Internet Ingress Transit Access-List

This access-list pre-filters traffic coming inbound from the internet to eliminate traffic that we know will not need to be inspected by the firewall policy because it is either inherently malicious or unused.

Object Groups

object-group network og_PUBLIC_NETWORKS
  !-- list of public networks which we trust and have
  !-- administrative control over.
!
object-group network og_RFC1918
  10.0.0.0 255.0.0.0
  172.16.0.0 255.240.0.0
  192.168.0.0 255.255.0.0
!
object-group network og_RFC6598_CGN
  100.64.0.0 255.192.0.0
!
object-group network network og_MARTIANS
  object-group og_RFC1918
  0.0.0.0      255.0.0.0
  127.0.0.0    255.0.0.0
  169.254.0.0  255.255.0.0
  192.0.2.0    255.255.255.0
  192.88.99.0  255.255.255.0
  198.18.0.0   255.255.128.0
  198.51.100.0 255.255.0.0
  203.0.113.0  255.255.255.0
!
object-group network og_INTERNET_EBGP_PEERS
  !-- list of ebgp peers which we exchange routes with
  host x.x.x.x
!
object-group network og_NETMGMT_NETS
  !-- list of networks permitted to poll
  !-- this and other devices.
!
object-group network network og_USER_NETS
  !-- user nets which are permitted to access
  !-- network devices.
!
object-group network og_SNMP_ACCESS
  object-group og_ONEOK_PUBLIC_NETWORKS
  object-group og_NETMGMT_NETS
!
object-group network og_SSH_ACCESS
  object-group og_ONEOK_PUBLIC_NETWORKS
  object-group og_NETMGMT_NETS
  object-group og_USER_NETS
!
object-group network og_PUBLIC_DNS
  !-- list of public DNS servers which we use
  !-- as recursive DNS hosts.

! — Permitted access-list for managed access via SSH
!

ip access-list extended acl_VTY_ACCESS
  permit ip object-group og_SSH_ACCESS any ssh
!
line vty 0 15
  ip access-group acl_VTY_ACCESS
!

! — Internet Ingress Access-list
!

!
ip access-list extended acl_INTERNET_INGRESS

  remark #
  remark # --- Deny IP fragments using protocol-specific ACEs to aid 
  remark # ----in classifying attack traffic. MUST BE FIRST IN ACL!
  remark # --- (https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html)
  remark #
  deny tcp any any fragments
  deny udp any any fragments
  deny icmp any any fragments
  deny ip any any fragments
  deny ip any any option any-options

  remark #
  remark # --- Permit low TTL packets for traceroute and drop
  remark # --- all packets not capable of traversing the network
  remark # --- to their ultimate destination (past NAT).
  remark #
  permit icmp any any eq echo ttl lt 2
  remark # UNIX TRACEROUTE
  permit udp any range 33434 33466 any gt 1024 ttl lt 2
  remark # LAND ATTACK MATCHES
  deny ip any any ttl lt 5 log

  remark #
  remark # --- Permit ICMP
  remark #
  permit icmp any any eq echo
  permit icmp any any eq echo-reply
  permit icmp any any eq unreachable
  permit icmp any any eq port-unreachable
  permit icmp any any eq packet-too-big
  permit icmp any any eq ttl-exceeded
  remark # UNIX TRACEROUTE
  permit udp any range 33434 33466 any gt 1024
  permit udp any gt 1024 any range 33434 33466


  remark #
  remark # --- Deny Martian Packets
  remark # (https://en.wikipedia.org/wiki/Martian_packet)
  remark #
  deny ip object-group og_MARTIANS any
  deny ip any object-group og_MARTIANS
  remark # --- BLOCK MULTICAST CIDR AS SOURCE-IP
  deny ip 224.0.0.0    15.255.255.255 any
  remark # --- EXPERIMENTAL BLOCK (INCLUDES BROADCAST)
  deny ip 240.0.0.0    15.255.255.255 any
  deny ip any 240.0.0.0    15.255.255.255

  remark #
  remark # --- Permit required connections for routing protocols
  remark #
  permit tcp object-group og_INTERNET_EBGP_PEERS eq 179  object-group og_ROUTER_INTERFACES gt 1023
  permit tcp object-group og_INTERNET_EBGP_PEERS gt 1023 object-group og_ROUTER_INTERFACES eq 179

  remark #
  remark # --- Permit required connections for network management
  remark #
  permit tcp object-group og_NETWORK_MANAGEMENT any eq 22

  remark #
  remark # --- Permit ICMP Echo (ping) from management systems
  remark #
  permit icmp host og_NETWORK_MANAGEMENT any echo

  remark #
  remark # --- Permit Known UDP
  remark #
  remark # --- Permit DTLS
  permit udp any any eq 123
  remark #
  remark # --- Permit NTP
  permit udp any any eq 123
  remark #
  remark # --- Permit DNS
  permit udp any eq 53 any
  remark #
  remark # --- Permit STUN
  permit udp any eq 3478 any
  remark #
  remark # --- Permit SIP
  permit udp any eq 5060 any
  remark #
  remark # --- Permit IKE/NAT-T response 
  permit udp any eq 500 any eq 500
  permit udp any eq 4500 any
  permit udp any any eq 4500 
  remark #
  remark # --- Permit DHCP response 
  permit udp any eq 67 any eq 68
  remark #
  remark # --- DENY ALL UDP
  deny udp any any

  remark #
  remark # --- Permit Internet Traffic
  remark #
  permit ip any any
!

The following copps policy is a work in progress…

ip access-list extended acl_COPP_ROUTING
  remark #
  remark # --- Mark BGP Traffic.
  remark # 
  permit tcp object-group  object-group  eq 179
  permit tcp any eq bgp object-group  gt 1024 established
  ! --- IF ERRORS ON PREV LINE: permit tcp any any eq 179
!
ip access-list extended acl_COPP_MANAGEMENT
  remark #
  remark # --- Mark SSH Traffic
  remark # 
  deny tcp object-group  any eq 22
  permit tcp any any eq 22
  deny ip any any
!
ip access-list extended acl_COPP_PERMISSIVE
  remark #
  remark # --- Mark ICMP/IP Traffic for Drop
  remark # 
  permit icmp any object-group router-interfaces> echo
  permit icmp any object-group  echo-reply
  permit icmp any object-group  ttl-exceeded
  permit icmp any object-group  packet-too-big
  permit icmp any object-group  port-unreachable
  permit icmp any object-group  unreachable
  permit pim any any
  permit igmp any any
  permit gre any any

!
ip access-list extended acl_COPP_UNDERSIRABLE
  remark #
  remark # --- Mark ICMP/IP Traffic for Drop
  remark # 
  permit icmp any any fragments

  permit udp any any fragments
  permit tcp any any fragments
  permit ip any any fragments
  remark #
  remark # --- Block previously matched protocols
  remark #
  permit tcp any any eq bgp rst
  remark #
  remark # --- Known exploit blocks
  remark #
  permit udp any any eq 1434

!
ip access-list extended acl_COPP_DEFAULT
  remark #
  remark # --- Mark ICMP/IP Traffic for Drop
  remark # 
  permit tcp any any
  permit udp any any
  permit icmp any any
  permit ip any any
!
!
!
class-map match-all cmap_COPP_ROUTING 
match access-group acl_
!
! – CoPP Management class-map
!
class-map match-all cmap_COPP_MANAGEMENT
match access-group 121
!
! – CoPP Normal class-map
!
class-map match-all cmap_COPP_PERMISSIVE
match access-group 122
!
! – CoPP Undesirable class-map
!
class-map match-all cmap_COPP_UNDERIRABLE
match access-group 123
!
! – CoPP Catch-All-IP class-map
!
class-map match-all cmap_COPP_DEFAULT
match access-group 124
!





class-map match-any cmap_COPP_KNOWN_UNDESIRABLE
 match access-group name acl_COPP_KNOWN_UNDESIRABLE 
!
policy-map pmap_COPP_INPUT_POLICY
 class COPP-KNOWN-UNDESIRABLE
  drop
!
control-plane
 service-policy input pmap_COPP_INPUT_POLICY
!

Advertisements