CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.5  Security Baselines            9  3.5.2  Network Hardening                 9  3.5.2.2  Configuration

3.5.2.2.1  Enabling and Disabling Services and Protocols 1 3.5.3  Application Hardening

Access control lists (ACLs), sometimes called filters, are used to determine which traffic is permitted to pass through a network interface, in which direction, between which addresses. Routers typically manage access control via a text file of access control rules; OSes and home networking devices including this functionality generally wrap access control lists in a GUI for ease of use. The network device examines the information in each packet, comparing it to the ACLs, and either lets the packet through or stops it depending on the ACL instructions.

Typical attributes that may be examined by rules in access control lists include a packet’s:

• Source IP address.
  
  
• Destination IP address.
  
  
• Source port number.
  
  
• Destination port number.
  
  
• IP protocol number (this is not the same thing as the application port number).

Direction of travel (incoming to or outgoing from the interface)

The above is just a sample list of common parameters that can be included in an access control list – the features supported by your equipment may vary (unlike Internet protocols, access lists are not standardized, since they are not required to be “interoperable” between different vendors’ devices).

Typically an overall default policy is set on each device, specifying whether inbound traffic will be permitted by default, or denied by default. A similar default policy is set for outbound traffic. Often it is appropriate to “deny all” inbound traffic by default and “permit all” outbound traffic by default, but that depends on your organization.

You should set up access control lists to enforce your security policies, such as those which specify which Internet services are, and are not, made available from your network to the Internet. As pointed out in section 3.5.2.2, two “no-brainer” access control list rules to implement are:

• Do not allow into your network, any traffic from the outside whose Source IP address is set to an address inside your network (it’s a red flag that the incoming traffic was spoofed – to keep the attacker out, don’t let the traffic in).
  
  
• Do not allow out of your network, any traffic from the inside whose Source IP address is set to an address outside your network (another red flag that the traffic is spoofed – although this time, you’ve got more problems, because the spoofer is somewhere on your network, at least you’re not aiding and abetting him in attacking someone on another network).

If you want more information on how to work with Cisco IOS access lists, check out the Cisco Access Lists Field Guide by Held and Hundley³⁶⁰, which shows how to work with access lists, use content-based access control to dynamically open ports for applications requiring multiple connections, set up NAT, configure IPSec on Cisco routers, etc.

3.5.2.2.1  Enabling and Disabling Services and Protocols 1 3.5.3  Application Hardening