
Re: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]



On Apr 5, 2005, at 5:24 AM, Brian E Carpenter wrote:
I've never understood why a non-NAT domestic router can't be set up with exactly the same default behavior by having default port filtering in place (just like "personal firewall" software that most people run on their PCs). A domestic IPv6 router should indeed be shipped with port filtering on by default, imho. We can write this.

At the risk of sounding proprietary, Cisco has a rather nice capability for this. You might read
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper09186a0080094658.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094111.shtml


Simply stated, it defines an "inside" and an "outside" interface (and in that last, a DMZ). The "outside interface" is configured with an ACL of what to allow to cross, which one might expect to include a pretty limited configuration. The one for my home office allows for dynamic creation of a VPN among the home workers on my network at Cisco, which uses DMVPN and IPSEC, and also runs NTP and derives its IP address from the ISP.

	ip access-list extended fw_acl
	 remark ---- DMVPN Firewall ----
	 permit udp any any eq isakmp
	 permit udp any eq isakmp any
	 permit udp any eq non500-isakmp any
	 permit esp any any
	 permit gre any any
	 permit udp host 192.5.41.40 eq ntp any
	 permit udp host 192.5.41.41 eq ntp any
	 permit ip 10.34.250.96 0.0.0.31 10.32.244.216 0.0.0.7
	 permit tcp 128.107.0.0 0.0.255.255 any eq 22
	 permit tcp 128.107.0.0 0.0.255.255 any eq telnet
	 permit udp any any eq bootpc
	 deny   icmp any any packet-too-big
	 permit icmp any any
	 deny   ip any any

On my home router (Cisco information security guidelines require a home office to be on a separate network from the home) I use a much simpler one:

	access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
	access-list 105 deny   icmp any any packet-too-big
	access-list 105 permit icmp any any
	access-list 105 permit udp any any eq bootpc
	access-list 105 permit udp any any eq bootps

If this were sitting in front of a SOHO, one could readily imagine also application-specific holes for incoming traffic.

	access-list 105 permit tcp any host www.example.com  eq http
	access-list 105 permit tcp any host smtp.example.com eq smtp
	access-list 105 permit tcp any host ftp.example.com  eq ftp

Now, in addition to packets permitted by the ACL, the "inside" interface notes new packets sent out and adds their response to a dynamic ACL added to that "outside" ACL, which permits devices beyond the firewall to respond to sessions initiated from behind the firewall.
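A toy model of that inside/outside behaviour, added here as an example; it is not code from the mail or from Cisco IOS, and the addresses and ports are constructed. It shows an outbound session opening a dynamic entry for its reply, an unsolicited inbound packet hitting the implicit deny, and a static hole (bootpc) still being honoured:

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Flow key as seen on the outside interface: (proto, src, sport, dst, dport).
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Static outside ACL plus a dynamic ACL populated from outbound sessions."""

    def __init__(self, static_permits: Set[Tuple[str, int]]):
        # Static "outside" ACL, reduced to (proto, dport) pairs permitted inbound
        # unconditionally (stands in for 'permit udp any any eq bootpc').
        self.static_permits = static_permits
        # Dynamic ACL: expected return flows. A real box also times these out.
        self.dynamic: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> None:
        # The inside interface notes the new session and permits its reply,
        # i.e. the same five-tuple with source and destination swapped.
        self.dynamic.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dynamic:
            return True  # response to a session initiated from inside
        if (pkt.proto, pkt.dport) in self.static_permits:
            return True  # application-specific hole in the outside ACL
        return False  # implicit 'deny ip any any'


def demo() -> Dict[str, bool]:
    fw = StatefulFirewall({("udp", 68)})  # bootpc, as in access-list 105
    fw.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80))
    return {
        "reply": fw.inbound(Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000)),
        "unsolicited": fw.inbound(Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40001)),
        "dhcp_offer": fw.inbound(Packet("udp", "203.0.113.1", 67, "192.168.1.10", 68)),
    }
```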

This is a very simple port-specific firewall that requires a minimum of management - I configured it once and basically forgot it - that provides most of what one would want at layer 3 in a SOHO solution. I would suggest that this is a pretty strong basis for the solution you suggest.