
Is this ACL secure on the outside interface?

Suresh1986 (Level 1)

Hi All,

This is my first time on Cisco support. We have a number of customers that use Cisco 800 series routers as internet gateways/firewalls. I had to work on a few of them and found an ACL config that I believe to be insecure (see below). Just to be sure, I would like to ask an expert whether it is secure or not.

This ACL is applied to the outside interface facing the Internet.

Extended IP access list 103
    10 deny ip any host 255.255.255.255
    20 permit ip any any

Outside interface:
ip access-group 103 in

My concern is the second ACL statement, permit ip any any. I believe this was created to allow all the static NAT statements, but will this not make the router vulnerable to attacks? Would it be more secure to individually allow the necessary traffic through instead of allowing all traffic? See the more detailed config below.

interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/33
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 load-interval 30
 hold-queue 100 out
!
interface Vlan2
 description WLAN-GASTEN
 no ip address
!
interface Dialer0
 ip address 1.1.1.1 255.255.255.248
 ip access-group 103 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxx password xxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.23 1062 1.1.1.1 1062 extendable
ip nat inside source static tcp 192.168.1.5 25 1.1.1.2 25 extendable
ip nat inside source static tcp 192.168.1.5 110 1.1.1.2 110 extendable
ip nat inside source static tcp 192.168.1.2 442 1.1.1.2 442 extendable
ip nat inside source static tcp 192.168.1.5 443 1.1.1.2 443 extendable
ip nat inside source static tcp 192.168.1.6 444 1.1.1.2 444 extendable
ip nat inside source static tcp 192.168.1.5 987 1.1.1.2 987 extendable
ip nat inside source static tcp 192.168.1.5 1723 1.1.1.2 1723 extendable
ip nat inside source static tcp 192.168.1.5 3389 1.1.1.2 3389 extendable
ip nat inside source static tcp 192.168.1.14 80 1.1.1.3 80 extendable
ip nat inside source static tcp 192.168.1.14 443 1.1.1.3 443 extendable
ip nat inside source static tcp 192.168.1.14 3389 1.1.1.3 3389 extendable
!
access-list 1 permit any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 3.3.3.3 0.0.0.63
access-list 23 permit 4.4.4.4 0.0.0.31
access-list 23 permit 85.5.5.5 0.0.0.63
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark Traffic allowed to enter the router from Internet
access-list 103 deny   ip any host 255.255.255.255
access-list 103 permit ip any any
dialer-list 1 protocol ip permit
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password xxxxx
 login local
 transport input telnet ssh

Thanks in advance for any help.
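The question above is whether the published services could be permitted individually instead of `permit ip any any`. The following Python script is an added example, not part of the original post or of any Cisco tooling: it parses the `ip nat inside source static` lines from the configuration above (embedded here as sample input) and prints the explicit ACL that would replace ACL 103 on Dialer0. The ACL name OUTSIDE-IN and the choice of which ICMP types to admit are assumptions.

```python
"""Derive explicit inbound permits from IOS static NAT statements.

Added example, not part of the original post: it parses the
'ip nat inside source static' lines of the configuration above (embedded
here as sample input) and prints the named ACL that would replace
'access-list 103 permit ip any any' on the outside interface. The ACL name
OUTSIDE-IN is an assumption.
"""
import re
from collections import defaultdict

# Sample input: the NAT section of the posted configuration.
SAMPLE_CONFIG = """
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.23 1062 1.1.1.1 1062 extendable
ip nat inside source static tcp 192.168.1.5 25 1.1.1.2 25 extendable
ip nat inside source static tcp 192.168.1.5 110 1.1.1.2 110 extendable
ip nat inside source static tcp 192.168.1.2 442 1.1.1.2 442 extendable
ip nat inside source static tcp 192.168.1.5 443 1.1.1.2 443 extendable
ip nat inside source static tcp 192.168.1.6 444 1.1.1.2 444 extendable
ip nat inside source static tcp 192.168.1.5 987 1.1.1.2 987 extendable
ip nat inside source static tcp 192.168.1.5 1723 1.1.1.2 1723 extendable
ip nat inside source static tcp 192.168.1.5 3389 1.1.1.2 3389 extendable
ip nat inside source static tcp 192.168.1.14 80 1.1.1.3 80 extendable
ip nat inside source static tcp 192.168.1.14 443 1.1.1.3 443 extendable
ip nat inside source static tcp 192.168.1.14 3389 1.1.1.3 3389 extendable
"""

# 'ip nat inside source static <proto> <inside-ip> <inside-port> <global-ip> <global-port> ...'
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside>\S+) (?P<iport>\d+) (?P<outside>\S+) (?P<oport>\d+)"
)


def parse_static_nat(config):
    """Return published services as (proto, global_ip, global_port, inside_ip, inside_port)."""
    rules = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m:
            rules.append((m["proto"], m["outside"], int(m["oport"]), m["inside"], int(m["iport"])))
    return rules


def build_inbound_acl(rules, name="OUTSIDE-IN"):
    """One ACE per translation plus the minimum needed for sessions opened from inside."""
    acl = [f"ip access-list extended {name}",
           " remark Replies to sessions opened from inside. The ACL is stateless: established",
           " remark only checks ACK/RST bits and UDP replies need CBAC (ip inspect) or ZFW.",
           " permit tcp any any established",
           " permit icmp any any packet-too-big",
           " permit icmp any any time-exceeded",
           " remark Published services, one ACE per static NAT translation"]
    for proto, gip, gport, iip, iport in sorted(set(rules), key=lambda r: (r[1], r[2])):
        acl.append(f" remark {gip}:{gport} -> {iip}:{iport}")
        acl.append(f" permit {proto} any host {gip} eq {gport}")
    acl.append(" remark Everything else, including the router's own HTTP/Telnet/SSH, is dropped")
    acl.append(" deny ip any any")
    return acl


def exposure_summary(rules):
    """Ports published per public address, i.e. what any Internet host can reach."""
    by_ip = defaultdict(list)
    for proto, gip, gport, *_ in rules:
        by_ip[gip].append(f"{proto}/{gport}")
    return {ip: sorted(ports, key=lambda p: int(p.split("/")[1])) for ip, ports in by_ip.items()}


if __name__ == "__main__":
    rules = parse_static_nat(SAMPLE_CONFIG)
    for ip, ports in sorted(exposure_summary(rules).items()):
        print(f"{ip}: {', '.join(ports)}")
    print("\n".join(build_inbound_acl(rules)))
```

The summary makes the exposure explicit (RDP on 3389 and PPTP on 1723 published to any source, for instance), and the generated ACL ends in an explicit deny, so the router's own `ip http server` and vty listeners are no longer reachable from the Internet unless an ACE for the ACL 23 management hosts is added. Because an interface ACL is stateless, the `established` line only admits TCP segments with ACK or RST set and UDP replies such as DNS answers to inside hosts would still be dropped, so pair this with `ip inspect` (CBAC) or a ZFW policy before deploying it.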


14 Replies

Hi Bro

I understand what you're trying to say but it's OK to have the permit ip any any on the last line. After all, you can't be expected to have a list of 1000 lines of deny at the end of the day, am I right? If you ask me, this is not practical.

Cisco does have a couple of technologies that you could delve into, e.g. ZFW, IOS IPS, Control Plane Policing etc. However, what you could do right now is to ensure your Cisco Router is properly hardened based on Cisco's best practices http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml, and you should be alright.

P/S: If you think this comment is useful, please do rate them nicely.

Warm regards,
Ramraj Sivagnanam Sivajanam

Thank you for your answer. I will check the link you sent. Could you explain the following statement:

deny ip any host 255.255.255.255

I'm not quite sure what it actually does. Is it blocking all hosts?

Do you really need this statement? Would it be OK if it didn't have any ACL on the outside interface coming in? I know that NAT does not allow incoming connections unless they are initiated from the inside. Is using NAT and static NAT statements enough?

This particular ACE is blocking broadcast traffic, that is, traffic sent to the all-ones address 255.255.255.255. I am not sure why this would be blocked since the router will not forward it anyway.

The broadcast will reach the router and the router will drop the traffic, but this ACL entry only causes the router to drop it anyway.

Is there a reason that it should be used?

Suresh1986 (Level 1)

From the answers that I received, I concluded that the ACL config is secure. Is this correct?

From the answers that I received, I concluded that the ACL config is secure. Is this correct?

I wouldn't say it that way. The ACL is highly insecure as it allows any traffic to enter your router. You just move the security to NAT, which helps you in this case, but still it's not a secure practice.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I understand that, but I just wanted to make sure it isn't completely insecure. Thank you all for your help. I really appreciate it.

But keep in mind that there are some dependencies. Your router, for example, is open to the internet for incoming HTTP. And then just remember the IOS bug where an unauthenticated user was able to configure the router through HTTP. If a similar bug is discovered in the future, you are vulnerable.

That's not at all the needed form of due diligence. Nevertheless, it's very often observed.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Will keep that in mind Karsten, thanks.

Hi Bro

Just to share with you, this is how I would normally harden my Cisco Router's WAN Interface.

!
interface FastEthernet0/0
 description ### Link to Internet ###
 ip address 202.188.139.228 255.255.255.248
 ip access-group NETWORK-ATTACKS in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip mroute-cache
 load-interval 30
 duplex full
 speed 100
 no cdp enable
 hold-queue 50 in
!
ip access-list extended NETWORK-ATTACKS
 deny   ip any any fragments
 deny   ip any any option any-options
 remark --- Smurf Attack ACL ----
 deny   icmp any host 8.67.0.255 echo log
 deny   icmp any host 255.255.255.255 echo log
 deny   udp any host 8.67.0.255 eq echo log
 deny   udp any host 255.255.255.255 eq echo log
 deny   icmp any any redirect log
 deny   ip 224.0.0.0 31.255.255.255 any log
 deny   ip host 0.0.0.0 any log
 remark --- RFC 3330 ACL ----
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 14.0.0.0 0.255.255.255 any log
 deny   ip 24.0.0.0 0.255.255.255 any log
 deny   ip 39.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 128.0.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.0.255.255 any log
 deny   ip 191.255.0.0 0.0.255.255 any log
 deny   ip 192.0.0.0 0.0.0.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 198.18.0.0 0.0.255.255 any log
 deny   ip 223.255.255.0 0.0.0.255 any log
 deny   ip 224.0.0.0 0.0.0.255 any log
 deny   ip 240.0.0.0 0.0.0.255 any log
 remark --- Permit All ----
 permit ip any any
!

P/S: If you think this comment is useful, please do rate them nicely and select the option THIS QUESTION IS ANSWERED, so that the others could learn from you too...

Warm regards,
Ramraj Sivagnanam Sivajanam

Thanks. This information is very helpful.

Hi Ramraj,

your baseline ACL has some flaws and should be changed (some wrong masks, RFC 3330 obsolete, removed bogons etc.). A cleaned-up version could look like the following. I also removed the smurf stuff as it is not relevant in IOS anymore.

ip access-list extended PERIMETER-IN
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 100.64.0.0 0.63.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  deny   ip YOUR-OWN-NETWORK any
  permit ...

And you don't need the "log" parameter as the source is spoofed anyway when you get a match.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
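The mask errors, obsolete RFC 3330 entries and redundant lines that Karsten points out can be checked mechanically instead of by eye. The following Python script is an added example, not from the thread or from Cisco: it converts each `deny ip <addr> <wildcard> any` entry to the prefix it actually matches and compares it with the current IANA special-purpose ranges (RFC 6890 and later registry updates, which the script's SPECIAL_PURPOSE list is assumed to reproduce correctly). Both ACLs from the two posts above are embedded as sample input.

```python
"""Audit 'deny ip <src> any' entries of an IOS anti-spoofing ACL.

Added example, not from the thread: each wildcard is converted to the prefix it
really matches and compared with the IANA special-purpose ranges (RFC 6890 and
successors) to report wrong masks, obsolete RFC 3330 entries, shadowed entries
and missing prefixes. The two sample ACLs are copied from the posts above.
"""
import ipaddress
import re

# Source ranges a perimeter ACL should drop today (RFC 1122/1918/6598/3927/6890/
# 5737/2544/5771/1112); 240.0.0.0/4 includes the limited broadcast 255.255.255.255.
SPECIAL_PURPOSE = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# 'deny ip <addr> <wildcard> any ...' or 'deny ip host <addr> any ...'
ACE = re.compile(r"^\s*deny\s+ip\s+(?:host\s+(?P<host>\S+)|(?P<addr>\S+)\s+(?P<wild>\S+))\s+any\b")

RAMRAJ_ACL = """
deny   ip 224.0.0.0 31.255.255.255 any log
deny   ip host 0.0.0.0 any log
deny   ip 10.0.0.0 0.255.255.255 any log
deny   ip 14.0.0.0 0.255.255.255 any log
deny   ip 24.0.0.0 0.255.255.255 any log
deny   ip 39.0.0.0 0.255.255.255 any log
deny   ip 127.0.0.0 0.255.255.255 any log
deny   ip 128.0.0.0 0.0.255.255 any log
deny   ip 169.254.0.0 0.0.255.255 any log
deny   ip 172.16.0.0 0.0.255.255 any log
deny   ip 191.255.0.0 0.0.255.255 any log
deny   ip 192.0.0.0 0.0.0.255 any log
deny   ip 192.0.2.0 0.0.0.255 any log
deny   ip 192.168.0.0 0.0.255.255 any log
deny   ip 198.18.0.0 0.0.255.255 any log
deny   ip 223.255.255.0 0.0.0.255 any log
deny   ip 224.0.0.0 0.0.0.255 any log
deny   ip 240.0.0.0 0.0.0.255 any log
"""
KARSTEN_ACL = """
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 100.64.0.0 0.63.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.0.0 0.0.0.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 198.18.0.0 0.1.255.255 any
deny   ip 198.51.100.0 0.0.0.255 any
deny   ip 203.0.113.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
"""


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard -> prefix. Wildcard 1-bits are 'don't care', so
    0.0.0.0 is a single host and 255.255.255.255 is any (reverse of a mask)."""
    a, w = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # don't-care bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length()))


def parse_source_denies(acl_text):
    """Networks matched by each 'deny ip <src> any' ACE, in ACL order."""
    nets = []
    for m in filter(None, map(ACE.match, acl_text.splitlines())):
        src = (m["host"], "0.0.0.0") if m["host"] else (m["addr"], m["wild"])
        nets.append(wildcard_to_network(*src))
    return nets


def audit(acl_text):
    """Return (findings, missing): a verdict per matched prefix, and the
    special-purpose prefixes that no ACE fully covers."""
    findings, covered, seen = {}, set(), []
    for net in parse_source_denies(acl_text):
        shadow = [s for s in seen if net.subnet_of(s)]
        inside = [i for i in SPECIAL_PURPOSE if net.subnet_of(i)]
        contains = [i for i in SPECIAL_PURPOSE if i.subnet_of(net)]
        if shadow:
            verdict = f"redundant: already covered by earlier {shadow[0]}"
        elif net in SPECIAL_PURPOSE:
            verdict = "ok"
        elif inside:
            verdict = f"too narrow: only part of {inside[0]}"
        elif contains:
            verdict = "covers " + ", ".join(map(str, contains))
        else:
            verdict = "not special-purpose: obsolete RFC 3330 entry or allocated space"
        covered.update(contains)
        seen.append(net)
        findings[str(net)] = verdict
    return findings, [str(i) for i in SPECIAL_PURPOSE if i not in covered]


if __name__ == "__main__":
    for label, acl in (("NETWORK-ATTACKS", RAMRAJ_ACL), ("PERIMETER-IN", KARSTEN_ACL)):
        findings, missing = audit(acl)
        print(f"== {label} ==", *(f"{k:20} {v}" for k, v in findings.items()), sep="\n")
        print("not fully covered:", ", ".join(missing) or "none")
```

Run against NETWORK-ATTACKS the audit reports 172.16.0.0 0.0.255.255 and 198.18.0.0 0.0.255.255 as too narrow (a /16 where a /12 and a /15 were meant), the 14/8, 24/8, 39/8, 128.0.0.0/16, 191.255.0.0/16 and 223.255.255.0/24 lines as no longer special-purpose, the final 224.0.0.0 and 240.0.0.0 /24 entries as shadowed by the earlier 224.0.0.0 31.255.255.255, and 100.64.0.0/10 plus the two newer TEST-NETs as missing; PERIMETER-IN passes with nothing missing. The check is deliberately narrow: it only looks at source-based `deny ip ... any` entries, rejects non-contiguous wildcards rather than interpreting them, and says nothing about the fragments, options or ICMP lines.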

Thank you bro karsten.iwen for the advice. I'm learning new things every day. Much appreciated :-) I guess that's why you have a silver star, and I only have a brown star :-(

Warm regards,
Ramraj Sivagnanam Sivajanam

Come on, your star is not brown, it's bronze ... ;-) And I assume it will be silver soon!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
