- Apr 15, 2005
- TCP/IP Primer: How Packet Filtering Works
- TCP and UDP Ports
- TCP's Three-way Handshake
- The Cisco Router as a Packet Filter
- An Alternative Packet Filter: IPChains
- The Cisco ACL
- Effective Uses of Packet-Filtering Devices
- Egress Filtering
- Tracking Rejected Traffic
- Problems with Packet Filters
- Dynamic Packet Filtering and the Reflexive Access List
Another use of standard access lists is for egress filters. The concept behind an egress filter is that only packets with your network's source address should be leaving your network. This seems like a forgone conclusion, but as stated in the section on ingress filters, Trojans and other nefarious programs might use a station on your network to send spoofed traffic to the rest of the world. By creating an ACL that only allows your subnet's address in from your network, you prevent this type of traffic from touching the outside world. Of course, this won't help if the program doesn't spoof the source address, but many such programs do to help slow the rate at which they can be traced. Such an access list would look like this, assuming an internal network address of 192.168.100.0:
router(config)#access-list 11 permit 192.168.1.0 0.0.0.255
Implicit deny takes care of denying all other source addresses. You could use an extended access list to tighten this down even more and limit things such as the types of traffic and destinations your stations are allowed to access. This ACL would be applied to the inside interface inbound, effectively on the outside edge of your router's network interface.
You might be wondering what the advantage is in implementing a rule such as this. "What will this do for me?" you might be asking yourself. Well, it is no different from dumping your tray at the local fast food restaurant; it's the good neighbor policy. It doesn't do anything for you directly (other than possibly prevent you from facing outside litigation), but if everyone did it, oh what a world we would live in. Imagine the effect on distributed denial of service attacks that use zombies stationed on innocent people's networks. These filters (assuming that the denial of service [DoS] zombies take advantage of some type of packet spoofing) could help cripple such zombies.
It is also possible to set up filters that prevent traffic from leaving your network from specified systems. For example, imagine that you have a top-secret file server that has no Internet access. This system should only be contacted from inside stations, and it should never contact the outside world or be contacted from the outside world. You can place an ACL on the inside router interface, inbound. It could be a part of the same access list that you used for your egress filter, but it would have to be placed above the egress filter because of the importance of rule order. If the top-secret file server's IP address was 192.168.100.7, here is how the entire egress list would look:
router(config)#access-list 11 deny 192.168.100.7 0.0.0.0 router(config)#access-list 11 permit 192.168.100.0 0.0.0.255
The given host's packets would be filtered before the rule that allows all other systems on the 192.168.100 network to enter the router. It should be noted that this will deny all outbound traffic, so no Internet security updates or downloading of the latest virus-definition file directly to this server.