| peterd 2003-09-09, 6:36 am |
| Hi Guys,
There's an ongoing thread in the General Discussion area titled 'Been Hacked', and I've posted a longer explanation of my problem/query there.
Basically, it looked like we were being used to relay email, so I upgraded the ACL on the mail router.
Checking the ACL, I noticed that instruction lines were being added, and a short time later deleted, from the top of the incoming access list.
So was this part of a hack operation, or could these extra lines have been added by the 'established' keyword?
There's nothing much on the Cisco site. Since I took 'established' off the ACL the problem has stopped, although it could be that I've blocked whatever it was that was coming in and doing it...
Regards
Peter | |
| sukuvi 2003-09-09, 9:43 pm |
| I think this thread about the ACL should have been posted here in the first place, as it has to do with how it is working. How are we going to talk about the technical aspect of an ACL in General Discussion? As it is already there but you still need some help with it, is it too late to move the thread here? Just my opinion, Peterd, so don't take it personally. | |
| darthfeces 2003-09-09, 10:50 pm |
| No offense, but it looks like you've got a really bad security policy in place.
Access lists won't save the world if you're hacked and the policy is Swiss cheese.
Really strong security in one place is defeated by little or none in another place.
Mail relaying (or running an open relay) has more to do with the SMTP server you're running and how it's configured than with putting in band-aids.
'established' checks to see if the ACK bit is set on incoming packets, meaning they are part of an established TCP session.
This ensures that the inside can originate sessions to the outside and have traffic return, and outside people can't originate sessions to your services.
FYI, I allow connections from anywhere to tcp/25 and don't get relayed.
That said, there is still some risk in connecting any computer to the internet.
Here are some relevant links:
http://www.faqs.org/rfcs/rfc2196.html
http://www.sans.org/top20/#index
http://www.cymru.com/Documents/secure-ios-template.html
http://www.faqs.org/rfcs/rfc2827.html
http://www.faqs.org/rfcs/rfc3013.html | |
| peterd 2003-09-10, 3:46 am |
| Hi,
Unfortunately, access lists are all I've got and all I'll ever have here.
We only had two connections to the outside world, the mail routers at our two biggest sites. Now we have three, as the boss has split the web access from the mail router here. Hardly Swiss cheese...
If it's a server problem then that's great news, as it's someone else's problem (I don't touch PCs or servers!).
I've stopped the problem now; it was clear all day yesterday, but I'd still like to know how the access list contents were changing.
Is it possible to do this from online, etc.? How did the hacker (or whatever it was) add and remove lines from the top of the access list without destroying the whole list?
Regards
Peter | |
| darthfeces 2003-09-10, 9:23 am |
| If your perimeter is not secured, it's bad policy. I've seen this a thousand times. Unfortunately, convincing the execs that they're wrong or have no idea what they're talking about in the realm of security is the hardest part.
We brought in our first firewall and called it a router to get it in the door, and magically the hacks stopped.
Security has as much to do with the design of your perimeter as it does with the actual config of the devices.
Have a look at the Cisco SAFE SMR white paper and compare what you've got to what's there.
The router access is only possible if he's got your passwords... or via an SNMP attack if you allow RW SNMP.
Change all your router passwords and SNMP community strings ASAP.
Better yet, restrict them with an access-list.
Can you introduce your bosses to a PIX 515 or 520 so you can have DMZs, or to an IOS firewall router?
http://www.cisco.com/safe | |
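The management-plane hardening darthfeces recommends (new passwords, new community strings, and an access-list in front of both), written out as an added IOS configuration example. This is not from the thread or from any of the posters' routers; the 10.10.0.x management hosts, the list number, the user name and the community string are placeholders chosen for the example, and the secrets shown must be replaced before use.

```cisco
! Added example: restrict who can reach the router's management plane.
! All addresses, names and secrets below are placeholders (assumptions).

! Standard list 10: the only hosts that may manage or poll the router
! (assumed management station and monitoring host)
access-list 10 permit host 10.10.0.5
access-list 10 permit host 10.10.0.6
access-list 10 deny   any log

! SNMP: remove any default/read-write community, keep a read-only one,
! and tie it to list 10 so only those hosts can use it
no snmp-server community public
no snmp-server community private
snmp-server community REPLACE-WITH-NEW-RO-STRING RO 10

! Credentials: hashed enable secret and a local user instead of line passwords
enable secret REPLACE-WITH-NEW-ENABLE-SECRET
username netadmin secret REPLACE-WITH-NEW-USER-SECRET
service password-encryption

! vty lines: only list 10 may connect, local login, and SSH only
! (transport input ssh needs a crypto-capable IOS image and
!  'crypto key generate rsa' to have been run first; otherwise use telnet
!  and accept that the session is cleartext)
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
line con 0
 login local
 exec-timeout 5 0
```

After applying this, `show access-lists 10` will show a match counter on the `deny any log` line whenever a host outside the management set tries to connect or poll, which is a quick way to tell whether anyone else has been knocking on the router.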
| SureshHomepage 2003-09-13, 4:40 am |
| Hi,
Sorry for being a late entrant on this thread.
I do not see it as the hand of a hacker... well, it could be... but it smells like a new technical feature!
On the "sh access-list" output, you would see ACL entries inserted and deleted dynamically. The 'established' keyword doesn't put additional ACL entries in dynamically, though it does allow the return traffic in response to outgoing traffic it allowed a while ago.
If it's configured with a reflexive access-list or CBAC, these dynamic inclusions and deletions are nothing unusual.
What is CBAC? Context-based Access-Control List. It is packed with the firewall feature set IOS; it does the same job as the ASA algorithm on a PIX firewall. It dynamically adds an entry to the ACL to allow the incoming TCP/UDP packets, as a means of allowing the 'response traffic' in.
With the ASA algorithm on the PIX you get some more features added, like generation of random sequence numbers on the outgoing TCP packets, etc.
Now, on your router configuration, can you check if you've got a command like "ip inspect name xxx"? If you find one then your router has got CBAC enabled. | |
| peterd 2003-09-15, 3:37 am |
| Hello,
Yes, it does have 'ip inspect name' set. These are the only two routers on the network set up this way, and they were done by someone else some years ago.
The problem was cured early last week when I tweaked up the access lists to stop the dodgy mail coming in... this was just a carry-over from that.
I couldn't understand why the access list was changing...
Thanks
Peter | |
| darthfeces 2003-09-15, 9:08 am |
| Oh... good catch, Suresh.
He never said CBAC or IOS firewall, just access-list.
Looks like their answer to security was CBAC... then someone forgot about it. |