[1830] in WWW Security List Archive
Re: Cisco access control
daemon@ATHENA.MIT.EDU (Daniel W. Woycke)
Tue Apr 16 10:42:01 1996
Date: Tue, 16 Apr 1996 08:19:41 -0400
To: "Brian W. Spolarich" <briansp@ans.net>
From: woycke@mitre.org (Daniel W. Woycke)
Cc: "Deloach, Scott D. SSgt" <DeloachS@emh.aon.af.mil>,
www-security <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
At 12:48 AM 4/16/96, Brian W. Spolarich wrote:
>On Mon, 15 Apr 1996, Deloach, Scott D. SSgt wrote:
>
>> Can Anyone give me an example of what a Cisco access list would look like
>> to give incoming access to SMTP access to a single IP and HTTP access to
>> another IP and deny everything else?
>
>You'd need at least this for an inbound access list. I've found that you
>want to be careful of such a strict policy. I myself prefer the "block
>everything bad you know about and allow everything else", otherwise you
>spend lots of time figuring out why something is broken, and/or
>maintaining huge access lists and scratching your head all the time.
>
>This is also something of a philosophical discussion, though, and a
>religious debate. God grant thee wisdom, my son.
>
>Cisco access lists are evaluated in the order they appear. The first
>rule that applies to the packet is applied. This list also assumes
>you're using standard 24-bit netmasking (i.e. 255.255.255.0)
>
>! Allow ping packets
>access-list 141 permit icmp any any
>! Permit established sessions to continue
>access-list 141 permit tcp any any established
The established keyword used above has been a problem for Cisco. It is
probably difficult to get the implementation right. There was a CERT
advisory against using it because it doesn't always work. I don't know if
this is true in the latest release of IOS or not, but it is a known
problem. Usually the solution is to not use the established keyword.
> -brian
>
>--
>Brian W. Spolarich - ANS CO+RE Systems - briansp@ans.net - (313)677-7311
> We're Starfleet officers...weird is part of the job.
-----
Thank You,
Daniel W. Woycke, Senior INFOSEC Engineer (703) 883-1362
Network Security Engineering
NIDR & Firewall Applications
The MITRE Corporation
"The mixed up things are, the better the solution." -- Ms. Frizzle
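The thread above turns on two points about inbound extended access lists: IOS evaluates the list top down and the first matching line decides, and "permit tcp any any established" is a weak line to lead with. The Python below is an added example and is not code from any of the posts. It parses the subset of access-list syntax used in the thread (any / host / address-wildcard, optional "eq PORT" after either address, optional "established") and evaluates constructed packets against two constructed lists: the SMTP-to-one-host, HTTP-to-another list Scott asked for, and the same list with Brian's two leading lines in front. The addresses (192.0.2.x, 198.51.100.x) are RFC 5737 documentation ranges chosen for the example. Modelling "established" as "TCP with the ACK or RST flag set, no connection state" is this example's assumption about how the keyword behaves; the thread itself only says that it has been unreliable.

```python
# Added example, not code from the thread: a first-match evaluator for the
# subset of Cisco IOS extended access-list syntax used in the discussion.
# Addresses are RFC 5737 documentation ranges picked for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: Scott's list. The final deny is explicit; IOS implies it anyway.
STRICT_ACL = """
! SMTP only to the mail relay
access-list 141 permit tcp any host 192.0.2.25 eq 25
! HTTP only to the web server
access-list 141 permit tcp any host 192.0.2.80 eq 80
access-list 141 deny ip any any
"""

# Constructed: the same policy with Brian's two leading lines in front.
LOOSE_ACL = """
access-list 141 permit icmp any any
access-list 141 permit tcp any any established
access-list 141 permit tcp any host 192.0.2.25 eq 25
access-list 141 permit tcp any host 192.0.2.80 eq 80
access-list 141 deny ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]  # (address, wildcard mask) as 32-bit ints
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    established: bool     # assumption: matches TCP with ACK or RST set
    text: str

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text: str) -> List[Rule]:
    """access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]"""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank line or IOS comment
        tok = line.split()
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        established = i < len(tok) and tok[i] == "established"
        if i + int(established) != len(tok):
            raise ValueError(f"unsupported trailing tokens: {line}")
        rules.append(Rule(tok[2], tok[3], src, dst, sport, dport, established, line))
    return rules

def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF             # wildcard bit set = don't care
    return (_ip(ip) & care) == (addr & care)

def _match(r: Rule, p: Packet) -> bool:
    # 'established' checks only this packet's flags; the router keeps no state.
    return ((r.proto == "ip" or r.proto == p.proto)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and (r.sport is None or p.sport == r.sport)
            and (r.dport is None or p.dport == r.dport)
            and (not r.established or (p.proto == "tcp" and (p.ack or p.rst))))

def evaluate(acl_text: str, p: Packet) -> Tuple[str, str]:
    """First matching line wins; no match falls through to the implicit deny."""
    for r in parse_acl(acl_text):
        if _match(r, p):
            return r.action, r.text
    return "deny", "(implicit deny at end of list)"
```

evaluate() returns the decision and the line that produced it, so you can see why a packet passed. Against STRICT_ACL, SMTP to 192.0.2.25 and HTTP to 192.0.2.80 are permitted and everything else, ICMP included, hits the deny. Against LOOSE_ACL a crafted TCP segment with ACK set, aimed at port 23 on the web server, is permitted by the "established" line before the host-specific lines are ever consulted, because the keyword matches on flags alone; the same segment without ACK is denied. Putting the deny line first denies everything, which is the ordering point Brian makes. Only numeric ports are accepted in "eq", and wildcard masks need not be contiguous, as on IOS.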