ho has done this (no's it is a "aGor hassle!
No' in $ersions 12!24155& and 12!=425& and later, the se9uence %eature has *een introduced! Be%ore enterin) the
pe!"it or deny (ey'ord, you can add a se9uence nu"*er, ena*lin) the place"ent o% a ne' access list entry
any'here in an access list! &o de"onstrate this %eature, let/s loo( at the %ollo'in) access list:
ip access-list e*tended test
10 pe!"it tcp any any
20 pe!"it ip any any log
+n the past, a ne' entry 'ould *e placed a%ter the last listed entry! :o'e$er, 'ith the se9uence %eature, 'e can choose
a $alue *elo' 10 to place the entry at the *e)innin) o% this list, *et'een 10 and 20 to put the entry *et'een the t'o
listed entries, or )reater than 20 to add it to the end o% the list! +% an initial se9uence nu"*er is not speci%ied 'hen you
create an entry, nu"*ers 'ill auto"atically *e assi)ned 4startin) 'ith the nu"*er 105! &he auto,nu"*erin) then
incre"ents *y 10 %or each additional entry added!
e start *y de%inin) the list 'ith ip access-list e*tended name, 'here name is the descripti$e na"e used
to de%ine the access list! e %ollo' this line 'ith pe!"it and deny lines, as sho'n ne.t! &hey %ollo' si"ilar lo)ic to
nu"*ered e.tended access lists! &o "o$e to a re%le.i$e access list, all 'e ha$e to do is add the !e'lect (ey'ord to
the end, %ollo'ed *y a na"e %or the re%le.i$e access list:
!oute!(con'ig)&ip access-list e*tended out'ilte!
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 80 !e'lect "ypac0ets
!oute!(con'ig-i')&ip access-g!oup out'ilte! out
Notice the 'ay that the pro"pt chan)es a%ter enterin) the initial co""and, 'hich sho's that 'e are no' enterin)
speci%ic in%or"ation into the na"ed access list! +n the per"it line, 'e ha$e the !e'lect (ey'ord and the na"e o% the
re%le.i$e access list 'ith 'hich 'e 'ill *e (eepin) trac( o% our pac(et/s connection in%or"ation! 3% course, the last line
applies the list to the net'or( inter%ace, Gust li(e all pre$ious e.a"ples, *ut no' 'e do it *y na"e! Fou "i)ht re"e"*er
%ro" the e.planation o% re%le.i$e access lists that e$ery connection has a dyna"ically created access list! &hese
dyna"ic lists are created *ased on an access list li(e the one in the pre$ious e.a"ple! :o'e$er, 'e need a co"ponent
in the re$erse direction to e.a"ine the pac(ets 'hen they co"e *ac( in! &a(e a loo( at a sa"ple in*ound %ilter:
!oute!(con'ig)&ip access-list e*tended in'ilte!
!oute!(con'ig-e*t-nacl)&e1aluate "ypac0ets
!oute!(con'ig-i')&ip access-g!oup in'ilte! in
&his access list should loo( %a"iliar, e.cept %or the second line! &he e1aluate line chec(s the inco"in) pac(et %lo'
$ersus the re%le.i$e access list in%or"ation 4in this case, "ypac0ets5 to see i% it 'ill pass the test o% one o% its
dyna"ically created lists! e no' ha$e a co"plete re%le.i$e access list 'ith all its co"ponentsH
FTP Pro,lems #e%isited wit! t!e #e*le-i%e $ccess &ist
1ollo'in) is an e.a"ple o% a re%le.i$e "ode 1&- %ilter that *loc(s inco"in) 1&- tra%%ic *ut allo's out)oin) passi$e 1&-,
alon) 'ith any $alid &#- tra%%ic! &his is a popular use o% the re%le.i$e access listDto allo' anythin) out*ound and to
allo' return 4or response5 tra%%ic in*ound!
!oute!(con'ig)&ip access-list e*tended 'ilte!out
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it udp any any !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it ic"p any any !e'lect pac0ets
!oute!(con'ig)&ip access-list e*tended 'ilte!in
!oute!(con'ig-e*t-nacl)&e1aluate pac0ets
!oute!(con'ig-i')&ip access-g!oup 'ilte!in in
!oute!(con'ig-i')&ip access-g!oup 'ilte!out out
&he 'ilte!out on this list per"its all types o% tra%%ic out! 3nly &#- is necessary %or 1&-, *ut the others are added to
de"onstrate a popular con%i)uration selection used 'ith re%le.i$e access lists, as "entioned pre$iously! &he
'ilte!in e$aluates the return tra%%ic o% the pre$ious out*ound %ilter, and *y the i"plied 2deny all,2 it drops non,return
1&- tra%%ic 4and any other non,return tra%%ic5! &he last )roup sho's the application o% the 'ilte!in in*ound and
'ilte!out out*ound on the appropriate internal and e.ternal ports! 1ilter order isn/t an issue, as the e.a"ple
appears here! +t is possi*le to add other per"it and deny access lists into this %ilter, *ein) care%ul to ensure that nothin)
per"ittin) &#- port 21 tra%%ic co"es *e%ore the rule in 'ilte!in and that the e1aluate line ter"inates the list! &he
e1aluate line "ust al'ays ter"inate the list!
Fou can test the e%%ecti$eness o% this %ilter usin) a properly i"ple"ented -ASQ 1&- client! &his %ilter, thou)h the "ost
secure o% the 1&- options you ha$e seen so %ar, still only 'or(s 'ith -ASQ 1&-! &he only 'ay to securely allo'
standard 1&- out*ound throu)h a #isco router is *y usin) a part o% the #isco Secure +nte)rated So%t'are 4%or"erly the
1ire'all 1eature Set5 called contet-!ased access control (C"AC), 'hich inspects tra%%ic and 'atches %or in*ound
connections *ased on co""on *eha$iors o% (no'n protocols! &here%ore, i% you ha$e to do secured out*ound standard
1&- on a #isco router, consider the #isco Secure +nte)rated So%t'are!
#e*le-i%e $C&s wit! UDP and IC1P Tra**ic: Clearing U. DNS
Issues
3ne o% the )reatest ad$anta)es o% re%le.i$e A#Ls o$er e.tended A#Ls 'ith the esta%lished (ey'ord is that
re%le.i$e access lists can handle BD- and +#C- tra%%ic! 3ne place that this is help%ul is 'ith DNS tra%%ic!
As pre$iously "entioned, inco"in) BD- DNS return tra%%ic is an issue *ecause it can/t *e trac(ed *y the
esta%lished co""andE there%ore, a speci%ic access list "ust *e "ade to allo' DNS return tra%%ic! ith the re%le.i$e
access list, this is no lon)er necessary! Bsin) the sa"e access list used in the 21&- -ro*le"s Re$isited 'ith the
Re%le.i$e Access List2 section, DNS return tra%%ic is handled dyna"ically! Because the out)oin) connection is a'are o%
the ephe"eral port that the DNS re9uest is usin), the dyna"ically created A#L can re%lect 4pardon the pun5 that
in%or"ation, "a(in) a "uch "ore secure access control list!
Trou,le in Paradise: Pro,lems wit! #e*le-i%e $ccess &ists
Fes, Gust 'hen you thou)ht you had %ound the panacea o% pac(et %ilterin), the disclai"er co"es a*out! >$en re%le.i$e
access lists aren/t per%ect! :o'e$er, due to the dyna"ic nature *y 'hich they are created and deleted, they are "uch
"ore di%%icult to pass than other pac(et %ilters! 3ne reset pac(et is all that is re9uired to entirely re"o$e a re%le.i$ely
)enerated A#L!
Another issue 'ith re%le.i$e access lists is that they (eep no record o% &#- %la)s, so initial tra%%ic could %lo' in 'ithout an
alar" *ein) sounded! :o' %easi*le is thisO Loo( at the %ollo'in) e.a"ple:
pe!"it tcp host 100.100.100.1 eq 23 1+2.1-8.100.2 eq 10.2
&his is a dyna"ically )enerated re%le.i$e access list e.a"ple %ro" a pre$ious section! 1or so"eone to *e a*le to use
this access list as a conduit throu)h to your internal net'or(, the %ollo'in) 'ould ha$e to transpire:
1! So"eone 'ould ha$e to (no' that this access list e.ists!
2! &his access list 'ould ha$e to *e created *y an internal host contactin) an outside entity!
=! 3nly a host at 100!100!100!1 usin) port 2= could start a $ia*le co""unications channel throu)h this access
list!
6! &he only host that could *e contacted 'ould *e at address 172!1;8!100!2!
5! &he contacted host 'ould ha$e to *e listenin) on the ephe"eral port 10?2!
;! &he sendin) host 'ould ha$e to (no' e.actly 'hat sta)e o% co""unication the contacted host 'ould *e
e.pectin) to (eep it %ro" tearin) do'n the dyna"ic access list!
?! &his 'ould all ha$e to transpire *e%ore the )enerated access list 'as torn do'n!
+% so"eone is this in,tune 'ith your net'or( and security structure and you don/t ha$e the reconnaissance capa*ilities
to reco)ni@e that this person is 'atchin) you, you "i)ht *e $ulnera*le on "ore le$els than this one!
3ne thin) can 'al( ri)ht throu)h re%le.i$e access lists: out*ound tra%%ic! +% a $irus or &roGan is on the internal net'or(
and 'ants to contact a "alicious outside entity, the re%le.i$e access list 'ould let the tra%%ic out and the return tra%%ic
%ro" the con$ersation *ac( in! &he only 'ay to de%end a)ainst this 'ith pac(et %ilterin) is *y li"itin) out*ound access
'ith an access list li(e the %ollo'in) 4%or an e$en stron)er security stance, replace the second any 'ith your internal
net'or( nu"*er5:
!oute!(con'ig)&ip access-list e*tended 'ilte!out
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 21 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 22 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 23 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 2, !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq ,3 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 80 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 110 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 11+ !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq 1/3 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it tcp any any eq //3 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it udp any any eq ,3 !e'lect pac0ets
!oute!(con'ig-e*t-nacl)&pe!"it ic"p any any pac0et-too-%ig
!oute!(con'ig-e*t-nacl)&deny ip any any log-input
!oute!(con'ig)&ip access-list e*tended 'ilte!in
!oute!(con'ig-e*t-nacl)&e1aluate pac0ets
!oute!(con'ig-i')&ip access-g!oup 'ilte!in in
!oute!(con'ig-i')&ip access-g!oup 'ilte!out out
&his 'ay, controls e.ist %or the types o% tra%%ic lea$in) the net'or(! :o'e$er, i% the $irus or &roGan happens to use one o%
these popular tra%%ic types, you are Gust as $ulnera*le! &his is 'hy it is i"portant to deploy e.tra layers o% de%ense, such
as $irus chec(ers and host %ire'all de%enses! Despite the %act that re%le.i$e A#Ls can *e a "ore e%%ecti$e "eans to
de%end your net'or( usin) dyna"ically )enerated host and port access lists, they still ha$e the inherent li"itations o%
pac(et,%ilterin) technolo)y that need to *e considered *e%ore choosin) the" as your protection "ethod o% choice! &hey
also put "ore o% a *urden on your router than static A#Ls, so i"ple"ent the" 'ith caution!
1or t'o co"plete e.a"ples o% re%le.i$e access lists, re%er to Appendi. A, 2#isco Access List Sa"ple #on%i)urations!2
Cisco IP%2 $ccess &ists
ith the ad$ent o% +- $ersion ;, #isco access lists ha$e chan)ed! +-$; e.tended access list support started to *e
acco""odated %or in +3S $ersions 12!042=5S and 12!241=5& or later! -re$iously there 'ere li"ited +3S $ersions that
supported %eatures si"ilar to standard access list %unctionality %or +-$;, only allo'in) %ilterin) *ased on source
addressin)! &he +-$; e.tended access lists, thou)h si"ilar to their +-$6 predecessors, re9uire sli)htly di%%erent
co""ands! Because +-$; is not *ac('ard co"pati*le 'ith +-$6, ne' co""ands needed to *e created %or +-$;,related
%unctions!
Access lists are still created in con%i) "ode, *ut the process o% creatin) an +-$; access list is instead started 'ith the
%ollo'in) co""and:
5oute!(con'ig)&ip1- access-list name
:ere, name is so"e descripti$e na"e %or the +-$; access list! &his 'ill place you into +-$; access,list con%i)uration
"ode! &he pro"pt 'ill chan)e to loo( li(e this:
5oute!(con'ig-ip1--acl)&
No' per"it or deny access list state"ents can *e added! :ere is an e.a"ple o% a pe!"it state"ent %or this access
list:
5oute!(con'ig-ip1--acl)&pe!"it ip1- any A2%22A213222123//-/ log
+t %ollo's the sa"e %or"at as +-$6 e.tended access listsDpe!"it or deny, %ollo'ed *y protocol identi%ier! Supported
(ey'ords include ip1- %or layer = access lists usin) +-$; addressin), alon) 'ith protocol identi%iers ahp, esp, tcp,
udp, pcp, stcp, and ic"p! &his is %ollo'ed *y the source and destination address in +-$; %or"at, and the any and
host (ey'ords can still also *e used! &his $ersion o% access list can acco""odate the dou*le,colon a**re$iation, as
sho'n in the e.a"ple! 3ne "inor di%%erence in the source and destination address notation is the ne' 'ay the su*net
"as( is entered! +nstead o% listin) out the $alue o% the su*net "as(, as 'as co""only done 'ith +-$6, it is no' sho'n
as /*** 'here *** is so"e nu"*er *et'een 0 and 128! &his nu"*er represents the nu"*er o% *its in the su*net
"as(! &he entry can *e ended 'ith a trailin) (ey'ord! +t can *e any o% the trailin) (ey'ords used in +-$6, 'ith the
e.ception o% (ey'ords that only re%er to +-$6 %eatures 4tos and p!ecedence5! Also, there are se$eral ne' (ey'ords
to acco""odate +-$; %eatures! +-$; e.tension header in%or"ation can *e %iltered 'ith the 'lo6-la%el and
!outing (ey'ords! Also, the sequence (ey'ord allo's si"ilar %unctionality to the +-$6 na"ed access list %eature o%
the sa"e na"e! :o'e$er, in +-$; lists, the sequence (ey'ord is added a%ter the list instead o% at the *e)innin):
pe!"it tcp any any sequence ,
+-$; e.tended access lists also ha$e support %or re%le.i$e access list capa*ility 'ith the use o% the !e'lect (ey'ord!
&his %unctionality is identical to +-$6 re%le.i$e access lists!
+-$; access lists are displayed usin) the %ollo'in) co""and:
5oute!& sh ip1- access-list name
&he name option can *e le%t o%% to display all +-$; access lists!
As +-$; continues to *e "ore and "ore supported throu)hout the +nternet, understandin) +-$; access list %eatures 'ill
*eco"e a crucial part o% securin) your net'or( en$iron"ent!
Summary
&hrou)hout this chapter, 'e/$e discussed the "any 'ays that pac(et %ilterin) can *e used as a "eans to secure the
peri"eter! e discussed the positi$e and ne)ati$e points o% usin) a pac(et %ilter as the "eans to control tra%%ic %lo'
*ased on address and port, and the 'ea(nesses o% the pac(et,%ilterin) technolo)y! e also discussed the i"pro$e"ent
o% pac(et,%ilterin) technolo)y throu)h the use o% dyna"ic pac(et %ilters!
Despite 'ea(nesses in the pac(et %ilter/s capa*ility to trac( in%or"ation and understand 'hat it is trac(in), it still has
"any uses that can "a(e it a $alua*le part o% your peri"eter de%ense! 1ilters can *e utili@ed to screen out un'anted
tra%%ic at the peri"eter, to pre$ent possi*ly dan)erous tra%%ic %ro" lea$in) your net'or(, and e$en to tailor inco"in)
tra%%ic that is allo'ed!
-ac(et %ilters can *e used in conGunction 'ith other %ire'alls as a layer o% an intricate de%ense,in,depth posture or as a
standalone solution in lo'er,ris( areas or 'here *ud)ets are ti)ht! A%ter all, protection o% in%or"ation is a *alancin) act
*et'een the $alue o% the data and the cost to protect it!
-ac(et,%ilterin) technolo)y can *e a use%ul "eans to protect your net'or( as lon) as you i"ple"ent it 'ith due
consideration to its stren)ths and 'ea(nesses!
#e*erences
1! 2Access #ontrol Lists and +- 1ra)"ents!2 #isco Syste"s, +nc!
http:00'''!cisco!co"0'arp0pu*lic01050aclR'p!ht"l! Dece"*er 2001!
2! 2Access #ontrol Lists and +- 1ra)"ents!2 #isco Syste"s, +nc!
http:00'''!cisco!co"0'arp0pu*lic01050aclR'p!ht"l! Dece"*er 2001!
=! 1# 1858 2Security #onsiderations %or +- 1ra)"ent 1ilterin)!2 http:00'''!iet%!or)0r%c0r%c1858!t.t! 3cto*er 1775!
S 2005 -earson >ducation, +nc! +n%or"+&! All ri)hts reser$ed!
800 >ast 7;th Street +ndianapolis, +ndiana 6;260