Tuesday, January 6, 2009

Securing the Internet router - Interface ACL

When it comes to securing the perimeter, the Internet gateway routers should be configured to protect the firewall, and the firewall in turn should protect the DMZ and the internal networks.

One of the easiest ways to do this is to block unnecessary Internet noise at the router, using a simple interface access control list.

Here is the ACL template I use on my Internet routers.

interface GigabitEthernet0/0
description To Internet Service Provider
ip address
ip access-group iACL-external in
!
ip access-list extended iACL-external
! Drop non-initial fragments, which carry no Layer 4 header to filter on
deny tcp any log fragments
deny udp any log fragments
deny icmp any log fragments
deny ip any log fragments
! Deny traffic sourced from blocked address ranges
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
! No inbound telnet to anything
deny tcp any eq telnet
! Limit SMTP to mail gateway only
permit tcp any host eq smtp
permit tcp any eq www
permit tcp any eq 443
permit tcp any eq ftp-data gt 1023
permit tcp any eq ftp
permit tcp any eq 22
permit udp any eq domain gt 1023
permit udp any eq ntp log
! Return traffic for TCP sessions opened from the inside
permit tcp any established
! ICMP replies and error messages needed for normal operation
permit icmp any echo-reply
permit icmp any ttl-exceeded
permit icmp any port-unreachable
permit icmp any protocol-unreachable
permit icmp any packet-too-big
permit icmp any host echo-reply
permit icmp any host ttl-exceeded
permit icmp any host port-unreachable
permit icmp any host protocol-unreachable
permit icmp any host packet-too-big
! Everything else is dropped
deny ip any any

Now, I've got a reputation for being a stickler for pretty tight router configurations, so in many cases I've had to loosen my chokehold on the traffic coming through. Test these recommendations before you deploy them at your data center.
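One way to sanity-check a list like this before it goes on a router is to replay a few representative packets through a first-match evaluator offline. The following is an added example, not the post's own script: it models only the syntax subset the template uses (no source ports or ICMP types), and the ACL and the RFC 5737 addresses in it are constructed stand-ins for the values the template leaves out.

```python
"""Offline first-match evaluator for the Cisco extended-ACL subset used in the post's template
(any | host A.B.C.D | A.B.C.D WILDCARD, eq destination port, established, fragments, log)."""
import ipaddress
PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "ftp": 21, "domain": 53, "ntp": 123}

def _addr(toks):
    # Consume one address spec from the front of toks; return (network, remaining tokens)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # "A.B.C.D WILDCARD": a Cisco wildcard is a hostmask, which ipaddress accepts after the slash
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_ace(line):
    toks = line.split()
    src, rest = _addr(toks[2:])
    dst, rest = _addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return {"action": toks[0], "proto": toks[1], "src": src, "dst": dst, "dport": dport,
            "established": "established" in rest, "fragments": "fragments" in rest}

def matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]) or pkt["src"] not in ace["src"] \
            or pkt["dst"] not in ace["dst"]:
        return False
    noninitial = pkt["frag_offset"] > 0
    if ace["fragments"]:   # the keyword matches non-initial fragments only
        return noninitial
    if noninitial:         # no L4 header to inspect: only L3-only entries can match
        return ace["dport"] is None and not ace["established"]
    if ace["dport"] is not None and pkt["dport"] != ace["dport"]:
        return False
    return not ace["established"] or bool(pkt["flags"] & {"ACK", "RST"})  # ACK/RST = reply

def evaluate(acl, pkt):
    return next((ace["action"] for ace in acl if matches(ace, pkt)), "deny")  # implicit deny

def pkt(proto, src, dst, dport=None, flags=(), frag_offset=0):
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "flags": set(flags), "frag_offset": frag_offset}

# Constructed ACL modelled on the template; 203.0.113.0/24 is the site, .25 the mail gateway
INBOUND_ACL = [parse_ace(l) for l in """
deny tcp any any log fragments
deny ip 10.0.0.0 0.255.255.255 any
deny tcp any any eq telnet
permit tcp any host 203.0.113.25 eq smtp
permit tcp any 203.0.113.0 0.0.0.255 established
deny ip any any
""".splitlines() if l.strip()]
```

Feeding the evaluator a SYN to port 25 at a host other than the mail gateway, or a non-initial fragment addressed to the mail gateway, shows both being dropped while a bare ACK to a high port on the inside range is passed by the `established` entry.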

Do you have a script you like to use? If you feel like sharing, send me a copy and I may add it to this post.

In an upcoming post, I will share some other things you can do to protect your Internet routers.
