topic Re: What DOESN'T 'permit IP any any' allow? in Network Security

What DOESN'T 'permit IP any any' allow?

mprescher — Mon, 11 Mar 2019 12:58:31 GMT

A service provider customer wants to install a pair of fail-over multi-context firewalls in the least disruptive configuration (permit ip any any, inbound and outbound). Over time and according to a multi-phased plan, they will tighten the filtering, filtering that can impact many different customers.

The question is, what protocols won't pass a typical perimeter firewall with permit IP any any in place. I'm thinking of things like ESP. Any other common ones to consider?

Comments welcome.

Re: What DOESN'T 'permit IP any any' allow?

Farrukh Haroon — Thu, 12 Jun 2008 14:16:51 GMT

If you have permit ip any any on both interfaces , you make the firewall a fire-router. But having said that, they really have to be careful about the inspections/fixup/ALGs performed by most commercial firewalls now. So try to run a pilot version and try to test these inspected protocols e.g. FTP, TFTP, H.323, SIP, MGCP etc. These fixups end of breaking a lot of legitimate connections. For example a Polycom product would not work with the H.323 inspection of the ASA, a Nortel phone would not work with the SIP inspection enabled etc.

Regards

Farrukh

Re: What DOESN'T 'permit IP any any' allow?

mprescher — Thu, 12 Jun 2008 15:26:16 GMT

Good answers. Thanks.

Are you aware of any routing protocols that do some communicating not covered by IP?

Best regards,

Re: What DOESN'T 'permit IP any any' allow?

Farrukh Haroon — Thu, 12 Jun 2008 15:28:58 GMT

Alexander, can you please elucidate this question a little more:

"routing protocols that do some communicating not covered by IP"

Regards

Farrukh

Re: What DOESN'T 'permit IP any any' allow?

mprescher — Thu, 12 Jun 2008 15:32:47 GMT

I had some other responses from other information sources eluding to this. I'm going to guess this could perhaps be something like non-IP routing protocol security (not IPSec) used for peer validation for table exchanges or perhaps some updates.

Re: What DOESN'T 'permit IP any any' allow?

Farrukh Haroon — Thu, 12 Jun 2008 15:39:00 GMT

Perhaps the old NON-IP routing protocols, things related to IPX etc.?

Regards

Farrukh

Re: What DOESN'T 'permit IP any any' allow?

mprescher — Thu, 12 Jun 2008 15:47:26 GMT

Ah, yeah I suppose that's what the reference was about - that won't be an issue in my customer's case (and hopefully not for anyone else, at least on perimeter firewalls ;-}

Thanks for the responses.

Re: What DOESN'T 'permit IP any any' allow?

Richard Burts — Thu, 12 Jun 2008 15:57:03 GMT

Mike

The other protocol that fits the description of having its update traffic not carried in IP would be ISIS which sends its updates using CLNP (rather than IP).

HTH

Rick

Re: What DOESN'T 'permit IP any any' allow?

mprescher — Thu, 12 Jun 2008 16:09:15 GMT

Sweet! Good one.

Re: What DOESN'T 'permit IP any any' allow?

srue — Thu, 12 Jun 2008 16:48:24 GMT

this is from the documentation with what can go in the 'protocol' portion of the ACL:

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

......

so anything that is not IP/tcp/udp, you must explicitly specifiy.

this is for IOS, btw, not PIX/ASA. the ICMP part above doesn't apply to pix/asa.

....

you can use the protocol numbers or names in asa/pix:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ports.html#wpxref39421