Sidebar 2: Packet Filtering Tips and Resources
Need to check your filters? The first step should be a port scanner. Saint (http://www.wwdsi.com/saint/) is one of my favorites. Saint is actually better than many port scanners: its database warns you of blatant security flaws.
A good place to browse firewall issues is the firewall mailing list archive maintained by Gnac at http://lists.gnac.net/firewalls/. This site also includes a link to the Internet Firewalls FAQ.
We did not specifically cover IP spoofing, but it is easy to stop with packet filtering. In our example, any traffic arriving on the serial interface with a source address in the 192.168.1.0/24 or 10.0.0.0/8 networks (our internal addresses, which should never appear as a source on the outside interface) should be dropped:
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
These rules should be placed at the top of the list so that no later entry can match first and allow the traffic through.
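Why the position in the list matters, as an added example that is not code from the article: a small Python model of how an IOS extended access list evaluates a packet (first match wins, implicit deny at the end), run once with the anti-spoofing entries on top and once with a permit entry ahead of them. The permit entry is a constructed placeholder for whatever the rest of the list allows; the wildcard-to-prefix helper shows that 0.255.255.255 is the mask for a /8.

```python
import ipaddress

# Added example, not code from the article: a small model of how an IOS
# extended access list evaluates a packet. Entries are tried top to bottom,
# the first match wins, and every list ends with an implicit "deny any".


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverted netmasks: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_to_prefixlen(wildcard: str) -> int:
    """0.255.255.255 is the wildcard for a /8; 0.0.0.255 for a /24."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 32 - bin(w).count("1")


def parse_entry(line: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC DST [log]' where SRC/DST is
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    pos = 4

    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[pos] == "host":
            pos += 2
            return (tok[pos - 1], "0.0.0.0")
        pos += 2
        return (tok[pos - 2], tok[pos - 1])

    src, dst = address(), address()
    return {"action": tok[2], "src": src, "dst": dst,
            "log": pos < len(tok) and tok[pos] == "log", "text": line}


def evaluate(acl: list, src: str, dst: str) -> tuple:
    """Return (action, matching entry text); first match wins."""
    for entry in map(parse_entry, acl):
        if wildcard_match(src, *entry["src"]) and wildcard_match(dst, *entry["dst"]):
            return entry["action"], entry["text"]
    return "deny", "implicit deny at end of list"


# The article's anti-spoofing entries first, then a permit for the rest
# (the permit is a constructed placeholder for whatever the list allows).
GOOD_ORDER = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 permit ip any 192.168.1.0 0.0.0.255",
]

# Same entries with the permit moved above the denies: a packet with a
# spoofed inside source now matches the permit first and is let through.
BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]


def demo() -> dict:
    spoofed_src, inside_dst = "192.168.1.7", "192.168.1.20"
    return {
        "good": evaluate(GOOD_ORDER, spoofed_src, inside_dst)[0],
        "bad": evaluate(BAD_ORDER, spoofed_src, inside_dst)[0],
        "outside": evaluate(GOOD_ORDER, "203.0.113.9", inside_dst)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model only handles `ip` entries with `any`, `host` and wildcard forms, which is enough to see the ordering effect; a real list with protocol and port matches follows the same first-match rule.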
Access lists can be tough to troubleshoot. The IOS command show access-lists displays your access lists along with the number of matches for each entry. You can also add the log keyword to an entry:
access-list 101 deny ip 192.168.1.0 0.0.0.255 any log
Then you can use show logging to get more information about the attempt.
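What to do with that show logging output, as an added example that is not code from the article: a Python parser for the %SEC-6-IPACCESSLOGP messages the log keyword produces, which totals denied packets per source and picks out sources that claim one of the article's inside ranges (hits on the anti-spoofing entries). The log lines are constructed for the example in the style of that message.

```python
import ipaddress
import re
from collections import Counter

# Added example, not from the article: summarize "log" hits from show logging
# output. The sample lines below are constructed in the style of the IOS
# %SEC-6-IPACCESSLOGP message that the log keyword produces.
SAMPLE_LOG = """\
Mar  1 10:02:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(1034) -> 192.168.1.20(80), 1 packet
Mar  1 10:02:15: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.4.4.4(53) -> 192.168.1.20(53), 3 packets
Mar  1 10:02:40: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(40001) -> 192.168.1.20(25), 1 packet
Mar  1 10:07:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(1035) -> 192.168.1.20(23), 12 packets
"""

# Networks that must never appear as a source on the outside interface
# (the article's internal ranges).
INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_log(text: str):
    """Yield one dict per recognized log line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def denied_packets_by_source(text: str) -> dict:
    """Total denied packets per source address (IOS aggregates repeat hits)."""
    totals = Counter()
    for rec in parse_log(text):
        if rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return dict(totals)


def spoofed_sources(text: str) -> list:
    """Denied sources claiming an inside address: hits on the anti-spoofing entries."""
    return sorted(
        src for src in denied_packets_by_source(text)
        if any(ipaddress.ip_address(src) in net for net in INSIDE_NETS)
    )


if __name__ == "__main__":
    print("denied packets by source:", denied_packets_by_source(SAMPLE_LOG))
    print("sources claiming inside addresses:", spoofed_sources(SAMPLE_LOG))
```

Pipe real show logging output into parse_log the same way; lines that are not access-list log messages are ignored.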
The place to start for any Cisco information is, of course, http://www.cisco.com. You should also read their Increasing Security on IP Networks at http://www.cisco.com/warp/public/701/31.html for information specific to Cisco routers; that article also gives some good access list examples.