Internet Network Filtering Part 2

The first part of this series covered ingress filtering on your organizations Internet router. The goal of ingress filtering was to filter illegitimate traffic hitting your firewall. The next part of this series will cover egress filtering on the Internet router.

Egress filtering is filtering traffic leaving an organizations network. For a more in-depth explanation of egress filtering please read the paper I authored titled Performing Egress Filtering.

To review the organization Internet architecture consists of the following equipment.

One Cisco IOS router
Serial (s0/0) Interface connecting a T-1 to the Internet
Ethernet (e0/0) Interface connecting to firewall outside interface
One Cisco ASA firewall

The first step implementing egress filtering is to determine all Internet connections into your organizations network. Create a list with each location and all address ranges in that location. In some organizations their Internet connection may consist of multiple address ranges and/or ISPs.

For these articles the IP address range assigned by our fake ISP is 5.1.2.0/24 and 5.2.3.0/24. These ranges are currently not allocated and are for demonstration purposes only.

As with the ingress filter, extended ACL’s are used for the egress filters. To create the ACL type these commands in:

Inetrt01(config)#access-list 101 permit ip 5.1.2.0 0.0.0.255 any
Inetrt01(config)#access-list 101 permit ip 5.2.3.0 0.0.0.255 any
Inetrt01(config)#access-list 101 permit ip any 5.1.2.0 0.0.0.255
Inetrt01(config)#access-list 101 permit ip any 5.2.3.0 0.0.0.255
Inetrt01(config)#access-list 101 deny ip any any log

The first two permit access control entries (ACE) allow traffic sourced from our public address space to access the Internet through the Internet router. The next two permitted ACE’s allow traffic on the Internet to access resources in the IP ranges of 5.1.2.0/24 and 5.2.3.0/24. The final ACE is used to identify systems using source address other than the ones assigned to our organization. Any system that hits on the deny ACE must be investigated. The two likely causes of the hits could be mis-configured or infected with malware.

To maintain direction consistency, easier management, and better system performance the ACL will be applied inbound on the Ethernet interface. Use the following commands to apply the ACL to e0/0

Inetrtr01(config)#interface e0/0
Inetrtr01(config-if)#ip access-group 101 in

Two test must be performed to ensure the egress filtering is working correctly. First make a connection to a website such as www.google.com. Review the ACL and hits should appear on your source range and traffic bound for your source range. Next make a connection to www.google.com, this time send traffic with a spoofed IP address of 1.1.1.1. Review the ACL and hits should appear on the deny statement. If you see other hits on this ACE you should investigate these hits.

Congratulations you have now successfully implemented egress filtering on your edge router. Next time I will start on filtering on the firewall.