Re: draft-ietf-v6ops-nap-00.txt & NAT security [2.2]
On Apr 5, 2005, at 5:24 AM, Brian E Carpenter wrote:
I've never understood why a non-NAT domestic router can't be set up
with exactly the same default behavior by having default port
filtering in place (just like "personal firewall" software that most
people run on their PCs). A domestic IPv6 router should indeed be
shipped with port filtering on by default, imho. We can write this.
At the risk of sounding proprietary, Cisco has a rather nice capability
for this. You might read
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper09186a0080094658.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094111.shtml
Simply stated, it defines an "inside" and an "outside" interface (and
in that last, a DMZ). The "outside interface" is configured with an ACL
of what to allow to cross, which one might expect to include a pretty
limited configuration. The one for my home office allows for dynamic
creation of a VPN among the home workers on my network at Cisco, which
uses DMVPN and IPSEC, and also runs NTP and derives its IP address from
the ISP.
ip access-list extended fw_acl
remark ---- DMVPN Firewall ----
permit udp any any eq isakmp
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit udp host 192.5.41.40 eq ntp any
permit udp host 192.5.41.41 eq ntp any
permit ip 10.34.250.96 0.0.0.31 10.32.244.216 0.0.0.7
permit tcp 128.107.0.0 0.0.255.255 any eq 22
permit tcp 128.107.0.0 0.0.255.255 any eq telnet
permit udp any any eq bootpc
deny icmp any any packet-too-big
permit icmp any any
deny ip any any
On my home router (Cisco information security guidelines
require a home office to be on a separate network from the home) I use
a much simpler one:
access-list 105 deny ip 192.168.1.0 0.0.0.255 any
access-list 105 deny icmp any any packet-too-big
access-list 105 permit icmp any any
access-list 105 permit udp any any eq bootpc
access-list 105 permit udp any any eq bootps
If this were sitting in front of a SOHO, one could readily imagine also
application-specific holes for incoming traffic.
access-list 105 permit tcp any host www.example.com eq http
access-list 105 permit tcp any host smtp.example.com eq smtp
access-list 105 permit tcp any host ftp.example.com eq ftp
Now, in addition to packets permitted by the ACL, the "inside"
interface notes new packets sent out and adds their response to a
dynamic ACL added to that "outside" ACL, which permits devices beyond
the firewall to respond to sessions initiated from behind the firewall.
This is a very simple port-specific firewall that requires a minimum of
management - I configured it once and basically forgot it - that
provides most of what one would want at layer 3 in a SOHO solution. I
would suggest that this is a pretty strong basis for the solution you
suggest.
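To make the session-tracking behaviour described above concrete, the following is an added Python model (not the author's configuration and not Cisco code) of a static "outside" ACL patterned on access-list 105 plus the dynamic reverse entries that outbound sessions create. The inside prefix 192.168.1.0/24, the 5-tuple representation of a session and the documentation-range sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: str = ""

# Static "outside" ACL modelled on access-list 105 in the post (assumed inside prefix 192.168.1.0/24).
# Rules are evaluated top-down, first match wins, and the implicit trailing rule is deny.
STATIC_OUTSIDE_ACL = [
    ("deny",   lambda p: p.src.startswith("192.168.1.")),                       # anti-spoofing
    ("deny",   lambda p: p.proto == "icmp" and p.icmp_type == "packet-too-big"),
    ("permit", lambda p: p.proto == "icmp"),
    ("permit", lambda p: p.proto == "udp" and p.dport in (68, 67)),              # bootpc, bootps
]

@dataclass
class StatefulFirewall:
    static_rules: list
    dynamic: set = field(default_factory=set)   # reverse 5-tuples opened by outbound sessions

    def outbound(self, p: Pkt) -> None:
        """The 'inside' interface sees a new outbound TCP/UDP packet and permits its reverse flow."""
        if p.proto in ("tcp", "udp"):
            self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Pkt) -> bool:
        """Packet arriving on the 'outside' interface: dynamic entries first, then the static ACL."""
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.dynamic:
            return True
        for action, match in self.static_rules:
            if match(p):
                return action == "permit"
        return False   # implicit "deny ip any any"

def demo() -> dict:
    """Constructed traffic (documentation-range addresses) exercising each decision path."""
    fw = StatefulFirewall(STATIC_OUTSIDE_ACL)
    fw.outbound(Pkt("tcp", "192.168.1.10", 51000, "198.51.100.5", 80))       # inside host opens HTTP
    return {
        "http_reply":      fw.inbound(Pkt("tcp", "198.51.100.5", 80, "192.168.1.10", 51000)),
        "other_session":   fw.inbound(Pkt("tcp", "198.51.100.5", 80, "192.168.1.10", 51001)),
        "unsolicited_ssh": fw.inbound(Pkt("tcp", "203.0.113.9", 40000, "192.168.1.10", 22)),
        "spoofed_inside":  fw.inbound(Pkt("udp", "192.168.1.7", 53, "192.168.1.10", 53)),
        "dhcp_offer":      fw.inbound(Pkt("udp", "203.0.113.1", 67, "255.255.255.255", 68)),
        "icmp_ptb":        fw.inbound(Pkt("icmp", "203.0.113.1", 0, "192.168.1.10", 0, "packet-too-big")),
        "icmp_echo":       fw.inbound(Pkt("icmp", "203.0.113.1", 0, "192.168.1.10", 0, "echo")),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16} {'permit' if allowed else 'deny'}")
```

Real reflexive entries also age out after an idle timeout, which this model omits.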