This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.
* You cannot enforce strong access policies with router access lists.
Users can easily install backdoors on their systems to get around "no
incoming telnet" or "no X" rules, and crackers install telnet backdoors
on the systems they break into.
* You can never be sure which services you have listening for connections
on high port numbers.
* Checking the source port on incoming FTP data connections is a weak
security measure. It also breaks access to some FTP sites, and it makes
using the service harder for your users without preventing an attacker
from scanning your systems.
Use at least Cisco IOS version 9.21, so that you can filter incoming
packets and check for address spoofing. It is still better to use 10.3,
which gives you some extra features (such as filtering on source port)
and some improvements to the filter syntax.
You still have a few ways to make your setup stronger. Block all incoming
TCP connections and tell users to use passive-FTP clients. You can also
block outgoing ICMP echo-reply and destination-unreachable messages to hide
your network and to hinder network scanners. Cisco.com used to have an
archive of examples for building firewalls with Cisco routers, but it no
longer seems to be online. There are at least some notes on Cisco access
control lists at
ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists.
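As an added illustration of the hardening steps described above (this is not an example from the FAQ or from Cisco's former archive), the following fragment expresses them in classic IOS numbered extended-ACL syntax. The interface names, the internal network 192.0.2.0/24 and the ACL numbers are assumptions; adapt them to the real topology.

```cisco
! Assumed topology: Serial0 faces the Internet, the internal network is
! 192.0.2.0/24 (a documentation prefix used here as a placeholder).

! --- Inbound filter, applied to packets arriving from the Internet ---
! Anti-spoofing: a packet from outside must never carry an internal or
! loopback source address (inbound filtering needs IOS 9.21 or later).
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
! Let replies to connections opened from inside through: "established"
! matches TCP segments with ACK or RST set, so a bare SYN from outside
! is refused. This is a flag check only, not real connection tracking.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
! Refuse every other incoming TCP connection attempt, which includes
! active-mode FTP data connections (hence the advice to use passive FTP).
access-list 101 deny   tcp any any
! Everything else is denied as well; extend this list only for the UDP
! services the site deliberately exposes.
access-list 101 deny   ip any any

! --- Outbound filter, applied to packets leaving for the Internet ---
! Drop the ICMP messages that reveal which hosts and ports exist, so ping
! sweeps and port scanners learn less about the network.
access-list 102 deny   icmp any any echo-reply
access-list 102 deny   icmp any any unreachable
! Only traffic sourced from the internal prefix may leave (egress
! anti-spoofing).
access-list 102 permit ip 192.0.2.0 0.0.0.255 any

interface Serial0
 ip access-group 101 in
 ip access-group 102 out
```

The `established` rule is what "block all incoming TCP connections" amounts to on a router of this generation: any segment with the ACK bit set is admitted to any internal port, which is precisely the weakness the list above warns about, since it cannot tell a reply from a crafted packet aimed at a service listening on a high port.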