11-22-2001 07:26 AM - edited 02-20-2020 09:16 PM
Anyone got a good example of an access list that will block all (or the required) ports in order to make a Cisco router look invisible to an ISP (i.e. for dialup)?
I.e. block / hide ports and the connected router.
Any help would be great.
11-25-2001 01:26 AM
For anyone who's interested, the following access list will secure a perimeter router in accordance with the SANS Institute.
The access list is to be applied to the interface facing the ISP and applied as an inbound filter.
For those interested, here is the SANS Institute link:
http://www.sans.org/infosecFAQ/firewall/router.htm
access-list 101 deny tcp any any eq ftp-data
access-list 101 deny tcp any any eq ftp
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any eq 37
access-list 101 deny udp any any eq time
access-list 101 deny tcp any any eq domain
access-list 101 deny udp any any eq domain
access-list 101 deny udp any any eq bootps
access-list 101 deny udp any any eq bootpc
access-list 101 deny tcp any any eq finger
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq pop2
access-list 101 deny tcp any any eq pop3
access-list 101 deny tcp any any eq ident
access-list 101 deny tcp any any eq nntp
access-list 101 deny udp any any eq ntp
access-list 101 deny tcp any any eq 135
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 143
access-list 101 deny tcp any any eq 161
access-list 101 deny udp any any eq snmp
access-list 101 deny tcp any any eq 162
access-list 101 deny udp any any eq snmptrap
access-list 101 deny tcp any any eq 443
access-list 101 deny udp any any eq 443
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny icmp any any timestamp-request
access-list 101 permit ip any any
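An added example, not part of the thread and not Cisco's own code: a small Python evaluator for IOS extended ACL lines written in the syntax of the post above, so that the effect of the inbound filter can be checked offline before it is applied to the ISP-facing interface. It understands only the forms the post uses (`any` or `host` addresses, `eq <port>` on the destination for tcp/udp, an ICMP type keyword) and applies first-match semantics with the implicit deny at the end. The port and ICMP keyword tables, the ACL excerpt, the probe list and the documentation-range addresses are all constructed for the example.

```python
"""Added example (not from the thread): evaluate an IOS extended ACL offline.

Parses `access-list <n> ...` lines in the forms used in the post (src/dst
`any` or `host A.B.C.D`, optional `eq <port>` for tcp/udp, optional ICMP type
keyword) and applies first-match semantics plus the implicit trailing deny.
The keyword tables are constructed from the standard IANA assignments.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {  # IOS service keywords used in the post
    "ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "time": 37,
    "domain": 53, "bootps": 67, "bootpc": 68, "finger": 79, "www": 80,
    "pop2": 109, "pop3": 110, "ident": 113, "nntp": 119, "ntp": 123,
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
    "snmp": 161, "snmptrap": 162,
}
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "timestamp-request": 13, "timestamp-reply": 14}


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: Optional[str]               # None means "any", else a host address
    dst: Optional[str]
    dst_port: Optional[int] = None   # tcp/udp `eq <port>` on the destination
    icmp_type: Optional[int] = None  # ICMP type keyword


def _addr(t, i):
    """Parse `any` or `host A.B.C.D` at t[i]; return (address or None, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # blank lines, comments, anything that is not an ACE
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rule = Rule(action=t[2], proto=t[3], src=src, dst=dst)
        if i < len(t):
            if t[i] == "eq" and rule.proto in ("tcp", "udp"):
                p = t[i + 1]
                rule.dst_port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
            elif rule.proto == "icmp":
                rule.icmp_type = ICMP_TYPES[t[i]]
        rules.append(rule)
    return rules


def evaluate(rules, proto, src, dst, dst_port=None, icmp_type=None):
    """Return (action, index) of the first matching ACE; no match means the
    implicit deny at the end of the list, reported as ("deny", None)."""
    for idx, r in enumerate(rules):
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src is not None and r.src != src:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action, idx
    return "deny", None


# Constructed excerpt of the list in the post, in the same syntax.
SAMPLE_ACL = """\
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 101 deny udp any any eq snmp
access-list 101 deny tcp any any eq 161
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny icmp any any timestamp-request
access-list 101 permit ip any any
"""

# Constructed probes (label, proto, dst_port, icmp_type) from an outside host
# to the router's ISP-facing address; both addresses are documentation ranges.
PROBES = [("ssh", "tcp", 22, None), ("telnet", "tcp", 23, None),
          ("snmp/udp", "udp", 161, None), ("snmp/tcp", "tcp", 161, None),
          ("icmp timestamp", "icmp", None, 13), ("icmp echo", "icmp", None, 8),
          ("tcp/8080", "tcp", 8080, None)]


def probe_report(rules, probes=PROBES, src="203.0.113.5", dst="198.51.100.1"):
    """Map each probe label to the action the filter takes on it."""
    return {label: evaluate(rules, proto, src, dst, port, itype)[0]
            for label, proto, port, itype in probes}


if __name__ == "__main__":
    for label, action in probe_report(parse_acl(SAMPLE_ACL)).items():
        print(f"{label:15} {action}")
```

Running it against the excerpt shows the shape of the list: the named services are denied, but because the last entry is `permit ip any any`, anything not explicitly named (ICMP echo and TCP port 8080 in the probes) still reaches the router and the implicit deny is never consulted. The posted list is therefore a deny-list of known services rather than an allow-list of what the router should accept, which is worth knowing before relying on it to make a router "invisible".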
12-06-2001 12:46 PM
I've spent a decent amount of time hardening Cisco routers and switches and I have never been able to fool nmap. Even when the router/switch is locked down as much as possible, nmap will fingerprint it every time. All I do is not answer pings, which probably gets most script kiddies off my back.