Unauthorized Access
The perimeter router is the first line of defense against external threats. Features like using access lists to perform traffic filtering, covered in Appendix A, can help in the battle. In this section, you learn about the Dynamic and Reflexive access lists.
Address Filtering
RFC 2827 filtering involves filtering out inbound packets whose source addresses belong to the network segment they are entering, because hosts with those addresses should already be on that segment. If the entire 195.17.1.0 network is attached to a router interface, then no legitimate packets with source addresses in that network should be coming in through the router. This should be applied to perimeter routers for sure, but it can also be used on internal routers to prevent spoofing within the network. Similarly, limiting outbound packets leaving the network to those with source addresses assigned to that network prevents the network's hosts from spoofing other networks. Such spoofed traffic could be the result of an attacker on the inside or a DoS bot on a local host participating in an attack on an outside host. If the company can get its ISP to perform RFC 2827 filtering on packets coming into the network, it preserves the bandwidth of the link and kills some hack attempts before they reach the perimeter.
RFC 1918 filtering involves filtering out RFC-defined private addresses from entering or exiting the network segment. Because they have no business on the Internet anyway, they shouldn't be there. If private addresses are used in the network, RFC 2827 filtering will include them. The following is a standard ACL approach, although an extended or named list would also work.
interface serial 0
 ip access-group 10 in
!
! Wildcard masks are inverted subnet masks: 0 bits must match, 1 bits are ignored.
! The list ends with an implicit deny, so "permit any" is needed to pass other traffic.
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 deny 172.16.0.0 0.15.255.255
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any
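To make the matching semantics of the list above concrete, the following added example (not from the book, and not a Cisco tool) models how an IOS standard ACL evaluates source addresses with wildcard masks, first-match ordering and the implicit deny at the end. It covers both passages: the RFC 1918 entries from access-list 10 are combined with an RFC 2827 entry that denies the 195.17.1.0/24 prefix as an inbound source, and a second list shows the outbound (egress) side that only permits that prefix. The 195.17.1.0 network comes from the text; the sample packet sources, the list names and the helper functions are constructed for this example.

```python
import ipaddress

# Constructed example: an evaluator for Cisco IOS-style standard ACLs.
# Entries are (action, network, wildcard) in IOS syntax; "permit any" is
# written as network 0.0.0.0 with wildcard 255.255.255.255.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverted: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = 0xFFFFFFFF ^ w
    return (a & care_bits) == (n & care_bits)

def evaluate_acl(acl, src: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"

def render_ios(number: int, acl) -> list:
    """Render the entry list back into 'access-list <n> ...' configuration lines."""
    lines = []
    for action, network, wildcard in acl:
        if network == "0.0.0.0" and wildcard == "255.255.255.255":
            lines.append(f"access-list {number} {action} any")
        else:
            lines.append(f"access-list {number} {action} {network} {wildcard}")
    return lines

# Hypothetical perimeter router for the 195.17.1.0/24 network named in the text.
INSIDE_NET, INSIDE_WILDCARD = "195.17.1.0", "0.0.0.255"

# Inbound on the external interface: the RFC 1918 entries from the page's ACL 10,
# plus an RFC 2827 entry denying our own prefix as a source (it cannot legitimately
# arrive from outside), then the explicit permit so other traffic passes.
INBOUND_ACL = [
    ("deny", "10.0.0.0", "0.255.255.255"),
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", INSIDE_NET, INSIDE_WILDCARD),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Outbound (RFC 2827 egress): only our own addresses may leave; everything else
# falls through to the implicit deny, so no explicit deny entries are needed.
OUTBOUND_ACL = [
    ("permit", INSIDE_NET, INSIDE_WILDCARD),
]

def filter_packets(acl, sources) -> dict:
    """Return {source address: action} for a batch of packet sources."""
    return {src: evaluate_acl(acl, src) for src in sources}

if __name__ == "__main__":
    # Constructed sample sources: a private address, an address spoofing the inside
    # network, a legitimate Internet host, and a legitimate inside host leaving.
    arriving = ["192.168.1.1", "195.17.1.20", "8.8.8.8", "172.31.5.9"]
    leaving = ["195.17.1.20", "10.1.1.1"]
    print("inbound  :", filter_packets(INBOUND_ACL, arriving))
    print("outbound :", filter_packets(OUTBOUND_ACL, leaving))
    print("\n".join(render_ios(10, INBOUND_ACL)))
```

The ordering matters in the same way it does on the router: because evaluation stops at the first match, the deny entries must precede the permit, and the egress list is deliberately left with no permit any so that anything not sourced from 195.17.1.0/24 is dropped by the implicit deny.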