Sunday, February 21, 2010

Internet Network Filtering part 1

The architecture for connecting organizations to the Internet typically comes in two flavors. The first architecture consists of a single device, usually a router but sometimes a firewall. The second architecture consists of multiple devices, typically a router and a firewall. No matter which architecture is chosen, it is important that proper filtering is implemented. This is the first in a series discussing the implementation of proper filtering for an organization's Internet connection.

For this series of posts, the organization's Internet architecture consists of the following equipment.

One Cisco IOS router
  Serial (s0/0) interface connecting a T-1 to the Internet
  Ethernet (e0/0) interface connecting to the firewall's outside interface
One Cisco ASA firewall

For a review of network ingress filtering, see RFC 2827.

To properly implement ingress filtering, begin by determining which addresses are currently allocated by IANA. The current address space allocations are listed on the IANA website:

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

Review the list and note every prefix whose status is either unallocated or reserved. The unallocated status is for prefixes that IANA has not issued. The reserved status is for prefixes reserved for various reasons, such as RFC 1918 private addresses, multicast networks, research networks, etc. These prefixes have no legitimate reason for being routed on the Internet, and if seen entering the organization they should be dropped.

With the list of prefixes to be dropped, the next step is to build the access control list (ACL). Before building the ACL, it is important to understand which traffic direction the list will be applied to.

Since the filtering decision is based only on address space, a simple (standard) IP ACL will be used. IOS ACLs take a wildcard (inverse) mask rather than a subnet mask, so a /8 prefix is written with the mask 0.255.255.255. To create the ACL, type these commands:

inetrtr01(config)#access-list 10 deny 5.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 10.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 14.0.0.0 0.255.255.255
.
input omitted
.
inetrtr01(config)#access-list 10 deny 253.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 254.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 255.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 permit any


The permit statement allows all traffic from valid prefixes to access the organization's resources.

With the ACL built, use the following commands to apply the ACL to the s0/0 interface:

inetrtr01(config)#interface s0/0
inetrtr01(config-if)#ip access-group 10 in


Now test the ACL by sending traffic to the organization with a spoofed source address of 10.0.0.1. After sending this traffic, check the ACL; there should be hits on the line for the 10.0.0.0/8 network. Once you are happy with the ACL, save the configuration.

Congratulations, you have now successfully implemented ingress filtering. All spoofed traffic from illegal sources will now be dropped by the Internet router. Dropping this illegitimate traffic at the router reduces the workload on the firewall.
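One way to generate the deny list from the registry statuses and check it offline before loading it on the router, as an added example that is not code from the original post. The registry rows are constructed samples in the registry's "NNN/8" prefix-and-status shape, and build_acl and first_match are hypothetical helper names.

```python
import ipaddress

# Constructed sample rows in the registry's "NNN/8" prefix + status shape;
# they are illustrative, not the current IANA registry contents.
SAMPLE_REGISTRY = [
    ("005/8", "UNALLOCATED"),
    ("008/8", "ALLOCATED"),
    ("010/8", "RESERVED"),
    ("014/8", "UNALLOCATED"),
    ("254/8", "RESERVED"),
]
DROP_STATUSES = {"UNALLOCATED", "RESERVED"}


def build_acl(rows, acl_number=10):
    """Return IOS standard-ACL lines denying every unallocated/reserved prefix."""
    lines = []
    for prefix, status in rows:
        if status.upper() not in DROP_STATUSES:
            continue
        octet, length = prefix.split("/")
        net = ipaddress.ip_network(f"{int(octet)}.0.0.0/{length}")
        # IOS ACLs take a wildcard (inverse) mask: /8 -> 0.255.255.255.
        lines.append(f"access-list {acl_number} deny {net.network_address} {net.hostmask}")
    lines.append(f"access-list {acl_number} permit any")
    return lines


def first_match(acl_lines, source):
    """Evaluate the ACL top-down for one source address (first match wins)."""
    src = int(ipaddress.ip_address(source))
    for line in acl_lines:
        fields = line.split()
        action, addr = fields[2], fields[3]
        if addr == "any":
            return action, line
        base = int(ipaddress.ip_address(addr))
        wildcard = int(ipaddress.ip_address(fields[4]))
        # Bits set in the wildcard are "don't care"; all other bits must match.
        if ((src ^ base) & ~wildcard & 0xFFFFFFFF) == 0:
            return action, line
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = build_acl(SAMPLE_REGISTRY)
    print("\n".join(acl))
    print(first_match(acl, "10.0.0.1"))
```

Because the registry changes over time, regenerate the list from a fresh copy of the registry whenever the ACL is reviewed.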

Next week I will cover egress filtering on the Internet router to ensure no spoofed traffic is leaving the organization.

1 comment:

  1. Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.
    Freevi
