RIP is used for routing between the two routers. Below are the commands showing the implementation, which is applied on both routers:
Border_Router(config)#router rip
Border_Router(config-router)#network 1.0.0.0
Border_Router(config-router)#network 136.201.0.0
Border_Router(config-router)#exit
Internal_Router(config)#router rip
Internal_Router(config-router)#network 1.0.0.0
Internal_Router(config-router)#network 136.201.0.0
Internal_Router(config-router)#exit
ICMP protocol policy:
ICMP messages can help attackers exploit the protocol, for example through network scans. Many network mapping tools use ICMP to trace network components (e.g. Traceroute, Cheops-ng).
The best defense is to prepare the network for such attacks by blocking the unwanted ICMP packets. Some of the defensive techniques are as below:
Disable incoming ICMP echo requests.
Drawback: users cannot ping within the network.
Disable outgoing ICMP echo-reply packets.
Disable outgoing ICMP Time Exceeded messages.
Drawback: users cannot traceroute all the way into the Internal Network.
In this assignment, I have defined the ACLs so as to block ICMP echo, echo-reply and TTL-exceeded messages on the network.
Commands used (no ACL number is given in this summary, so it is shown as <acl-number>; the numbered versions appear in the per-interface lists below):
access-list <acl-number> deny icmp any any echo
access-list <acl-number> deny icmp any any echo-reply
access-list <acl-number> deny icmp any any ttl-exceeded
access-list <acl-number> permit icmp any any
Description of the security policy implementation:
All the below ACL rules are implemented on the border router on interface FE0/0, which is connected to the Cloud (Internet). They are applied on this interface in the IN direction.
Ingress and egress filtering
This is shown by applying the ACLs to all the interfaces.
All devices from EvilGroup are denied access to any machine in the corporate network.
access-list 100 deny ip 66.60.0.0 0.0.255.255 any
Everybody else can use the FTP server 136.201.5.10 to upload/download files.
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp-data
Everybody else can access the Web server 136.201.5.20 at port 80; make sure the client cannot use any server port (1-1023).
access-list 100 permit tcp any gt 1023 host 136.201.5.20 eq www
Internal DNS server can be accessed by any machine on ports TCP/53 and UDP/53.
access-list 100 permit tcp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit udp any gt 1023 host 136.201.10.10 eq 53
Any machine can access the Mail Server via SMTP (port TCP/25).
access-list 100 permit tcp any gt 1023 host 136.201.10.20 eq 25
The Database Server is accessed by the business partner (20.0.0.0/8) for SQL queries (TCP/1433).
access-list 100 permit tcp 20.0.0.0 0.255.255.255 gt 1023 host 136.201.10.30 eq 1433
Disable incoming ICMP echo requests.
access-list 100 deny icmp any any echo
Disable outgoing ICMP echo-reply packets.
access-list 100 deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
access-list 100 deny icmp any any ttl-exceeded
All other connections should be denied!
access-list 100 deny ip any any
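As an added example (not part of the assignment's own configuration), the Python below is a small evaluator for Cisco-style numbered ACLs, run over ACL 100 as listed above with ftp, ftp-data and www written as 21, 20 and 80; the sample packets it is checked against are constructed. It shows the behaviour the policy depends on: first match wins, so the EvilGroup deny at the top overrides the later FTP permit, and a client arriving from a server port (1-1023), or an unlisted source for TCP/1433, falls through to the final deny.

```python
# Added example (not the assignment's code): minimal Cisco numbered-ACL evaluator, run over ACL 100 (FE0/0, inbound).
import ipaddress

ACL_100 = """
access-list 100 deny ip 66.60.0.0 0.0.255.255 any
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq 21
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq 20
access-list 100 permit tcp any gt 1023 host 136.201.5.20 eq 80
access-list 100 permit tcp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit udp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit tcp any gt 1023 host 136.201.10.20 eq 25
access-list 100 permit tcp 20.0.0.0 0.255.255.255 gt 1023 host 136.201.10.30 eq 1433
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply
access-list 100 deny icmp any any ttl-exceeded
access-list 100 deny ip any any
"""

def _addr(t):  # consume 'any' | 'host A' | 'A WILDCARD' -> (network, match_mask)
    tok = t.pop(0)
    if tok == "any":
        return 0, 0
    wild = 0 if tok == "host" else int(ipaddress.ip_address(t.pop(0)))
    base = int(ipaddress.ip_address(t.pop(0) if tok == "host" else tok))
    return base & ~wild & 0xFFFFFFFF, ~wild & 0xFFFFFFFF

def _port(t):  # consume optional 'eq|gt|lt N'; None means any port
    return (t.pop(0), int(t.pop(0))) if t and t[0] in ("eq", "gt", "lt") else None
def _port_ok(spec, port):
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]

def parse_acl(text):  # access-list N action proto src [op port] dst [op port] [icmp-type]
    acl = []
    for line in filter(str.strip, text.splitlines()):
        t = line.split()[2:]
        action, proto = t.pop(0), t.pop(0)
        # tuple items are evaluated left to right, consuming the tokens in order
        acl.append((action, proto, _addr(t), _port(t), _addr(t), _port(t), t[0] if t else None))
    return acl

def evaluate(acl, proto, src, dst, sport=0, dport=0, icmp_type=None):
    """'permit'/'deny' for one packet, top-down, first match wins; ICMP entries match on type, others on ports."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for action, p, (snet, smask), sp, (dnet, dmask), dp, itype in acl:
        if p not in ("ip", proto) or (s & smask) != snet or (d & dmask) != dnet:
            continue  # protocol mismatch or address outside the entry's ranges
        if (itype in (None, icmp_type)) if p == "icmp" else (_port_ok(sp, sport) and _port_ok(dp, dport)):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```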
All the below ACL rules are implemented on the border router on interface FE0/1, which is connected to the Public Network. They are applied on this interface in the IN direction.
FTP server is allowed to make connections to any machine (to facilitate FTP).
access-list 101 permit tcp host 136.201.5.10 eq ftp any gt 1023
access-list 101 permit tcp host 136.201.5.10 eq ftp-data any gt 1023
Web server can only initiate connections to the Database Server (136.201.10.30:1433).
access-list 101 permit tcp host 136.201.5.20 gt 1023 host 136.201.10.30 eq 1433
Internal DNS server can be accessed by any machine on ports TCP/53 and UDP/53.
access-list 101 permit tcp any host 136.201.10.10 eq 53
access-list 101 permit udp any host 136.201.10.10 eq 53
Any machine can access the Mail Server via SMTP (port TCP/25).
access-list 101 permit tcp any host 136.201.10.20 eq 25
Disable incoming ICMP echo requests.
access-list 101 deny icmp any any echo
Disable outgoing ICMP echo-reply packets.
access-list 101 deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
access-list 101 deny icmp any any ttl-exceeded
All other connections should be denied!
access-list 101 deny ip any any
The below ACL rules are implemented on the border router on interface FE0/1, which is connected to the Public Network. These rules are applied on this interface in the directions first OUT and then IN.
All other traffic from the web server must be return traffic to previous requests; this is achieved by using a reflexive ACL.
Reflexive ACL with the name: webreturntraffic
ip access-list extended OUTboundfilter
 permit tcp any host 136.201.5.20 eq www reflect webreturntraffic
ip access-list extended INboundfilter
 evaluate webreturntraffic
All the below ACL rules are implemented on the Internal router on interface FE0/0, which is connected to the Server Network. They are applied on this interface in the IN direction. No ACL number is given for this list, so it is shown as <acl-number>.
Internal DNS server can access any machine for DNS queries (ports TCP/53 and UDP/53).
access-list <acl-number> permit tcp host 136.201.10.10 eq 53 any
access-list <acl-number> permit udp host 136.201.10.10 eq 53 any
Mail server can access any machine via SMTP (port TCP/25).
access-list <acl-number> permit tcp host 136.201.10.20 eq 25 any
Disable incoming ICMP echo requests.
access-list <acl-number> deny icmp any any echo
Disable outgoing ICMP echo-reply packets.
access-list <acl-number> deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
access-list <acl-number> deny icmp any any ttl-exceeded
All other connections should be denied!
access-list <acl-number> deny ip any any
The below ACL rules are implemented on the Internal router on interface FE0/1, which is connected to the Workstations subnet. These rules are applied on this interface in the directions first IN and then OUT.
Reflexive ACLs are used to ensure that return traffic can reach a workstation in response to the corresponding request from that workstation.
Reflexive ACL with the name: returntraffic
The entries below are entered under the named extended ACL INboundfilter:
ip access-list extended INboundfilter
Workstations (136.201.100.0/24) can access any web server on ports TCP/80, TCP/8080 and TCP/443.
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 80 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 8080 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 443 reflect returntraffic
Workstations (136.201.100.0/24) can access the Database server for SQL queries (TCP/1433).
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.30 eq 1433 reflect returntraffic
Workstations (136.201.100.0/24) can access the Internal DNS server for DNS queries (TCP/53 and UDP/53).
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.10 eq 53 reflect returntraffic
 permit udp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.10 eq 53 reflect returntraffic
Workstations (136.201.100.0/24) can access the Mail server for IMAP.
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.20 eq 143 reflect returntraffic
Workstations (136.201.100.0/24) can access SSH servers on any machine in the business partner's network.
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 20.0.0.0 0.255.255.255 eq 22 reflect returntraffic
Disable incoming ICMP echo requests.
 deny icmp any any echo
Disable outgoing ICMP echo-reply packets.
 deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
 deny icmp any any ttl-exceeded
All other connections should be denied!
 deny ip any any
ip access-list extended OUTboundfilter
 evaluate returntraffic
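As an added example (not the assignment's own configuration), the Python model below shows what the reflexive ACL on the Internal router's FE0/1 does: the permit entries carrying reflect returntraffic record a mirrored temporary entry, and evaluate returntraffic in the OUT direction admits only packets matching a live mirror, so an unsolicited connection toward a workstation is dropped. The hosts and ports used in the checks are constructed sample values; entries expire after 300 s, the IOS default, and the protocol field is left out of the model.

```python
# Added example, not part of the original assignment: a model of the reflexive
# ACL on the Internal router's FE0/1. "reflect returntraffic" on INboundfilter
# records a mirrored temporary entry for each permitted workstation connection;
# "evaluate returntraffic" on OUTboundfilter admits only packets matching such
# an entry. Networks/ports mirror the INboundfilter permits listed above.
import ipaddress

WORKSTATIONS = ipaddress.ip_network("136.201.100.0/24")
# (destination network, destination port) pairs permitted with "reflect returntraffic"
OUTBOUND = [("0.0.0.0/0", 80), ("0.0.0.0/0", 8080), ("0.0.0.0/0", 443),
            ("136.201.10.30/32", 1433), ("136.201.10.10/32", 53),
            ("136.201.10.20/32", 143), ("20.0.0.0/8", 22)]

class ReflexiveFilter:
    def __init__(self, timeout=300):  # IOS default reflexive-list timeout is 300 s
        self.timeout = timeout
        self.returntraffic = {}  # mirrored (src, sport, dst, dport) -> expiry time

    def inbound(self, src, sport, dst, dport, now=0):
        """FE0/1 IN: a workstation opening a connection. Permit + reflect, else deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        allowed = s in WORKSTATIONS and sport > 1023 and any(
            d in ipaddress.ip_network(net) and dport == port for net, port in OUTBOUND)
        if not allowed:
            return "deny"  # falls to "deny ip any any" at the end of INboundfilter
        # the reflexive entry is the mirror image: server -> workstation, ports swapped
        self.returntraffic[(dst, dport, src, sport)] = now + self.timeout
        return "permit"

    def outbound(self, src, sport, dst, dport, now=0):
        """FE0/1 OUT: OUTboundfilter holds only "evaluate returntraffic"."""
        expiry = self.returntraffic.get((src, sport, dst, dport))
        if expiry is not None and now < expiry:
            return "permit"
        return "deny"  # no live mirrored entry: implicit deny
```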