
372    Chapter 6 • Infrastructure Security: Devices and Media


                 access-list <list_number> <permit/deny> <source_address> <mask>
                     For example, to create an “anti-spoof” set of rules (as discussed in
                this section), the following rules can be used:
                 access-list 1 deny 207.46.230.0 0.0.0.255
                 access-list 2 permit 207.46.230.0 0.0.0.255

                     The first rule is applied to the wide area network (WAN) interface to
                deny all traffic coming into that interface from an IP address belonging
                to the internal network. The second rule is then applied to the internal
                interface to allow all traffic coming into that interface from the internal
                network addresses to pass through.


                 Most current routers offer security capabilities along with their routing
             functionality. Segmenting a network using routers limits the amount of data flowing
             between segments. Typically, this applies to broadcast traffic. Not propagating
             broadcast traffic between segments limits the amount of data that can be obtained
             from them using a sniffer. The less information made available to a potential
             attacker the better.
                 Routers also allow technicians to explicitly deny some packets the ability to be
             forwarded between segments. For example, using just the internal security features
             of some routers can prevent users on the internal network from using Telnet to
             access external systems. Telnet is always a security risk, as the passwords and all
             communications are transmitted in cleartext. Because of this, it is best not to create
             Telnet sessions between the internal network and an external network. Without a
             firewall, a rule can be put in place within the router to drop packets attempting to
             connect to port 23 on any external system. All of this is done by properly
             configuring the ACLs for the router. An example rule for Cisco routers is as follows:
             access-list 101 deny tcp any any eq 23
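As an added illustration that is not from the book, the following Python script models how a Cisco router evaluates the two standard anti-spoof lists shown at the top of this page and the extended Telnet rule just above: entries are tried in order and the first match wins, a standard list compares only the source address under a wildcard mask (0 bits must match, 1 bits are ignored), and every list ends in an implicit deny. That last point is the check a practitioner wants: applied exactly as printed, list 1 would drop all legitimate Internet traffic as well as the spoofed packets, so the script appends a `permit any` line (and `permit ip any any` to list 101). Those trailing permit lines, the sample packets, and the 198.51.100.0/24 "Internet" addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str                   # source IP as written in the header (may be spoofed)
    dst: str
    proto: str = "ip"          # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    src: str                   # "ADDRESS WILDCARD" or "any"
    dst: str = "any"           # standard lists never look at the destination
    proto: str = "ip"
    eq: Optional[int] = None   # destination port from "eq PORT", if any


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask semantics: a 0 bit in the mask means 'must match',
    a 1 bit means 'don't care'; 'any' matches every address."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Read one address operand of an extended entry: any | host A | A WILDCARD."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]} 0.0.0.0", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse(line: str) -> Entry:
    """Parse the two IOS forms used on this page:
       access-list N permit|deny SRC [WILDCARD]           (standard, 1-99)
       access-list N permit|deny PROTO SRC DST [eq PORT]  (extended, 100-199)"""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tok[1]), tok[2]
    if number < 100:
        if tok[3] == "any":
            return Entry(action, "any")
        wild = tok[4] if len(tok) > 4 else "0.0.0.0"   # bare address means a single host
        return Entry(action, f"{tok[3]} {wild}")
    proto = tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    eq = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Entry(action, src, dst, proto, eq)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, e.src) and wildcard_match(pkt.dst, e.dst)):
            continue
        if e.eq is not None and pkt.dport != e.eq:
            continue
        return e.action
    return "deny"   # implicit deny at the end of every Cisco ACL


# The page's rules, each followed by the permit line the page leaves out (assumed here).
WAN_IN = [parse("access-list 1 deny 207.46.230.0 0.0.0.255"),    # internal source arriving from outside: spoofed
          parse("access-list 1 permit any")]                      # assumed: let genuine Internet traffic in
LAN_IN = [parse("access-list 2 permit 207.46.230.0 0.0.0.255")]  # everything else falls to the implicit deny
NO_TELNET = [parse("access-list 101 deny tcp any any eq 23"),
             parse("access-list 101 permit ip any any")]          # assumed: allow all other traffic


def demo() -> dict:
    """Constructed sample packets; 198.51.100.0/24 (documentation space) stands in for the Internet."""
    return {
        "wan_spoofed":   evaluate(WAN_IN, Packet("207.46.230.5", "207.46.230.10")),
        "wan_legit":     evaluate(WAN_IN, Packet("198.51.100.7", "207.46.230.10")),
        "wan_no_permit": evaluate(WAN_IN[:1], Packet("198.51.100.7", "207.46.230.10")),  # list 1 as printed
        "lan_own_addr":  evaluate(LAN_IN, Packet("207.46.230.5", "198.51.100.7")),
        "lan_foreign":   evaluate(LAN_IN, Packet("10.0.0.5", "198.51.100.7")),
        "telnet_out":    evaluate(NO_TELNET, Packet("207.46.230.5", "198.51.100.7", "tcp", 23)),
        "https_out":     evaluate(NO_TELNET, Packet("207.46.230.5", "198.51.100.7", "tcp", 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The `wan_no_permit` case is the one to note: list 1 with only its deny entry returns `deny` for a perfectly legitimate outside packet, because nothing permitted it before the implicit deny. The model also shows that `eq 23` on a `tcp` entry does not touch UDP port 23, and that list 2 on the internal interface needs no explicit deny at all, since any foreign source address simply fails to match its single permit entry.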

                 Another useful security feature of routers is their ability to block spoofed
             packets. Spoofed packets are packets that contain an IP address in the header that is
             not the actual IP address of the originating computer. This technique is often used
             by hackers to fool systems into thinking that the packet came from an authorized
             system, when it actually originated at the hacker’s system. Routers combat this by
             giving technicians the ability to drop packets coming through an interface from the
             wrong subnet. For example, if a packet comes in from the router’s external
             interface using an IP address from the network on the router’s internal interface, the
             router can be instructed to drop the packet and not forward it. It should be noted



          www.syngress.com