- Dec 12, 2003
Mitigating Security Threats Using ACLs
Using ACLs on the perimeter routers can mitigate some common security threats. Threat mitigation starts by disabling unused services running on the router. You can also mitigate threats on the network by limiting the number of users and services on the router.
ACLs are the most effective of these measures because they act as filters between the outside world and your network. You can also use ACLs to create and enforce your corporate security policy. We now discuss how you can limit or filter access to some of the protocols.
You can use ACLs to limit Telnet access to certain devices on your network. You can apply access lists to the VTY lines with the access-class command. Here is an example:
Central(config)# access-list 100 permit tcp host 10.0.0.1 host 22.214.171.124 eq 23
Central(config)# line vty 0 4
Central(config-line)# access-class 100 in
In Figure 3.10, the administrator is configuring and applying an access list to VTY lines on a router.
Figure 3.10 Configuring and applying an access list to VTY lines on a router.
This configuration allows Telnet access to 126.96.36.199 from host 10.0.0.1 only; by default, the implicit deny statement at the end of the list blocks everything else.
Spoofing is a technique used to gain access to unauthorized networks or resources by sending a data stream to a host with an IP address that indicates that the message is coming from a trusted host.
As a golden rule, you should never allow any IP datagrams coming inbound to a protected network that contain the source address of any internal host or network. To mitigate IP spoofing on all inbound traffic, do the following:
You should deny all localhost addresses, which are the 127.0.0.0/8 class IP addresses.
You should also deny all reserved IP address spaces described in RFC 1918. This filter belongs on the interfaces connecting to the ISP's backbone, where such addresses should never appear as sources.
Also deny all multicast address ranges, 224.0.0.0/4.
Most importantly, deny any addresses that have the same source address as the protected network.
When securing routers against outbound IP spoofing, make sure you do not allow outbound IP datagrams with source addresses other than the valid and legitimate IP addresses on the protected network.
You can use IP unicast reverse-path forwarding (uRPF) to verify that a packet's source address is reachable through the interface it arrived on, and so is not spoofed. This feature is available in IOS version 12.0 and later.
DoS SYN Attack Mitigation
A denial-of-service (DoS) TCP SYN attack is a dangerous type of attack that involves sending a large number of TCP SYN datagrams from spoofed sources to internal hosts. The attacked host must commit memory and processor resources to each half-open TCP session until it is overloaded and cannot respond to legitimate requests.
This attack opens hundreds of TCP session requests, and because the source IP address is spoofed, the end device starts opening embryonic sessions to that spoofed host. Bottom line: The TCP connections get saturated on the end device and no one can access the information on that device.
To overcome this issue, you can use the TCP intercept command. The TCP intercept command examines each inbound TCP connection attempt and ensures that the external source address is not spoofed but is actually reachable.
You can use the TCP intercept feature to protect the internal network from TCP SYN attacks.
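The following IOS configuration is an added example, not from the original text, that puts the anti-spoofing rules above and the TCP intercept feature together on one perimeter router. It assumes the protected network is 203.0.113.0/24 (an RFC 5737 documentation range) and that Serial0/0 is the interface facing the ISP; both are assumptions, not values from the page.

```cisco
! Added example (not from the original text). Assumptions: the protected
! network is 203.0.113.0/24 and Serial0/0 is the interface facing the ISP.
ip cef
!
! Inbound anti-spoofing filter: drop sources that cannot legitimately
! arrive from the ISP side (loopback, RFC 1918, multicast, our own network)
access-list 101 remark --- anti-spoofing, inbound from ISP ---
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 101 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 101 permit ip any 203.0.113.0 0.0.0.255
! the implicit deny any any at the end drops everything else
!
! Outbound filter: only packets sourced from our own addresses may leave
access-list 102 permit ip 203.0.113.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
! TCP intercept: validate inbound TCP connection attempts to our hosts
! before the SYN reaches them, so spoofed half-open sessions never land
access-list 110 permit tcp any 203.0.113.0 0.0.0.255
ip tcp intercept list 110
ip tcp intercept mode intercept
!
interface Serial0/0
 description Link to ISP
 ip access-group 101 in
 ip access-group 102 out
 ! strict uRPF needs CEF (enabled above) and symmetric routing on this link
 ip verify unicast reverse-path
```

The log keyword on the deny lines makes spoofing attempts visible in the router log, which is where a practitioner would first confirm the filter is doing work.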