Velocity Reviews - Computer Hardware Reviews

Ingress and Egress Filtering to Protect Against IP Spoofing

sillz
09-19-2007

Hi there,

I'm a relative Cisco newbie, and I have a new edge router in a network
with the following characteristics:

Cisco 6509 -- Flex-WAN module, 4 ports
2 ISPs
2 Multilinked T1s
BGP enabled
3 Private Network Segments

I want to enable Ingress and Egress Filtering to protect against IP
Spoofing.

Let's say these are the addresses for my multilinked T1s:

ISP1 - 55.55.55.254 255.255.255.252
ISP2 - 66.66.66.254 255.255.255.252

My Network Block looks like this:

77.77.77.0 255.255.255.0

My private segments look like this:

10.1.0.0 /16
10.2.0.0 /16
10.3.0.0 /16

I was wondering if someone could give me assistance with how to
construct my ACLs based on my network information and help me make
sure the syntax is correct.


Your help would be appreciated.

Regards,

Beth
Systems Admin

Trendkill
09-19-2007

On Sep 19, 12:09 pm, sillz wrote:
> [quoted the original post in full]

For IP spoofing, all you really need to do is put an 'in' filter for
all private IP address ranges (192.168.0.0/16, 10.0.0.0/8,
172.16.0.0/20, etc) as well as any external ranges that you do
actually own. This prevents folks out on the internet from
effectively spoofing their IP to make your router think that they are
part of your internal network (although with a good firewall, this
wouldn't be a problem). Just put it as an 'in' filter on the external
interface (towards the internet).

sillz
09-19-2007

On Sep 19, 10:02 am, Trendkill wrote:
> [quoted Trendkill's reply in full]

Thanks for your reply. Could you show me what this in filter would
look like?

I am required to do this in both directions because of an audit
finding. I must do it for compliance.

Trendkill
09-19-2007

On Sep 19, 4:51 pm, sillz wrote:
> [quoted the exchange above in full]

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip X.X.X.X X.X.X.X any
access-list 101 permit ip any any

Use the x.x.x.x one to add any public networks that you may own. If
not, just delete it before pasting in.

Trendkill
09-19-2007

On Sep 19, 4:51 pm, sillz wrote:
> [quoted the exchange above in full]

May also want to add denies for ranges for broadcast (255.0.0.0
0.255.255.255), loopbacks (127.0.0.1 255.255.255.255), default spoof
(0.0.0.0 255.255.255.255), and any other ones you can think of
(224.0.0.0 7.255.255.255). Hope this helps.

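The following is an added worked example, not code from the thread or from any of its posters. It models how IOS evaluates an extended ACL (address/wildcard matching, first match wins, implicit deny at the end) and then runs two constructed lists against sample packets: an ingress list built from the anti-spoof entries suggested above plus the loopback, "this network", multicast and class E/broadcast ranges, and the egress list the original poster still needs, which permits only the 77.77.77.0/24 block as a source toward the ISPs. The ACL numbers 101 and 102, the choice of ranges, and all source/destination pairs are assumptions. Two things it makes visible that the prose does not: the wildcard 0.15.255.255 on 172.16.0.0 covers all of the RFC 1918 172.16.0.0/12 space (0.0.15.255 would only cover a /20), and a wildcard of 255.255.255.255 means "every address", so a loopback or 0.0.0.0 entry written with that wildcard matches all packets; a single host is `host A.B.C.D` (wildcard 0.0.0.0) and the whole loopback range is 127.0.0.0 0.255.255.255.

```python
"""Model Cisco IOS extended-ACL matching to check anti-spoof ingress/egress filters.

Added example with constructed ACL text and sample packets; the ACL numbers, the
bogon ranges chosen and every address pair below are assumptions, not site data.
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """Convert an IOS address/wildcard pair into a network.

    A 1 bit in an IOS wildcard means "don't care" (the inverse of a subnet mask):
    0.255.255.255 covers a /8, 0.0.0.0 is a single host, and 255.255.255.255
    matches every address, exactly like the keyword 'any'. Only contiguous
    wildcards are accepted; an anti-spoof ACL needs nothing else.
    """
    dont_care = int(ipaddress.IPv4Address(wildcard))
    mask = ~dont_care & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Net((addr, prefixlen), strict=False)


def _parse_addr(tokens: list[str], i: int) -> tuple[IPv4Net, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse numbered ('access-list N ...') or named-ACL body lines for protocol 'ip'."""
    aces: list[Ace] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop 'access-list <number>'
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)  # trailing keywords such as 'log' are ignored
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Ingress: apply 'in' on each ISP-facing interface. Sources that can never
# legitimately arrive from the Internet are dropped: our own public block,
# RFC 1918 space, loopback, "this" network, multicast, class E and broadcast.
INGRESS_ACL = """
access-list 101 remark anti-spoof ingress (assumed numbering)
access-list 101 deny ip 77.77.77.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip 240.0.0.0 15.255.255.255 any
access-list 101 permit ip any any
"""

# Egress: apply 'out' on each ISP-facing interface, where NAT has already run,
# so only our public block may leave. Anything else is a leaked 10.x address or a spoof.
EGRESS_ACL = """
access-list 102 remark anti-spoof egress (assumed numbering)
access-list 102 permit ip 77.77.77.0 0.0.0.255 any
access-list 102 deny ip any any log
"""

if __name__ == "__main__":
    ingress, egress = parse_acl(INGRESS_ACL), parse_acl(EGRESS_ACL)
    for src, dst in [("198.51.100.7", "77.77.77.10"), ("77.77.77.10", "77.77.77.20"),
                     ("172.31.255.1", "77.77.77.10"), ("172.32.0.1", "77.77.77.10")]:
        print(f"ingress {src:>15} -> {dst:<13} {evaluate(ingress, src, dst)}")
    for src, dst in [("77.77.77.50", "198.51.100.7"), ("10.1.0.5", "198.51.100.7")]:
        print(f"egress  {src:>15} -> {dst:<13} {evaluate(egress, src, dst)}")
    print("127.0.0.1 with wildcard 255.255.255.255 matches",
          wildcard_to_network("127.0.0.1", "255.255.255.255"))
```

Apply the lists with `ip access-group 101 in` and `ip access-group 102 out` on each of the two ISP-facing interfaces (the interface names are site-specific). The egress list sits outbound on the WAN side rather than inbound on the 10.1/10.2/10.3 segments because it has to see the post-NAT source; the private ranges should never appear as sources on the wire toward either ISP. If the auditor also wants the inside segments covered, an inbound list on each segment's interface permitting only that segment's own /16 catches spoofing by inside hosts before translation. Router-originated traffic such as the BGP sessions is not subject to outbound ACLs in IOS, so the list needs no entries for the 55.55.55.254 and 66.66.66.254 link addresses. Where the platform supports it, loose-mode uRPF (`ip verify unicast source reachable-via any`) is a lower-maintenance complement to the ingress list; strict mode (`reachable-via rx`) can drop legitimate traffic on a dual-ISP BGP edge where the return path is asymmetric.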
 
Trendkill
09-19-2007

On Sep 19, 5:12 pm, Trendkill wrote:
> [quoted the exchange above in full]

Even better:

http://ciscotips.wordpress.com/2006/...ernet-routers/