Tuesday, January 20, 2009

Cisco's $7 Million Investment in Xobni

Information Week article discussing Cisco's $7 Million investment in Xobni.

It will be interesting to see where this posturing goes.

Read more.

Cisco Plans Big Push Into Server Market

The New York Times published an article yesterday reporting Cisco's move into the server market with a virtualized server appliance.

It will be interesting to see how this progresses. Will Cisco buy VMware?

Read more at http://tinyurl.com/8vrhen.

Tuesday, January 6, 2009

Securing the Internet router - Interface ACL

When it comes to securing the perimeter, the Internet gateway router should be configured to protect the firewall, and the firewall in turn should protect the DMZ and internal networks. Each layer takes load off the one behind it.

One of the easiest ways to do this is to block unnecessary Internet noise at the router with a simple interface access control list. Applied inbound on the ISP-facing interface, the list filters both transit traffic and traffic addressed to the router itself: packets spoofing your own addresses, unroutable (bogon) sources, non-initial fragments, and anything not explicitly needed. Keep a stateful firewall behind it. An interface ACL is stateless, so permits keyed on source port (FTP data, DNS replies) are exactly as loose as they look.

Here is the ACL template I use on my Internet routers. In it, 10.0.0.0/24 stands in for the public block your ISP assigned, 10.0.0.1 is the router's outside address and 10.0.0.10 is the mail gateway; substitute your own prefix before use.

interface GigabitEthernet0/0
 description To Internet Service Provider
 ip address 10.0.0.1 255.255.255.0
 ip access-group iACL-external in
!
ip access-list extended iACL-external
 remark 10.0.0.0/24 stands in for the public block; 10.0.0.1 is this router, 10.0.0.10 the mail gateway
 remark Non-initial fragments: a permit with port info would otherwise pass them on the L3 match alone
 deny tcp any 10.0.0.0 0.0.0.255 log fragments
 deny udp any 10.0.0.0 0.0.0.255 log fragments
 deny icmp any 10.0.0.0 0.0.0.255 log fragments
 deny ip any 10.0.0.0 0.0.0.255 log fragments
 remark Anti-spoofing: our own block must never arrive from the Internet side
 deny ip 10.0.0.0 0.0.0.255 any
 remark Bogons and reserved space (RFC 3330). This list goes stale as IANA allocates space;
 remark 24/8 (cable, in use since 1996) was dropped; check the current bogon list before deploying
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 14.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 128.0.0.0 0.0.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 198.18.0.0 0.1.255.255 any
 remark Multicast (224/4) and Class E (240/4) are never valid unicast sources or destinations here
 deny ip any 224.0.0.0 15.255.255.255
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 remark Explicit telnet deny so the hit counter shows scans (the final deny would catch it anyway)
 deny tcp any 10.0.0.0 0.0.0.255 eq telnet
 remark Limit SMTP to the mail gateway only
 permit tcp any host 10.0.0.10 eq smtp
 permit tcp any 10.0.0.0 0.0.0.255 eq www
 permit tcp any 10.0.0.0 0.0.0.255 eq 443
 remark Source-port permits: anyone can reach ports above 1023 by sourcing from 20 or 53,
 remark so the stateful firewall behind the router must still police these
 permit tcp any eq ftp-data 10.0.0.0 0.0.0.255 gt 1023
 permit tcp any 10.0.0.0 0.0.0.255 eq ftp
 remark This also opens 22 to the router itself; restrict the vty lines with an access-class
 permit tcp any 10.0.0.0 0.0.0.255 eq 22
 permit udp any eq domain 10.0.0.0 0.0.0.255 gt 1023
 permit udp any eq ntp 10.0.0.0 0.0.0.255 log
 remark Replies to connections opened from inside (ACK or RST set)
 permit tcp any 10.0.0.0 0.0.0.255 established
 remark ICMP needed for ping replies, traceroute and path-MTU discovery; inbound echo stays blocked.
 remark 10.0.0.1 is inside the /24, so these entries cover the router's own address too
 permit icmp any 10.0.0.0 0.0.0.255 echo-reply
 permit icmp any 10.0.0.0 0.0.0.255 ttl-exceeded
 permit icmp any 10.0.0.0 0.0.0.255 port-unreachable
 permit icmp any 10.0.0.0 0.0.0.255 protocol-unreachable
 permit icmp any 10.0.0.0 0.0.0.255 packet-too-big
 deny ip any any

Now, I've got a reputation for being a stickler for pretty tight router configurations, so in many cases I've had to loosen my choke hold on the traffic coming through. So test these recommendations before you deploy them at your data center.
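One way to test the list before it touches a router, as an added example that is not part of the original post: a small Python evaluator for the subset of IOS extended-ACL syntax the template uses. It applies wildcard masks, top-down first match, the implicit deny, the established keyword and IOS's documented treatment of non-initial fragments (an entry with port information matches a non-initial fragment on its Layer 3 fields alone if it is a permit, and is skipped if it is a deny), then runs constructed packets through a cut-down copy of the template. The ACL text, the packets and their addresses are all constructed for the demo, and the 10.0.0.0/24 placeholder is kept from the post; nothing here talks to a router.

```python
"""Offline evaluator for the subset of Cisco IOS extended-ACL syntax used in the template.
Added example, not code from the post. The ACL below is the template cut down (constructed),
10.0.0.0/24 standing in for the public block, with the 172.16/12 and 224/4 wildcards corrected."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
ACL = """
deny tcp any 10.0.0.0 0.0.0.255 log fragments
deny ip any 10.0.0.0 0.0.0.255 log fragments
deny ip 10.0.0.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip any 224.0.0.0 15.255.255.255
deny tcp any 10.0.0.0 0.0.0.255 eq telnet
permit tcp any host 10.0.0.10 eq smtp
permit tcp any 10.0.0.0 0.0.0.255 eq www
permit tcp any eq ftp-data 10.0.0.0 0.0.0.255 gt 1023
permit udp any eq domain 10.0.0.0 0.0.0.255 gt 1023
permit tcp any 10.0.0.0 0.0.0.255 established
deny ip any any
"""

@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # ACK or RST set, which is all that 'established' checks
    fragment: bool = False  # non-initial fragment: no L4 header on the wire

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w

def _addr(t, i):  # 'any' | 'host A' | 'A WILDCARD' at t[i] -> ((base, wildcard), next index)
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def _port(t, i):  # optional 'eq|gt PORT' at t[i] -> ((op, port) or None, next index)
    if i < len(t) and t[i] in ("eq", "gt"):
        p = t[i + 1]
        return (t[i], int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_entry(line):
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    flags = set(t[i:])  # what is left: log, fragments, established
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": "established" in flags, "fragments": "fragments" in flags}

def _port_ok(rule, value):
    return rule is None or (value == rule[1] if rule[0] == "eq" else value > rule[1])

def entry_matches(e, p):
    if e["proto"] not in ("ip", p.proto):
        return False
    if not (wildcard_match(p.src, *e["src"]) and wildcard_match(p.dst, *e["dst"])):
        return False
    if e["fragments"]:  # a 'fragments' entry sees only non-initial fragments
        return p.fragment
    if p.fragment:
        # IOS rule: an L3-only entry applies to a non-initial fragment as written; an entry with
        # port or flag qualifiers matches on L3 alone if it permits and is skipped if it denies
        return not (e["sport"] or e["dport"] or e["established"]) or e["action"] == "permit"
    return (_port_ok(e["sport"], p.sport) and _port_ok(e["dport"], p.dport)
            and (p.ack or not e["established"]))

def evaluate(acl_text, pkt):
    """Top-down, first match wins, implicit deny at the end; returns (action, entry)."""
    for line in acl_text.strip().splitlines():
        t = line.split()
        if t and t[0] in ("permit", "deny") and entry_matches(parse_entry(line), pkt):
            return t[0], line.strip()
    return "deny", "implicit deny"

def demo():
    """Constructed packets against ACL; returns {label: (action, matching entry)}."""
    pkts = {
        "spoofed internal source": Packet("tcp", "10.0.0.5", "10.0.0.10", 40000, 25),
        "smtp to the mail gateway": Packet("tcp", "203.0.113.7", "10.0.0.10", 40000, 25),
        "smtp to another host": Packet("tcp", "203.0.113.7", "10.0.0.20", 40000, 25),
        "SYN from source port 20 to 3389": Packet("tcp", "198.51.100.9", "10.0.0.20", 20, 3389),
        "non-initial fragment": Packet("tcp", "203.0.113.7", "10.0.0.20", fragment=True),
    }
    out = {name: evaluate(ACL, p) for name, p in pkts.items()}
    # Same fragment with the 'fragments' entries removed: the www permit passes it on L3 alone
    unguarded = "\n".join(ln for ln in ACL.splitlines() if "fragments" not in ln)
    out["fragment, guard removed"] = evaluate(unguarded, pkts["non-initial fragment"])
    return out
```

Running demo() shows what the list alone does not: the spoofed source dies on the anti-spoofing entry, SMTP reaches only the mail gateway, a SYN from source port 20 to 3389 is permitted by the ftp-data entry (the stateless source-port hole), and once the fragments entries are removed a non-initial fragment is passed by the www permit. Calling wildcard_match directly also shows why 0.0.0.255 on 224.0.0.0 covers a single /24 rather than all of multicast, and why 0.31.255.255 on 172.16.0.0 blocks 172.0.0.0 through 172.31.255.255 instead of 172.16/12.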

Do you have a script you like to use? If you feel like sharing, send me a copy; I may add it to this post.

In an upcoming post, I will share some other things you can do to protect your Internet routers.