Cisco: more security for your network with ACLs for bogons and blackholes

Wednesday, 6 December 2006
Author: Matteo Rinaudo
Thirty-four years old, Senior Systems Integration Consultant at a well-known IT company in New York, NY, USA.
Filed under: Cisco, Docs, Italiano
| 0 comments

In this document you will find the Access Control Lists I developed to prevent attacks based on forged source IP addresses (IP spoofing) aimed at the external interface of your router (for example Dialer0). You will also find static routes that send the networks reserved by IANA to the "bit bucket", i.e. discard them on the logical interface Null0.

Extracts from my configuration (IOS 12.3):
!Logical interface that will hold the "black hole" routes
interface Null0
no ip unreachables

!Applied to the external interface, e.g. Dia0
interface Dialer0
ip access-group 150 in
ip access-group 151 out

!
ip route 1.0.0.0 255.0.0.0 Null0
ip route 2.0.0.0 255.0.0.0 Null0
ip route 5.0.0.0 255.0.0.0 Null0
ip route 7.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 23.0.0.0 255.0.0.0 Null0
ip route 27.0.0.0 255.0.0.0 Null0
ip route 31.0.0.0 255.0.0.0 Null0
ip route 36.0.0.0 255.0.0.0 Null0
ip route 37.0.0.0 255.0.0.0 Null0
ip route 39.0.0.0 255.0.0.0 Null0
ip route 42.0.0.0 255.0.0.0 Null0
ip route 49.0.0.0 255.0.0.0 Null0
ip route 50.0.0.0 255.0.0.0 Null0
ip route 77.0.0.0 255.0.0.0 Null0
ip route 78.0.0.0 255.0.0.0 Null0
ip route 79.0.0.0 255.0.0.0 Null0
ip route 92.0.0.0 255.0.0.0 Null0
ip route 93.0.0.0 255.0.0.0 Null0
ip route 94.0.0.0 255.0.0.0 Null0
ip route 95.0.0.0 255.0.0.0 Null0
ip route 96.0.0.0 255.0.0.0 Null0
ip route 97.0.0.0 255.0.0.0 Null0
ip route 98.0.0.0 255.0.0.0 Null0
ip route 99.0.0.0 255.0.0.0 Null0
ip route 100.0.0.0 255.0.0.0 Null0
ip route 101.0.0.0 255.0.0.0 Null0
ip route 102.0.0.0 255.0.0.0 Null0
ip route 103.0.0.0 255.0.0.0 Null0
ip route 104.0.0.0 255.0.0.0 Null0
ip route 105.0.0.0 255.0.0.0 Null0
ip route 106.0.0.0 255.0.0.0 Null0
ip route 107.0.0.0 255.0.0.0 Null0
ip route 108.0.0.0 255.0.0.0 Null0
ip route 109.0.0.0 255.0.0.0 Null0
ip route 110.0.0.0 255.0.0.0 Null0
ip route 111.0.0.0 255.0.0.0 Null0
ip route 112.0.0.0 255.0.0.0 Null0
ip route 113.0.0.0 255.0.0.0 Null0
ip route 114.0.0.0 255.0.0.0 Null0
ip route 115.0.0.0 255.0.0.0 Null0
ip route 116.0.0.0 255.0.0.0 Null0
ip route 117.0.0.0 255.0.0.0 Null0
ip route 118.0.0.0 255.0.0.0 Null0
ip route 119.0.0.0 255.0.0.0 Null0
ip route 120.0.0.0 255.0.0.0 Null0
ip route 121.0.0.0 255.0.0.0 Null0
ip route 122.0.0.0 255.0.0.0 Null0
ip route 123.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 173.0.0.0 255.0.0.0 Null0
ip route 174.0.0.0 255.0.0.0 Null0
ip route 175.0.0.0 255.0.0.0 Null0
ip route 176.0.0.0 255.0.0.0 Null0
ip route 177.0.0.0 255.0.0.0 Null0
ip route 178.0.0.0 255.0.0.0 Null0
ip route 179.0.0.0 255.0.0.0 Null0
ip route 180.0.0.0 255.0.0.0 Null0
ip route 181.0.0.0 255.0.0.0 Null0
ip route 182.0.0.0 255.0.0.0 Null0
ip route 183.0.0.0 255.0.0.0 Null0
ip route 184.0.0.0 255.0.0.0 Null0
ip route 185.0.0.0 255.0.0.0 Null0
ip route 186.0.0.0 255.0.0.0 Null0
ip route 187.0.0.0 255.0.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 197.0.0.0 255.0.0.0 Null0
ip route 223.0.0.0 255.0.0.0 Null0

!ACLs
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 2.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 5.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 7.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 23.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 27.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 31.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 36.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 37.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 39.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 42.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 49.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 50.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 77.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 78.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 79.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 92.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 93.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 94.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 95.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 96.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 97.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 98.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 99.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 100.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 101.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 102.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 103.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 104.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 105.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 106.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 107.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 108.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 109.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 110.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 111.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 112.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 113.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 114.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 115.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 116.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 117.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 118.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 119.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 120.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 121.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 122.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 123.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 150 deny ip 173.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 174.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 175.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 176.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 177.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 178.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 179.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 180.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 181.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 182.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 183.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 184.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 185.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 186.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 187.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 150 deny ip 197.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 223.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 150 deny icmp any any log-input fragments
access-list 150 permit ip any 224.0.0.0 15.255.255.255
!Protocol 41 (IPv6-in-IPv4 tunnels) for forwarding
access-list 150 permit 41 any any
!Traffic allowed to internal servers, e.g.: access-list 150 permit tcp any any range 6881 6889 for BitTorrent
!Obviously the machines that use BitTorrent must have static NAT, but that is off-topic here
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 deny icmp any any redirect
access-list 150 deny icmp any any mask-request
access-list 150 permit icmp any any
access-list 150 permit tcp any any gt 1023 established
access-list 150 permit udp any any gt 1023
access-list 150 permit tcp any eq ftp-data any gt 1023
access-list 150 deny ip any any log
access-list 151 permit ip any any
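
As an added check that is not part of Matteo's configuration: the Python script below parses the `ip route ... Null0` and `access-list ... deny ip` lines above, converts Cisco wildcard masks to prefixes, flags entries that are no longer bogons (every unallocated /8 in this 2006 list has since been assigned by IANA to the regional registries; the IANA free /8 pool was exhausted in February 2011) and lists denies and Null0 routes that do not pair up. The embedded sample configuration is a constructed excerpt of the post's listing, and the still-reserved table is my own, taken from the RFCs named in its comment.

```python
import ipaddress
import re

# Constructed excerpt of the post's configuration; the full listing parses
# the same way. "!" comment lines and other statements are ignored.
SAMPLE_CONFIG = """
ip route 1.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 150 deny ip any any log
"""

# Still-reserved source blocks (RFC 1122/1918/3927/5737/6598/6890 + 224/3).
STILL_RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3")]

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) Null0$")
ACL_RE = re.compile(r"^access-list \d+ deny ip (\S+) (\S+) any\b")

def wildcard_to_network(addr, wildcard):
    # Cisco wildcard: 0 bits must match, so the netmask is its complement.
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))),
                                strict=False)

def parse_config(text):
    # Returns (Null0 routes, ACL source denies) as sets of ip_network.
    routes, denies = set(), set()
    for line in (l.strip() for l in text.splitlines()):
        if m := ROUTE_RE.match(line):
            routes.add(ipaddress.ip_network((m[1], m[2]), strict=False))
        elif m := ACL_RE.match(line):
            denies.add(wildcard_to_network(m[1], m[2]))
    return routes, denies

def audit(text):
    # Stale = not inside any reserved block (allocated since 2006); the two
    # mismatch lists show denies and Null0 routes that do not pair up.
    routes, denies = parse_config(text)
    still_bogon = lambda n: any(n.subnet_of(r) for r in STILL_RESERVED)
    return {
        "stale": sorted(str(n) for n in routes | denies if not still_bogon(n)),
        "deny_without_route": sorted(str(n) for n in denies - routes),
        "route_without_deny": sorted(str(n) for n in routes - denies),
    }
```

Run on the full listing, everything except 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 and 224/3 comes back as stale; 0.0.0.0/8 and 224.0.0.0/3 land in deny_without_route because the post has no Null0 route for them, which is a review item rather than an error.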

I hope you find it useful.

Matteo Rinaudo (netsurgeon)
