Cisco Tips & Tricks

June 4, 2006

Anti-spoofing rules for Internet routers

Filed under: Access-lists, Router, security, Technology and Software — ciscotips @ 12:41 am

In my experience, Internet-facing services should terminate on dedicated Internet routers, separate from the intranet routers that carry internal company traffic. There are exceptions, but carrying Internet and intranet traffic through a single router is poor design. Assuming a dedicated Internet router, here are some anti-spoofing tips.

1) Always create an access-list that denies, on the Internet side, any packet whose source address falls in your company's private (RFC 1918) ranges or in the loopback range. These addresses are never legitimately routed on the Internet, so a packet arriving with one is spoofed or misrouted. Get the wildcard masks right: a wildcard is the inverse of a subnet mask (a 1 bit means "don't care"), so 172.16.0.0/12 needs 0.15.255.255 to cover 172.16 through 172.31, 127.0.0.0/8 needs 0.255.255.255, and a wildcard of 255.255.255.255 would match every address and deny all traffic:

Example
ip access-list extended antispoofing
deny ip 10.0.0.0 0.255.255.255 any
! 172.16.0.0/12 spans 172.16.0.0 to 172.31.255.255, so the wildcard is 0.15.255.255
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
! 127.0.0.0/8: wildcard 0.255.255.255, not 255.255.255.255 (that would match everything)
deny ip 127.0.0.0 0.255.255.255 any

2) Add an anti-spoofing rule for the public IP block associated with this Internet connection. Legitimate traffic from your own block leaves through this interface; it never arrives on it, so any inbound packet claiming one of your addresses as its source is spoofed. Adjust the wildcard to the size of your block (0.0.0.255 is a /24):

Example:-
Continuing with anti-spoofing access-list, add following
deny ip x.x.x.x 0.0.0.255 any

3) Deny all traffic addressed to the router's own external (serial) interface address. Hosts on the Internet have no reason to talk to the router itself. If you peer with your upstream over this link (BGP, for example) or rely on ping for troubleshooting, permit that specific traffic before this entry: the list is evaluated top down and the first match wins.

Example:-
Continuing with anti-spoofing access-list, add following
deny ip any host x.x.x.x

4) Deny ICMP echo requests, and don't forget the permit ip any any statement at the end of the anti-spoofing access-list. Every IOS access-list ends in an implicit deny, so without the final permit the router would drop all inbound Internet traffic. Note that this entry blocks only echo requests; echo replies, unreachables and TTL-exceeded messages still pass, which you want for path MTU discovery and traceroute. Adding the log keyword to the deny entries makes matches show up in the router log.

Example:-
Continuing with anti-spoofing access-list, add following
deny icmp any any echo
permit ip any any

5) Apply the anti-spoofing access-list inbound on the public interface (where your Internet connection terminates):

Example:-

interface Serial0
ip access-group antispoofing in
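To make steps 1 to 5 concrete, and to catch the kind of wildcard-mask slip that is easy to make by hand, here is an added Python example (not code from the original post or from Cisco) that generates the access-list from CIDR prefixes, so the wildcards are computed rather than typed, and then evaluates constructed sample packets against it with IOS first-match semantics. The public block 198.51.100.0/24 and the outside address 203.0.113.1 are assumed placeholders for the post's x.x.x.x; the sample packets are constructed here.

```python
"""Build and sanity-check the anti-spoofing ACL from steps 1-5.

Added example for this post, not code from the original article or from
Cisco. The post's x.x.x.x placeholders are filled with documentation
addresses (assumptions): 198.51.100.0/24 as the public block and
203.0.113.1 as the router's outside address. The sample packets at the
bottom are constructed here to exercise the list.
"""
import ipaddress
from typing import List, Optional, Tuple

# Step 1: source ranges that must never arrive from the Internet. Written as
# CIDR so the wildcard is computed, not typed: 172.16.0.0/12 is 172.16-172.31
# (wildcard 0.15.255.255) and 127.0.0.0/8 is 0.255.255.255, not 255.255.255.255
# (that wildcard means every bit is don't-care and would deny all traffic).
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
OUR_PUBLIC_BLOCK = "198.51.100.0/24"  # assumed; stands in for the post's x.x.x.x/24 (step 2)
ROUTER_OUTSIDE_IP = "203.0.113.1"     # assumed; the serial interface address (step 3)


def wildcard(prefix: str) -> str:
    """Render a CIDR prefix as IOS 'network wildcard' (wildcard = inverted netmask)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address} {net.hostmask}"


def build_acl(name: str = "antispoofing") -> List[str]:
    """Return the named extended ACL from steps 1-4, in first-match order."""
    lines = [f"ip access-list extended {name}"]
    for prefix in BOGON_SOURCES + [OUR_PUBLIC_BLOCK]:          # steps 1 and 2
        lines.append(f" deny ip {wildcard(prefix)} any log")
    lines.append(f" deny ip any host {ROUTER_OUTSIDE_IP} log")  # step 3
    lines.append(" deny icmp any any echo")                      # step 4
    lines.append(" permit ip any any")  # step 4: without this the implicit deny drops everything
    return lines


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    wc = int(ipaddress.ip_address(tokens[i + 1]))
    if wc & (wc + 1):  # don't-care bits must form a contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported")
    return ipaddress.ip_network(f"{tok}/{32 - wc.bit_length()}", strict=False), i + 2


def evaluate(acl: List[str], src: str, dst: str, proto: str = "ip",
             icmp_type: Optional[str] = None) -> str:
    """Return the action of the first entry matching the packet (IOS first-match);
    'deny' if nothing matches, mirroring the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl[1:]:  # acl[0] is the 'ip access-list' header
        tokens = line.split()
        if tokens[-1] == "log":
            tokens = tokens[:-1]
        action, entry_proto = tokens[0], tokens[1]
        src_net, i = _parse_addr(tokens, 2)
        dst_net, i = _parse_addr(tokens, i)
        entry_icmp = tokens[i] if i < len(tokens) else None
        if entry_proto != "ip" and entry_proto != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if entry_icmp is not None and entry_icmp != icmp_type:
            continue
        return action
    return "deny"


# Constructed sample packets (src, dst, proto, icmp type, expected action) as
# they would arrive inbound on Serial0.
SAMPLES = [
    ("172.20.0.1", "198.51.100.10", "ip", None, "deny"),          # RFC 1918 source inside the /12
    ("198.51.100.5", "8.8.8.8", "ip", None, "deny"),              # our own block as a source
    ("8.8.8.8", "203.0.113.1", "ip", None, "deny"),               # aimed at the router itself
    ("8.8.8.8", "198.51.100.10", "icmp", "echo", "deny"),         # ping from outside
    ("8.8.8.8", "198.51.100.10", "icmp", "echo-reply", "permit"),  # replies to our own pings
    ("8.8.8.8", "198.51.100.10", "ip", None, "permit"),           # ordinary Internet traffic
]


def check_samples(acl: List[str]) -> bool:
    """True when every constructed sample gets its expected action."""
    return all(evaluate(acl, s, d, p, t) == want for s, d, p, t, want in SAMPLES)


if __name__ == "__main__":
    acl = build_acl()
    print("\n".join(acl))
    print("samples ok:", check_samples(acl))
```

Running it prints the list ready to paste into the router and confirms the samples. The useful check is the mask: feeding evaluate() a list that uses 0.0.255.255 for 172.16.0.0 lets 172.20.0.1 through to the final permit, which is exactly the mistake a generated wildcard avoids. The log keyword is appended to the deny entries so that matches reach the logging buffer configured in the next section.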

After applying the anti-spoofing rules, make sure logging is enabled (deny entries carrying the log keyword write to this buffer) and disable unnecessary services as follows:

logging buffered informational
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
! service password-encryption only obscures passwords with the reversible
! type 7 scheme; use enable secret for the enable password
service password-encryption
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no cdp run
no ip source-route
no ip finger
ip subnet-zero
no ip http server
!
! ip unreachables is an interface command, not a global one, so it goes
! under the public interface
interface Serial0
no ip unreachables

Secure SNMP and telnet access with access-lists: allow vty (telnet) and SNMP access only from one or two trusted management hosts, using access-class on the vty lines and an access-list on the snmp-server community. Where the IOS image supports it, prefer SSH over telnet, since telnet sends the login credentials in the clear.

3 Comments »

  1. deny ip 127.0.0.0 255.255.255.255 any should be deny ip 127.0.0.0 0.255.255.255 any

    Comment by LOLek — November 19, 2009 @ 12:36 pm

  2. deny ip 172.16.0.0 0.0.255.255 any should be deny ip 172.16.0.0 0.15.255.255 any

    There are additional reserved networks listed in RFC 5735 (which deprecated RFC 3330):

    http://tools.ietf.org/html/rfc5735

    Comment by mlan — April 16, 2013 @ 11:10 pm

  3. Excellent article! We are linking to this particularly great post on our site.
    Keep up the great writing.

    Comment by ip address — October 28, 2013 @ 2:28 am

