858 Views | 0 Helpful | 4 Replies

Filtering Unwanted Traffic

fmatrine
Level 1

Dear All,

We have a datacenter network with a central site and multiple remote sites. The central site hosts the servers, which are accessed from the internet as well as from the intranet. Our branches are connected to the central site over channelized E1 at the central site.

We want to secure/filter unwanted traffic on our internet router as well as on the branch router.

Note:- We have not configured any access-list on the central router, since we are filtering the unwanted traffic at the branch itself.... Will this do?

Subnets are:-

Internet Segment:- 210.210.210.176 255.255.255.248

Branch Site Segment:- 192.168.16.0

Central Site Segment:- 192.168.17.0

Branch Router:- Config.

interface FastEthernet1/0
 ip address 192.168.16.1 255.255.255.0
 no ip directed-broadcast
 ip access-group filterZ in
!
interface Serial2/0
 backup interface BRI3/0
 backup always
 ip address 172.16.1.46 255.255.255.252
 no ip directed-broadcast
 ip access-group filterX in
 bandwidth 128
!
interface BRI3/0
 ip address 172.18.1.46 255.255.255.252
 no ip directed-broadcast
 ip access-group filterY in
 ppp authentication chap
 ppp multilink
 dialer string 22489100
 dialer remote-name core2
 dialer-group 1
!
! ACL entries take wildcard masks (0 bit = must match, 1 bit = don't care), not subnet masks;
! "host" is shorthand for the 0.0.0.0 wildcard.
ip access-list extended filterX
 remark We want to allow only http traffic from branch network to server 192.168.17.27
 permit tcp host 192.168.17.27 eq www 192.168.16.0 0.0.0.255
!
ip access-list extended filterY
 remark We want to allow only http traffic from branch network to server 192.168.17.27
 permit udp host 192.168.17.27 eq www 192.168.16.0 0.0.0.255
!
ip access-list extended filterZ
 permit icmp any host 192.168.16.1
 permit icmp any 192.168.17.0 0.0.0.255
 deny icmp any any
 remark an implicit "deny ip any any" follows the last entry

Internet Router :- Config

interface FastEthernet1/0
 ip address 210.210.210.177 255.255.255.248
 no ip directed-broadcast
!
interface Serial2/0
 ip unnumbered FastEthernet1/0
 no ip directed-broadcast
 ip access-group filterT in
 bandwidth 512
!
ip route 0.0.0.0 0.0.0.0 Serial2/0
!
! Wildcard masks again: 0.0.0.7 covers the /29 internet segment.
ip access-list extended filterT
 permit tcp any eq www 210.210.210.176 0.0.0.7
 permit udp any 210.210.210.176 0.0.0.7
 permit tcp any host 210.210.210.180 eq www
 permit tcp any 210.210.210.176 0.0.0.7 gt 1023 established
 deny ip host 0.0.0.0 any log
 deny ip 192.168.249.0 0.0.0.255 any log
 deny ip 210.210.210.176 0.0.0.7 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 255.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 7.255.255.255 any log
 permit icmp any 210.212.203.176 0.0.0.7
 deny ip any any log

Is this access-list enough to filter unwanted traffic, or do we need a few more entries?

Also, is it OK as inbound on the Internet and branch routers, or do we need to put it in the outbound direction also?

Kindly guide with the config.

Regards
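As an added example (not code from the original post or from Cisco), here is a small Python evaluator that replays the poster's filterT, written with IOS wildcard masks (0.0.0.7 for the /29), against constructed packets; it shows that a subnet mask read as a wildcard matches the wrong addresses, that the first entry accepts any TCP packet whose source port is 80 whatever its destination port, and that a 10.0.0.0/8 source reaches the web server because the permit lines come before the anti-spoofing denies. It approximates `established` with an ack flag and uses documentation addresses for the samples.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" in IOS terms: every bit is don't-care
SEG = ("210.210.210.176", "0.0.0.7")    # the poster's internet segment, base + wildcard

def wc_match(addr, base, wildcard):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def port_match(cond, port):
    """cond is None (any port), ('eq', n) or ('gt', n)."""
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n

def evaluate(acl, pkt):
    """Return the action of the first matching entry; an implicit deny ends the list."""
    for action, proto, src, sport, dst, dport, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wc_match(pkt["src"], *src) and wc_match(pkt["dst"], *dst)):
            continue
        if not (port_match(sport, pkt.get("sport", 0)) and port_match(dport, pkt.get("dport", 0))):
            continue
        if established and not pkt.get("ack", False):   # simplified 'established' (ACK set)
            continue
        return action
    return "deny"   # implicit "deny ip any any"

# The poster's filterT (first six entries, in the posted order) with wildcard masks.
FILTER_T = [
    ("permit", "tcp", ANY, ("eq", 80), SEG, None, False),
    ("permit", "udp", ANY, None, SEG, None, False),
    ("permit", "tcp", ANY, None, ("210.210.210.180", "0.0.0.0"), ("eq", 80), False),
    ("permit", "tcp", ANY, None, SEG, ("gt", 1023), True),
    ("deny", "ip", ("172.16.0.0", "0.15.255.255"), None, ANY, None, False),
    ("deny", "ip", ("10.0.0.0", "0.255.255.255"), None, ANY, None, False),
]

# Constructed sample packets (RFC 5737 documentation addresses), not captured traffic.
SAMPLES = {
    "source-port-80 to ssh": {"proto": "tcp", "src": "198.51.100.7", "sport": 80, "dst": "210.210.210.180", "dport": 22},
    "spoofed 10/8 to web": {"proto": "tcp", "src": "10.1.1.1", "sport": 40000, "dst": "210.210.210.180", "dport": 80},
    "new tcp to 443": {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "210.210.210.181", "dport": 443},
    "any udp": {"proto": "udp", "src": "203.0.113.9", "sport": 53, "dst": "210.210.210.181", "dport": 161},
}

if __name__ == "__main__":
    # The posted 255.255.255.0, read as a wildcard, matches 10.20.30.0 but not a branch host.
    print(wc_match("10.20.30.0", "192.168.16.0", "255.255.255.0"), wc_match("192.168.16.5", "192.168.16.0", "255.255.255.0"))
    for name, pkt in SAMPLES.items():
        print(f"{name}: {evaluate(FILTER_T, pkt)}")
```

Moving the anti-spoofing denies above the permits, and dropping the source-port-based `permit tcp any eq www` entry, changes the first two sample results to deny.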

4 Replies

spremkumar
Level 9

Hi,

I would suggest you fine-tune your ACLs to block some worm/virus traffic, which can be a potential loophole or which you can miss while hardening your network..

Do check out this link to find out more about the same..

http://www.cisco.com/en/US/partner/products/products_security_advisories_listing.html

Regards

Hi Prem Kumar. The link you gave requires privileged access, but I am not a Cisco privileged user, so can you copy and paste the useful content of the same to this forum, or you can mail me the same; you can find my mail id in my profile...

Thanks in advance.....

d.kratz
Level 1

Hi fmatrine,

I have another piece of advice for you.... Pay special attention to log usage.

In an attack condition (like a worm, for example), your router will waste a lot of time processing log messages. Consider alternatives like NetFlow, IP accounting and NBAR.

Another problem: if you use a syslog server on the central site, syslog messages can flood your upstream link.

Regards,

Kratz