Network Security
Router Based Rules
David Funk
Systems Administrator
Computer Systems Support
COE, University of Iowa
Router Filtering
• Goals and Limitations
• Know your network topology
• Know your hardware’s characteristics
• Proper division of labor
Router Filtering
• Goals and Limitations
  • Protect resources
    • Easy stuff (IP packet spoof filter)
    • Harder (protect port 135/139)
  • Permit necessary access
    • Servers visible to outside world
    • Use proxies to protect “tender” resources
    • Use “tougher” machines for outside services
Router Filtering
• Know your network topology
  • Choose logical boundaries
  • Segregate hosts by class
    • Client only
    • Local servers
    • Global servers
    • Intranets
Topology (diagram; only its labels survived extraction): Border router, Internal router, Client net, Server net
Hardware
• ACL limits
• In vs. Out filters
• Stateful filters
  • TCP SYN packet for pseudo state
• Protocol restrictions
• Data rate limits
• Failover options?
Division of Labor
• Border vs. Internal Routers
• Filters on end hosts
• Add hardware where necessary
• Fault tolerance?
Details
• Testing
• Maintenance
• Honeypot + sniffer logs
• Software Updates
• Documentation
• Oddball stuff (DHCP)
Details
access-list 103 deny ip 128.255.16.0 0.0.15.255 any log
access-list 103 deny ip 127.0.0.0 0.0.0.15 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 permit ip host 128.255.1.3 any
access-list 103 permit ip host 128.255.64.3 any
access-list 103 deny ip any 128.255.18.12 0.0.1.1 log
access-list 103 deny ip any host 128.255.19.11 log
access-list 103 deny ip any 128.255.18.16 0.0.1.0 log
access-list 103 deny ip any 128.255.26.64 0.0.1.15 log
access-list 103 permit ip any 128.255.22.0 0.0.0.31
access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135
access-list 103 permit udp any 128.255.16.40 0.0.3.7 eq 139
access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 139
Details (continued)
access-list 103 permit udp 128.255.0.0 1.0.255.255 128.255.23.0 0.0.0.255 eq 135
access-list 103 permit tcp 128.255.0.0 1.0.255.255 128.255.23.0 0.0.0.255 eq 135
access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 137
access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 138
access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 139
access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 445
access-list 103 permit udp any 128.255.23.0 0.0.0.255 eq 445
access-list 103 deny udp any eq tftp 128.255.16.0 0.0.15.255 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq tftp log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 135 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 135 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 138 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 139 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 445 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 445 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 593 log
access-list 103 permit tcp any 128.255.16.0 0.0.15.255 established
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 6346
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 4444 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 707 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 50000 log
access-list 103 permit ip any 128.255.23.0 0.0.0.255
Details (continued)
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 5000 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 1900 log
access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 1433
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq 1434
access-list 103 deny udp any 128.255.20.0 0.0.1.255 eq 111 log
access-list 103 deny udp any 128.255.16.0 0.0.15.255 eq snmp log
access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq 6000
access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq ssh
access-list 103 permit tcp any eq 20 128.255.20.0 0.0.1.255 gt 1023
access-list 103 deny tcp any 128.255.20.0 0.0.1.255 log
Details
access-list 127 permit ip 128.255.27.0 0.0.0.255 any
access-list 127 permit udp any eq bootps any
access-list 127 permit udp any eq bootpc any
access-list 127 deny ip any any log
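The script below is an added worked example, not part of the slides and not the presenter's code: it implements the evaluation semantics that make the access-lists above behave as intended (first matching line wins, an implicit deny at the end, IOS wildcard masks where a 1 bit means "don't care", and the `established` keyword, which only tests whether the ACK or RST bit is set and so gives the "pseudo state" the Hardware slide mentions). It replays a subset of access-list 103 and the whole of access-list 127 from the slides against packets constructed for illustration (the outside addresses 1.2.3.4 and 10.0.0.1, the source ports and the case names are all made up). It shows that a packet arriving from outside with an inside source address is dropped by the spoof filter, that the port 135 exemption for the 128.255.16.40 group and the 445 permit for the 128.255.23.0 server net take effect before the general port denies, and why the `established` line must sit ahead of the `deny ... eq 50000` line.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords used in the slides' ACLs
PORT_NAMES = {"tftp": 69, "snmp": 161, "ssh": 22, "bootps": 67, "bootpc": 68}

# ack = ACK or RST bit set, which is all that the IOS "established" keyword tests
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
# src/dst are (address, wildcard) as 32-bit ints; proto "ip" matches any protocol
Rule = namedtuple("Rule", "action proto src sport dst dport established text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """Address spec at tok[i]: 'any', 'host A' or 'A WILDCARD'; returns (spec, next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):
    """Optional 'eq N' / 'gt N' (keyword or number) following an address."""
    if i < len(tok) and tok[i] in ("eq", "gt"):
        n = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return ((lambda p: p == n) if tok[i] == "eq" else (lambda p: p > n)), i + 2
    return (lambda p: True), i

def parse_acl(lines):
    """access-list <n> <permit|deny> <proto> <src> [port] <dst> [port] [established] [log]"""
    rules = []
    for line in lines:
        tok = line.split()
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport, "established" in tok[i:], line))
    return rules

def _addr_match(spec, ip):
    addr, wild = spec
    # Wildcard bits set to 1 are "don't care": compare only the remaining bits
    return (_ip(ip) | wild) == (addr | wild)

def evaluate(rules, pkt):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if not (r.sport(pkt.sport) and r.dport(pkt.dport)):
            continue
        if r.established and not pkt.ack:
            continue
        return r.action, r.text
    return "deny", "implicit deny"

# Subset of the slides' access-list 103, kept in the slides' order
ACL_103 = [
    "access-list 103 deny ip 128.255.16.0 0.0.15.255 any log",
    "access-list 103 permit tcp any 128.255.16.40 0.0.3.7 eq 135",
    "access-list 103 permit tcp any 128.255.23.0 0.0.0.255 eq 445",
    "access-list 103 deny udp any eq tftp 128.255.16.0 0.0.15.255 log",
    "access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 135 log",
    "access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 445 log",
    "access-list 103 permit tcp any 128.255.16.0 0.0.15.255 established",
    "access-list 103 deny tcp any 128.255.16.0 0.0.15.255 eq 50000 log",
    "access-list 103 permit tcp any 128.255.20.0 0.0.1.255 eq ssh",
    "access-list 103 permit tcp any eq 20 128.255.20.0 0.0.1.255 gt 1023",
    "access-list 103 deny tcp any 128.255.20.0 0.0.1.255 log",
]
ACL_127 = [
    "access-list 127 permit ip 128.255.27.0 0.0.0.255 any",
    "access-list 127 permit udp any eq bootps any",
    "access-list 127 permit udp any eq bootpc any",
    "access-list 127 deny ip any any log",
]

# Constructed test packets (not from the slides), as seen inbound at the router
CASES = {
    "spoofed_internal_source": (ACL_103, Packet("tcp", "128.255.20.5", "128.255.20.7", 40000, 22)),
    "rpc_to_exempted_host": (ACL_103, Packet("tcp", "1.2.3.4", "128.255.16.40", 40000, 135)),
    "smb_to_random_host": (ACL_103, Packet("tcp", "1.2.3.4", "128.255.17.50", 40000, 445)),
    "smb_to_server_net": (ACL_103, Packet("tcp", "1.2.3.4", "128.255.23.9", 40000, 445)),
    "return_traffic_ack": (ACL_103, Packet("tcp", "1.2.3.4", "128.255.20.7", 80, 50000, True)),
    "new_syn_to_50000": (ACL_103, Packet("tcp", "1.2.3.4", "128.255.20.7", 40000, 50000)),
    "active_ftp_data": (ACL_103, Packet("tcp", "1.2.3.4", "128.255.20.7", 20, 2049)),
    "dhcp_discover": (ACL_127, Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)),
    "web_from_outside": (ACL_127, Packet("tcp", "10.0.0.1", "128.255.27.5", 40000, 80)),
}

def run_cases():
    """Return {case name: (action, text of the rule that decided it)}."""
    return {name: evaluate(parse_acl(acl), pkt) for name, (acl, pkt) in CASES.items()}
```

Calling `run_cases()` returns, for every constructed packet, the action and the exact line that decided it, which is the same information the `log` keyword would write to the router's log; the `dhcp_discover` case matches the `bootpc` line of access-list 127 even though its source is 0.0.0.0, which is why the DHCP lines sit ahead of the final `deny ip any any`. Only the ACK or RST bit is inspected for `established`, so a crafted packet with ACK set passes that line; that is the limit of the pseudo state the Hardware slide refers to, and a stateful filter on the host or an internal device is what closes the gap.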