IOS access-lists for security

jgunning
Level 1

Some sample access-lists that I have seen show an output like the one below. My question ... is it necessary to have the deny for tcp and udp specific port numbers? It is my understanding that the implicit deny at the end will block these. The specific ports I speak about are known ports which have been used for various attacks on networks.

Deny rfc 1918 addresses log

Deny reserved/multicast/broadcast addresses log

Permit tcp any to trusted LAN if established

Permit tcp any eq 20 to trusted LAN if greater than 1023 log

Deny tcp any any eq port # log

Deny tcp any any range of port # log

Deny udp any any eq port # log

Deny udp any any range of port # log

Permit udp any eq 53 to trusted LAN if greater than 1023 log

Deny tcp any range 0 65535 any range 0 65535 log

Deny udp any range 0 65535 any range 0 65535 log

Deny ip any any log

Will this config achieve the same secure results??

Deny rfc 1918 addresses log

Deny reserved/multicast/broadcast addresses log

Permit tcp any to trusted LAN if established log

Permit tcp any eq 20 to trusted LAN if greater than 1023 log

Permit udp any eq 53 to trusted LAN if greater than 1023 log

Deny tcp any range 0 65535 any range 0 65535 log

Deny udp any range 0 65535 any range 0 65535 log

Deny ip any any log

2 Replies

edadios
Cisco Employee

You are correct, there is always an explicit deny on the end. Whatever has not been listed on the permit is denied.

The samples you see are more for illustration.

Regards,

Thank you for confirming my understanding on this. With some of these configs it did appear pointless to deny specific ports and yet have the 'catch all' deny at the end. O.k. there may be a situation where you need specific denies, but generally speaking it appears to me that if you intend to 'deny most', then an access-list should consist of permits for your actual requirements and let everything else be caught by the deny rule.

Thanks again.
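As an added example that is not from this thread, here is a small first-match evaluator for the two lists in the question (the trusted LAN range, the "known" port numbers and the sample packets are all constructed, and the `eq port #` lines are read as destination ports). It shows the two lists agree on every sample packet, and also the one thing to check before trimming specific denies: a specific deny that sits above a permit it overlaps (here a UDP port above 1023 placed ahead of the `permit udp any eq 53 ... gt 1023` line) changes the verdict, so the short list is only equivalent when no specific deny precedes a permit it intersects.

```python
from ipaddress import ip_address, ip_network
from collections import namedtuple

# Assumed addresses for the example: the "trusted LAN" is a documentation range.
TRUSTED_LAN = ip_network("192.0.2.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "proto src sport dst dport established", defaults=(False,))  # established = TCP ACK/RST set

# Match predicates for the lines in the question; "gt 1023" means destination port above 1023.
def deny_rfc1918(p): return any(ip_address(p.src) in n for n in RFC1918)
def tcp_established(p): return p.proto == "tcp" and p.established and ip_address(p.dst) in TRUSTED_LAN
def ftp_data(p): return p.proto == "tcp" and p.sport == 20 and p.dport > 1023 and ip_address(p.dst) in TRUSTED_LAN
def dns_reply(p): return p.proto == "udp" and p.sport == 53 and p.dport > 1023 and ip_address(p.dst) in TRUSTED_LAN
def port_deny(proto, ports): return lambda p: p.proto == proto and p.dport in ports

def evaluate(acl, pkt):
    """Cisco ACL semantics: the first matching line wins; no match means the implicit deny."""
    for action, match in acl:
        if match(pkt):
            return action
    return "deny"

def build_acls(denied_udp_ports):
    """Return (long, short): the question's two lists, with the UDP port denies parameterised."""
    long_acl = [("deny", deny_rfc1918), ("permit", tcp_established), ("permit", ftp_data),
                ("deny", port_deny("tcp", {135, 139, 445})),   # constructed "known" TCP ports
                ("deny", port_deny("udp", denied_udp_ports)),
                ("permit", dns_reply)]
    short_acl = [("deny", deny_rfc1918), ("permit", tcp_established),
                 ("permit", ftp_data), ("permit", dns_reply)]
    return long_acl, short_acl   # the trailing deny tcp/udp/ip lines only restate the implicit deny

def first_difference(denied_udp_ports, packets):
    """Return the first packet the two lists judge differently, or None if they agree on the set."""
    long_acl, short_acl = build_acls(denied_udp_ports)
    for p in packets:
        if evaluate(long_acl, p) != evaluate(short_acl, p):
            return p
    return None

# Constructed sample traffic arriving at the trusted LAN.
SAMPLE = [
    Packet("tcp", "198.51.100.7", 445, "192.0.2.10", 445),          # unsolicited SYN to a denied port
    Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40000, True),   # return traffic of a web session
    Packet("tcp", "10.1.1.1", 20, "192.0.2.10", 40001),             # spoofed RFC 1918 source
    Packet("udp", "198.51.100.53", 53, "192.0.2.10", 2000),         # DNS reply to a high port
    Packet("icmp", "198.51.100.7", 0, "192.0.2.10", 0),
]
```

With the denied UDP ports all below 1024 the two lists give identical verdicts; add 2000 to that set and the DNS reply to port 2000 is denied by the long list but permitted by the short one.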