You may have a router running a basic IOS image without the Firewall (FW) feature set, and you understand that you need a good firewall to protect your network from Internet intruders. There are three ways to tackle the problem.

1. Set up a hardware firewall (e.g. a PIX Firewall) in front of the router
2. Upgrade the router to run an IOS image with the FW feature set
3. Apply a basic firewall ACL to the router's Internet-facing interface

Option 1

Check out the following FAQ for a sample configuration with a PIX Firewall in front of a router.
»Cisco Forum FAQ »Internet - PIX/ASA - Router - LAN

This setup is the best approach to the problem. However, there are constraints that might prevent you from choosing this option, such as:

1. Cost
2. The router has an integrated modem (e.g. DSL, cable, T1, ISDN), or the router's Internet-facing (WAN) interface is not an Ethernet interface
3. You do BGP peering with another AS, which requires a router or layer-3 switch as the public edge device

When the router's WAN interface is not Ethernet, or the router does BGP peering, you still have the option of setting up a hardware firewall behind the router while the router runs a basic firewall ACL.

Check out the following FAQ for a sample configuration with a PIX Firewall behind a router.
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

When cost is the constraint, the only choice is to have the router run a basic firewall ACL.

Option 2

Upgrading the router is also a good approach. The following might prevent you from doing so:

1. You don't currently have a proper SmartNet contract, and upgrading the contract might be a hassle
2. The router might run short on memory and CPU if it already carries a heavy routing load
3. Activating any additional feature on the router (including the FW feature) consumes router resources (memory and CPU), which might degrade the router's robustness or performance
4. You don't have management control over the router, because another party (e.g. your ISP or vendor) manages it
5. You need to meet government agency regulations, and using the router as a firewall might not satisfy them

If at least one of these situations applies, your best option is to put a hardware firewall in front of or behind the router.

Option 3

This option is the most economical and can be a quick way to tackle the problem. Keep in mind that:

1. This basic firewall ACL only works in certain situations and with certain protocol usage
2. Should you choose to implement this basic firewall ACL on the router, it is suggested that you add a hardware firewall behind the router as the long-term solution

Assumptions for the sample configuration:

* Ethernet 0 is your LAN interface and Ethernet 1 is your WAN interface
* You have a single static public IP address (1.1.1.2/30)
* The Internet default gateway is 1.1.1.1/30
* Your LAN consists only of the internal network 10.0.0.0/24
* You run public web and mail servers (www and smtp) behind the public IP address 1.1.1.2
* The internal mail server address is 10.0.0.2 and the internal web server address is 10.0.0.3
* You also use 1.1.1.2 for Internet browsing traffic from your LAN
* You use your ISP's DNS servers to browse the Internet (TCP and UDP port 53)
* Your LAN users' typical daily usage is Internet browsing only (which uses only TCP); no other protocols are used
* You keep logs of potentially illegitimate traffic attempts

Following is the sample configuration
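The author's sample configuration listing does not appear in this copy of the FAQ. What follows is an added example, not the author's listing, written to the assumptions above: Ethernet0 is the LAN (the router's own LAN address 10.0.0.1 is assumed), Ethernet1 is the WAN at 1.1.1.2/30, the web and mail servers are reached through static port translations, and LAN browsing is PAT'd to 1.1.1.2. The worm/virus ports and the bogus source addresses in ACL 101 are this example's choices; the FAQ does not list them. Keep in mind what `established` actually checks: only the ACK or RST bits of the TCP header, with no connection state, so any packet carrying those bits is let in whether or not a LAN host started the session. That is the reason the FAQ recommends a real firewall behind the router as the long-term solution.

```cisco
! Added example configuration, not the FAQ author's listing. Follows the
! stated assumptions: Ethernet0 = LAN 10.0.0.0/24, Ethernet1 = WAN 1.1.1.2/30,
! public web (10.0.0.3) and mail (10.0.0.2) servers reached via 1.1.1.2.
! The worm/virus ports in ACL 101 (Windows file sharing and MS-RPC) are this
! example's choice; the FAQ does not name them.
!
interface Ethernet0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description WAN to ISP
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
 ip access-group 100 in
 ip access-group 101 out
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! PAT for LAN browsing, plus static port forwards for the public servers
ip nat inside source list 110 interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.2 25 1.1.1.2 25 extendable
ip nat inside source static tcp 10.0.0.3 80 1.1.1.2 80 extendable
!
! ACL 100: inbound on the WAN interface (Internet -> you)
! Published services on the public address
access-list 100 permit tcp any host 1.1.1.2 eq www
access-list 100 permit tcp any host 1.1.1.2 eq smtp
! Replies to LAN-initiated TCP sessions: only packets with ACK or RST set.
! TCP DNS (port 53) replies are covered by this line as well.
access-list 100 permit tcp any host 1.1.1.2 established
! UDP DNS replies from the ISP resolvers (tighten "any" to their addresses)
access-list 100 permit udp any eq domain host 1.1.1.2
! Everything else is dropped and logged
access-list 100 deny ip any any log
!
! ACL 101: outbound on the WAN interface (you -> Internet)
! Ports abused by worms (example choice): MS-RPC, NetBIOS, SMB
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq 135 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq 445 log
! Sources that have no business on the Internet: loopback, this-network,
! link-local and RFC 1918 space. The LAN is translated to 1.1.1.2 before this
! ACL is evaluated, so a private source here is a leak or a spoof.
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
! Only the public /30 may leave
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 deny ip any any log
!
! ACL 110: selects what is NAT/PAT'd. Public addresses and anything that is
! not 10.0.0.0/24 are never translated; private destinations do not exist on
! the Internet, so they are not translated either.
access-list 110 deny ip 1.1.1.0 0.0.0.3 any
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any
```

Both firewall ACLs are written in terms of the public address because of where NAT happens: an inbound packet is checked against ACL 100 before 1.1.1.2 is translated to the internal server, and an outbound packet is translated to 1.1.1.2 before ACL 101 sees it.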


Notes:

1. The sample configuration is not intended as a full router configuration. It only shows the related commands.

2. ACL 100: Inbound Traffic Firewall
* The key to the firewall ACL (ACL 100) is the "established" keyword
* Internet browsing means outbound connections initiated from your LAN to the Internet
* Most common Internet browsing (e.g. opening websites and FTP sites, some live Internet video or audio streaming) requires only the TCP protocol
* With Internet browsing, the only TCP packets that need to enter your network are the established reply packets
* These established TCP packets carry the ACK (acknowledge) flag, during the three-way handshake or in the ESTABLISHED state (the actual data transfer), or the RST (reset) flag, which closes the connection
* With the "established" keyword, only TCP packets with ACK or RST set are permitted to enter your network
* Note that there is no need to specify "access-list 100 permit tcp any eq 53 host 1.1.1.2", since "access-list 100 permit tcp any host 1.1.1.2 established" already takes care of the TCP port 53 (DNS) reply packets
* This ACL assumes that you have a static IP address assignment from your ISP (a real static address, not a static assignment via DHCP; read this FAQ for more info: »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address ). If your router must receive its IP address from the ISP's DHCP server, then you need to permit incoming bootps traffic as well. Here is what ACL 100 looks like when it also accepts the ISP's incoming DHCP (bootps) packets.


* Sometimes you need to permit some basic ICMP traffic through the router, namely Echo Reply (ICMP type 0), Unreachable (ICMP type 3), and Time Exceeded (ICMP type 11). In that case, ACL 100 should look something like this
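The two variants of ACL 100 described in this note (the DHCP-assigned WAN address and the basic ICMP allowance) are not shown in this copy of the FAQ. The following is an added example, not the author's listing, that writes out the complete ACL with both additions marked, so either can be dropped if it does not apply. It assumes the same addressing as above (1.1.1.2 on Ethernet1) and that, in the DHCP case, the ISP hands out that same address.

```cisco
! Added example, not the FAQ's listing. ACL 100 with the two optional
! additions discussed in the notes. A numbered ACL cannot be edited in
! place: remove it, re-enter it in full, then it is active again on Ethernet1.
no access-list 100
!
! --- Option: WAN address assigned by the ISP's DHCP server ---
! The DHCP reply comes from server port 67 (bootps) to client port 68
! (bootpc), possibly before the interface has an address, so the destination
! has to stay "any".
access-list 100 permit udp any eq bootps any eq bootpc
!
! --- Base rules: published services and replies to LAN-initiated TCP ---
access-list 100 permit tcp any host 1.1.1.2 eq www
access-list 100 permit tcp any host 1.1.1.2 eq smtp
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 permit udp any eq domain host 1.1.1.2
!
! --- Option: basic ICMP so that ping replies, traceroute and path-MTU
! discovery work from the LAN ---
! Echo Reply (type 0), Unreachable (type 3, includes "fragmentation needed"),
! Time Exceeded (type 11). Echo Request (type 8) is deliberately not
! permitted, so the network still does not answer pings from the Internet.
access-list 100 permit icmp any host 1.1.1.2 echo-reply
access-list 100 permit icmp any host 1.1.1.2 unreachable
access-list 100 permit icmp any host 1.1.1.2 time-exceeded
!
! Everything else is dropped and logged
access-list 100 deny ip any any log
!
interface Ethernet1
 ip access-group 100 in
```

The order matters only in that the final `deny ip any any log` must stay last; IOS appends new numbered-ACL statements at the end, which is why the whole list is re-entered rather than patched.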


3. ACL 101: Outbound Traffic Firewall
* The TCP and UDP ports listed are known to be used by viruses and worms, so outbound connections to the Internet on those ports should be blocked
* The host IP addresses listed are "invalid" addresses from an Internet browsing perspective
* Since only the 1.1.1.0/30 subnet is used as the public IP subnet, traffic from any other subnet trying to reach the Internet through the router is illegitimate and should be blocked

4. ACL 110: NAT/PAT Traffic Firewall
* NAT/PAT sourced from any IP address within your public IP subnet, or from any IP address outside your internal subnet, is illegitimate traffic of the kind used in DoS (Denial of Service) attacks and should be blocked
* There are no private subnets on the Internet, so NAT/PAT to those subnets should be blocked as well

5. Blackholing illegitimate traffic
Since there are no private subnets within your network other than 10.0.0.0/24, traffic to the other private subnets should be routed to the Null interface (black-holed).

In addition, there should be blackhole routes for unassigned or reserved IANA IP address space, since attackers frequently use these addresses. For more information on unassigned or reserved IANA addresses, check the following IANA page.

Abuse Issues and IP Addresses

As an illustration, you can verify (after researching the link) that the 23.0.0.0/8 subnet is IANA-reserved address space. Therefore there should be no traffic to or from 23.0.0.0/8. The black hole route for this should then be the following
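The route statements for this section are not shown in this copy of the FAQ. The following is an added example, not the author's listing, covering both the private-subnet black holes and the 23.0.0.0/8 illustration. Two caveats a practitioner should keep in mind: a route to Null0 only discards packets the router forwards toward these blocks, so packets arriving with such a source address still rely on the inbound ACL (or unicast RPF) to be dropped; and IANA assignments change over time, since 23.0.0.0/8 in particular has since been allocated and is in ordinary use, so a list of reserved blocks must be refreshed from IANA's current registry or it will black-hole legitimate destinations.

```cisco
! Added example, not the FAQ's listing. Static routes to Null0 discard
! traffic toward address space that should never be a destination from this
! network. The directly connected 10.0.0.0/24 is more specific than the
! 10.0.0.0/8 route below, so the LAN itself is unaffected.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! The FAQ's illustration: a block that was IANA-reserved when the FAQ was
! written. Check the current IANA registry before using it.
ip route 23.0.0.0 255.0.0.0 Null0
!
! Suppress the ICMP unreachable the router would otherwise generate for
! every discarded packet, which matters under a flood.
interface Null0
 no ip unreachables
```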

More Sample Configuration using ACL as Basic Firewall
»Cisco Forum FAQ »Configure DMZ on routers


by aryoba See Profile
last modified: 2009-01-12 16:24:02


