Use of ACL's to mitigate the risk of IP Spoofing
14 years 4 months ago #34705
by JamieP
Jamie Parks
Network Engineer, UK
Replied by JamieP on topic Re: Use of ACL's to mitigate the risk of IP Spoofing
It really depends on what you want to allow in. I work in a hosting environment, so we have a:
[code:1]permit tcp any <our ip range> <wildcard> eq 80
permit tcp any <our ip range> <wildcard> eq 443[/code:1]
Which allows people to access our websites, but it also means that someone could try to get in on port 80 from any address.
You could be really extreme and, rather than a permit tcp any, use the IANA list of assigned IP ranges to create permit statements for each range that is allocated - www.iana.org/assignments/ipv4-address-sp...v4-address-space.xml
But it is much easier to have half a dozen lines to block the internal (RFC1918) ranges from getting in.
As a point of interest, I have known companies to use the IANA list above to deny anything from ranges that are currently unallocated (as they should not be in use), which increases your security but needs to be reviewed regularly as they are always being updated.
14 years 3 months ago #34799
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Use of ACL's to mitigate the risk of IP Spoofing
FlipRich,
Once you use an ACL on an outside port (in direction), you have to permit any (or permit some) after you deny, because if you don't, the implicit deny will block reply traffic (that was NATed from your inside), so your inside users won't see the internet. But this permit would usually allow everything to pass, including the private ranges you mentioned. That's why admins deny those ranges one by one.
To put it briefly, the implicit deny is just not effective at preventing private ranges, because it prevents everything else too.
Now, if you don't use an ACL, all traffic will be allowed and you end up with that same problem (IP spoofing).
That's talking about routers. On the other hand, when using firewalls (PIX or ASA), those devices will allow reply (NATed) traffic even if the ACLs block it (except for ICMP replies). In this case the implicit deny WILL work to prevent IP spoofing.
That's as far as I remember and my notes go; if anyone recalls better, please correct me.
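The two posts above make complementary points: JamieP's inbound ACL (RFC1918 denies followed by permits for ports 80 and 443) stops packets with spoofed private sources, and S0lo's point is that on a stateless router the implicit deny at the end of such an ACL also blocks replies to connections the inside opened, which is why people end up adding a broad permit, whereas a stateful firewall lets replies through before the ACL is consulted. The following added example, written for this edit and not code from either poster or from firewall.cx, is a small Python evaluator for the subset of IOS extended-ACL syntax used in the thread (Cisco wildcard masks, first match wins, implicit deny). It runs the three cases through both a stateless and a simplified stateful evaluation. All addresses are constructed: 203.0.113.0/24 stands in for "our ip range" and 198.51.100.0/24 for the internet. The fourth deny, dropping packets whose source claims to be our own range, goes slightly beyond the thread; it is the standard anti-spoofing companion to the RFC1918 denies. The `evaluate_stateful` function is a deliberately simple model of the behaviour S0lo describes (a session table consulted before the interface ACL), not an emulation of PIX/ASA internals.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen arriving on the outside interface (inbound)."""
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def parse_ace(line: str) -> dict:
    """Parse the subset of IOS extended-ACL syntax used in the thread:
    <permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>]
    where an address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr(t):
        if t[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), t[1:]
        if t[0] == "host":
            return (t[1], "0.0.0.0"), t[2:]
        return (t[0], t[1]), t[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl: list, pkt: Packet) -> str:
    """Stateless router behaviour: first matching entry wins; no match = implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, *ace["src"]):
            continue
        if not wildcard_match(pkt.dst, *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"]
    return "deny"   # the implicit 'deny ip any any' at the end of every IOS ACL


def evaluate_stateful(acl: list, pkt: Packet, sessions: set) -> str:
    """Simplified model of the firewall behaviour S0lo describes: a reply to a session
    the inside opened is let through before the interface ACL is consulted.
    `sessions` holds (proto, translated_inside_ip, inside_port, remote_ip, remote_port)."""
    if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in sessions:
        return "permit"
    return evaluate(acl, pkt)


# Constructed addresses: 203.0.113.0/24 is "our ip range", 198.51.100.0/24 is the internet.
ANTI_SPOOF_DENIES = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 203.0.113.0 0.0.0.255 any",   # our own range as a source cannot legitimately arrive from outside
]
HOSTING_ACL = ANTI_SPOOF_DENIES + [          # JamieP's ACL: only web traffic to our range
    "permit tcp any 203.0.113.0 0.0.0.255 eq 80",
    "permit tcp any 203.0.113.0 0.0.0.255 eq 443",
]
PERMIT_ANY_ACL = ANTI_SPOOF_DENIES + ["permit ip any any"]   # S0lo's "permit any after you deny"

SPOOFED = Packet("tcp", "10.1.2.3", "203.0.113.10", 40000, 80)        # private source from the outside
VISITOR = Packet("tcp", "198.51.100.7", "203.0.113.10", 40001, 80)    # legitimate web visitor
REPLY = Packet("tcp", "198.51.100.9", "203.0.113.5", 443, 51000)      # reply to a NATed inside user
TELNET = Packet("tcp", "198.51.100.9", "203.0.113.5", 40002, 23)      # unsolicited inbound connection
OPEN_SESSIONS = {("tcp", "203.0.113.5", 51000, "198.51.100.9", 443)}  # what the inside user opened


def demo() -> dict:
    return {
        "hosting/spoofed": evaluate(HOSTING_ACL, SPOOFED),          # deny: RFC1918 entry
        "hosting/visitor": evaluate(HOSTING_ACL, VISITOR),          # permit: port 80 entry
        "hosting/reply": evaluate(HOSTING_ACL, REPLY),              # deny: implicit deny eats the reply
        "permit-any/reply": evaluate(PERMIT_ANY_ACL, REPLY),        # permit: but so is everything else...
        "permit-any/telnet": evaluate(PERMIT_ANY_ACL, TELNET),      # permit: ...such as this
        "permit-any/spoofed": evaluate(PERMIT_ANY_ACL, SPOOFED),    # deny: explicit denies still work
        "stateful/reply": evaluate_stateful(HOSTING_ACL, REPLY, OPEN_SESSIONS),      # permit via session table
        "stateful/spoofed": evaluate_stateful(HOSTING_ACL, SPOOFED, OPEN_SESSIONS),  # deny: no session, ACL applies
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```

Running it shows the trade-off in one table: with the hosting ACL alone the spoofed packet is dropped but so is the reply to the inside user; with `permit ip any any` appended the reply gets through but so does the unsolicited telnet connection; with session state the reply is allowed without any broad permit, and the spoofed packet still hits the explicit deny.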