NTP & SNMP Traffic

zekebashi
Level 4

Hello,

This should be a simple question. I am trying to create an extended ACL to deny NTP and SNMP traffic inbound (coming from the outside/Public to the inside/Private). There is an existing extended ACL, which denies several IP blocks (deny ip 0.0.0.0 0.255.255.255 any log-input, deny ip 10.0.0.0 0.255.255.255 any log-input, deny ip 1deny ip 127.0.0.0 0.255.255.255 any log-input, ....etc). However, our pen test came back showing that NTP and SNMP traffic to some addresses (public IP addresses assigned to some internal services) were accessible.

Would creating an extended ACL denying NTP and SNMP ports do the trick?

Thanks in advance.

~zK


4 Replies

chrihussey
VIP Alumni

Yes that would be one possible solution.

There are multiple ways to skin a cat. If you know the ports on the internal servers that should be accessible from the Internet, you could allow just those and deny all else too.

In the end it all depends on what's easier to manage.

Regards

Thanks!

I need to allow just some NTP servers to access the edge router (3 specific IP addresses). The router is an ASR1001-X. I was thinking about creating a simple extended ACL to permit only those public NTP servers through UDP port 123 and deny/block any other UDP 123 traffic ingress. Is this the correct way of creating the ACL?

ip access-list extended ALLOW_NTP_IN
    permit udp host a.a.a.a host y.y.y.y eq ntp
    permit udp host b.b.b.b host y.y.y.y eq ntp
    permit udp host c.c.c.c host y.y.y.y eq ntp
    deny   udp any host y.y.y.y eq ntp
    permit ip any any

interface e0/1
    ip access-group ALLOW_NTP_IN in

Thanks, ~zK

Assuming the e0/1 interface is the one connecting to the internet, the a, b & c hosts are the internet NTP servers and y.y.y.y is the router, I believe it should look like:

!
!
ip access-list extended ALLOW_NTP_IN

! #### Allow NTP from the internet time servers (source port NTP)
    permit udp host a.a.a.a eq ntp host y.y.y.y
    permit udp host b.b.b.b eq ntp host y.y.y.y
    permit udp host c.c.c.c eq ntp host y.y.y.y

! #### Deny all other NTP from internet
    deny udp any eq ntp any

! #### Deny anything to NTP (addresses the pen test findings)
    deny udp any any eq ntp

! #### Permit all else
    permit ip any any
!
!
interface e0/1
    ip access-group ALLOW_NTP_IN in
!
!

This is because the internet NTP servers should be responding to NTP requests, so the source port from them would be 123 (NTP); then block any other packets coming in with source port NTP, then deny anything with destination port NTP to address the penetration test findings, then allow everything else.

Hope that makes sense and works for you.

Regards
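The two ACLs in this thread (zK's draft and the accepted version) differ in where the `eq ntp` qualifier sits and in whether the final deny is scoped to the router or to any destination, and the easiest way to see the difference is to evaluate both against the same packets before touching the router. The Python below is an added example, not code from the original posts or from Cisco: it parses the subset of IOS extended-ACL syntax used here, applies first-match evaluation with the implicit deny, and runs a handful of constructed packets through both lists, including the pen-test case of NTP sent to a public address of an internal service. The addresses are assumptions mapped onto documentation ranges (y.y.y.y becomes 192.0.2.1, the three time servers 198.51.100.10-12, an internal service's public IP 192.0.2.50, an arbitrary internet host 203.0.113.5).

```python
"""Offline first-match simulation of the two IOS extended ACLs in this thread.

Constructed example: the thread's placeholder addresses are mapped onto
documentation ranges so that the ACEs can be parsed and evaluated.
  y.y.y.y (edge router)                 -> 192.0.2.1
  a.a.a.a / b.b.b.b / c.c.c.c (servers) -> 198.51.100.10 / .11 / .12
  public IP of an internal service      -> 192.0.2.50  (the pen-test finding)
  arbitrary internet host               -> 203.0.113.5
"""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ntp": 123, "snmp": 161, "snmptrap": 162, "domain": 53}
PROTO_NUMBERS = {"ip": None, "udp": 17, "tcp": 6}  # None = any IP protocol
UDP, TCP = 17, 6


@dataclass
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _addr(tokens):
    """Consume 'any' | 'host X' | 'X WILDCARD'; return (address, care-mask, rest)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0xFFFFFFFF, tokens[2:]
    # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care
    return _to_int(tokens[0]), ~_to_int(tokens[1]) & 0xFFFFFFFF, tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' (name or number); return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one 'permit|deny PROTO SRC [eq P] DST [eq P]' access-control entry."""
    tokens = line.split()
    action, proto = tokens[0], PROTO_NUMBERS[tokens[1]]
    src, smask, rest = _addr(tokens[2:])
    sport, rest = _port(rest)
    dst, dmask, rest = _addr(rest)
    dport, _ = _port(rest)
    return dict(action=action, proto=proto, src=src, smask=smask, sport=sport,
                dst=dst, dmask=dmask, dport=dport)


def parse_acl(text):
    """Parse the ACE lines of a named extended ACL; comments and the header are skipped."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith(("!", "ip access-list"))]


def ace_matches(ace, pkt):
    if ace["proto"] is not None and ace["proto"] != pkt.proto:
        return False
    if (_to_int(pkt.src) & ace["smask"]) != (ace["src"] & ace["smask"]):
        return False
    if (_to_int(pkt.dst) & ace["dmask"]) != (ace["dst"] & ace["dmask"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(aces, pkt):
    """IOS semantics: the first matching ACE wins; no match means the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# zK's draft: the deny is scoped to the router address only.
DRAFT_ACL = """
ip access-list extended ALLOW_NTP_IN
 permit udp host 198.51.100.10 host 192.0.2.1 eq ntp
 permit udp host 198.51.100.11 host 192.0.2.1 eq ntp
 permit udp host 198.51.100.12 host 192.0.2.1 eq ntp
 deny   udp any host 192.0.2.1 eq ntp
 permit ip any any
"""

# Accepted version: match on source port from the servers, then deny NTP in both directions.
ACCEPTED_ACL = """
ip access-list extended ALLOW_NTP_IN
 permit udp host 198.51.100.10 eq ntp host 192.0.2.1
 permit udp host 198.51.100.11 eq ntp host 192.0.2.1
 permit udp host 198.51.100.12 eq ntp host 192.0.2.1
 deny   udp any eq ntp any
 deny   udp any any eq ntp
 permit ip any any
"""

# Constructed inbound packets as they would be seen on e0/1.
SAMPLES = {
    "reply_from_allowed_server":     Packet(UDP, "198.51.100.10", 123, "192.0.2.1", 123),
    "ntp_to_router_from_elsewhere":  Packet(UDP, "203.0.113.5", 123, "192.0.2.1", 123),
    "pentest_ntp_to_public_service": Packet(UDP, "203.0.113.5", 40000, "192.0.2.50", 123),
    "https_to_public_service":       Packet(TCP, "203.0.113.5", 40001, "192.0.2.50", 443),
    "udp_source_port_123_to_dns":    Packet(UDP, "203.0.113.5", 123, "192.0.2.50", 53),
}


def compare():
    """Return {sample name: (draft verdict, accepted verdict)}."""
    draft, accepted = parse_acl(DRAFT_ACL), parse_acl(ACCEPTED_ACL)
    return {name: (evaluate(draft, p), evaluate(accepted, p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (d, a) in compare().items():
        print(f"{name:32s} draft={d:6s} accepted={a}")
```

Running it shows the pen-test packet (UDP 123 to 192.0.2.50) falling through to `permit ip any any` under the draft but hitting `deny udp any any eq ntp` under the accepted list, which is exactly the gap the original finding described. The last sample is the caveat to check before deploying: `deny udp any eq ntp any` drops any inbound UDP datagram whose source port happens to be 123 regardless of its destination, so any service you expect to receive such traffic should be added as a permit above it. The parser only handles `any`, `host`, wildcard pairs and `eq`; ranges, `established` and `log` keywords are outside what this thread uses.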

@chrihussey, thank you, sir!

Yes, you're correct in your assumption.

That makes total sense.

Thanks again.

Best, ~zK