Security Basics mailing list archives

RE: Cisco ACL Question


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 11 Jun 2003 08:54:14 -0700

  You need something like this for traceroute, but you can restrict 
it to roughly the range 33000-35000.  (My experience is that >90%
of LAN users don't know how to interpret traceroute results, so
allowing the whole internal range this access may not be useful.)

  You only need something like this for DNS if you permit (Windows?) 
clients to call on external DNS servers directly.  Because this opens 
such a large hole, my preference is to replace "any" with the IP 
addresses of my local DNS servers -- and since recursive requests 
usually use 53 for both the source and destination port numbers, to 
cut it down to just that port.  The piece of DNS traffic that may 
need ephemeral ports is restricted to my LAN and need not pass the
perimeter.

  I know of no use of UDP by FTP.

  I avoid talking TFTP to or from "any".  If you absolutely need to 
talk it to a few devices outside your perimeter, they should be explicitly
listed.

David Gillett
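
The tightened list David sketches above, written out as an added Cisco IOS example; this is not configuration from the original thread. The addresses and interface are placeholders: 198.51.100.0/24 stands in for the X.X.X.0/24 LAN, 198.51.100.10 and .11 for the local DNS servers, 198.51.100.20 and 203.0.113.69 for the one TFTP client/server pair, and Serial0/0 for the outside interface.

```cisco
! Added example, not from the original post.  Placeholder addresses:
!   198.51.100.0/24  the LAN (X.X.X.0 0.0.0.255 in the question)
!   198.51.100.10/11 the local DNS servers
!   198.51.100.20    a LAN host allowed to fetch from one outside TFTP server
!   203.0.113.69     that outside TFTP server
!
! Before: any UDP from anywhere to any LAN host's ephemeral port.
!   access-list 100 permit udp any 198.51.100.0 0.0.0.255 gt 1023
!
! After: one narrow entry per UDP use named in the thread.  Rebuilding a
! numbered ACL means re-entering it; the list's TCP entries are omitted
! here and would have to be re-entered as well.
no access-list 100

! DNS: only the local resolvers talk to outside servers, and the thread
! assumes port 53 on both ends of a recursive query.  A resolver that picks
! a random source port for its queries would need "gt 1023" on the
! destination side of these two lines instead of "eq 53".
access-list 100 permit udp any eq 53 host 198.51.100.10 eq 53
access-list 100 permit udp any eq 53 host 198.51.100.11 eq 53

! traceroute: UDP probes aimed at the LAN start at 33434, so the thread's
! rough 33000-35000 window covers them.  LAN-originated traceroutes get
! their answers as ICMP, which needs its own entries.
access-list 100 permit udp any 198.51.100.0 0.0.0.255 range 33000 35000
access-list 100 permit icmp any 198.51.100.0 0.0.0.255 time-exceeded
access-list 100 permit icmp any 198.51.100.0 0.0.0.255 port-unreachable

! FTP: no UDP entry at all; FTP is TCP only.

! TFTP: one explicitly listed outside server.  The client sends to port 69,
! but the server answers from a fresh ephemeral port, so the reply path is
! ephemeral-to-ephemeral between exactly these two hosts.
access-list 100 permit udp host 203.0.113.69 gt 1023 host 198.51.100.20 gt 1023

! Log whatever else still arrives before it hits the implicit deny, which
! shows what quietly depended on the old broad entry.
access-list 100 deny udp any any log

interface Serial0/0
 ip access-group 100 in
```

Every extended ACL ends with an implicit "deny any", so once the broad entry is gone, any UDP reply traffic not listed above is dropped; the logging deny at the end is there to surface that before the change is made permanent rather than after users report breakage.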


-----Original Message-----
From: noconflic [mailto:nocon () texas-shooters com]
Sent: June 10, 2003 15:49
To: security-basics () securityfocus com
Subject: Cisco ACL Question


Hello, 

   I have a question about the following inbound Cisco ACL entry...

      access-list 100 permit udp any X.X.X.0 0.0.0.255 gt 1023

From what I understand so far, this entry is required for normal
outbound ftp, tftp, dns, and traceroute traffic.  It has been suggested that
one should specifically add deny rules for common UDP ports above that range.
My question, I am looking for suggestions to make that more restrictive?
What problems would there be with other hosts on the LAN if the entry was
removed?

Thanks, 

-CH 

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

