CCNA Security – Chapter 4 (ACLs Mitigating Attacks)

ACLs can be used as an antispoofing mechanism. Spoofing protection involves discarding traffic that has an invalid source address. As a rule, administrators should not allow any IP packets containing the source address of any internal hosts or networks inbound to a private network.
!
!
255.255.255.255/32
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
!
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any
!
access-list 114 permit icmp any any echo
access-list 114 permit icmp any any parameter-problem
access-list 114 permit icmp any any packet-too-big
access-list 114 permit icmp any any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any
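To make the antispoofing rule and the ICMP policies above concrete, here is an added example (not part of the chapter or any Cisco tool) that models the filtering decision in Python: it classifies an inbound source address against the chapter's bogon list, parses ACLs 112 and 114 as written above with first-match semantics and the implicit deny, and applies both checks to a packet. The inside network prefix 203.0.113.0/24 is a constructed assumption.

```python
import ipaddress

# Source prefixes the chapter says must never arrive inbound from the outside.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "255.255.255.255/32", "127.0.0.0/8", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Inbound (112) and outbound (114) ICMP policies exactly as written on the page.
ICMP_POLICY = """
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any
access-list 114 permit icmp any any echo
access-list 114 permit icmp any any parameter-problem
access-list 114 permit icmp any any packet-too-big
access-list 114 permit icmp any any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any
"""

def is_spoofed_source(src, inside_prefix):
    """True if an inbound packet claims a bogon source or our own inside network."""
    addr = ipaddress.ip_address(src)
    return addr in ipaddress.ip_network(inside_prefix) or any(addr in n for n in BOGON_SOURCES)

def parse_acls(text):
    """Group 'access-list N action proto any any [icmp-type]' lines by ACL number N."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue  # blank lines and '!' separators carry no ACE
        icmp_type = parts[6] if len(parts) > 6 else None
        acls.setdefault(parts[1], []).append((parts[2], parts[3], icmp_type))
    return acls

def evaluate(aces, proto, icmp_type=None):
    """First matching ACE wins; falling off the end hits Cisco's implicit deny."""
    for action, ace_proto, ace_type in aces:
        if ace_proto in ("ip", proto) and ace_type in (None, icmp_type):
            return action
    return "deny"

def filter_inbound(src, proto, icmp_type=None, inside_prefix="203.0.113.0/24"):
    """Antispoofing first, then ACL 112; the inside prefix is a constructed example."""
    if is_spoofed_source(src, inside_prefix):
        return "deny (spoofed source)"
    return evaluate(parse_acls(ICMP_POLICY)["112"], proto, icmp_type)
```

Note that an inbound echo request is denied by ACL 112 while an echo-reply is permitted, which is the asymmetry that lets inside hosts ping out without the outside pinging in.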
!
no snmp-server
!
Many network administrators are unaware that IPv6 is enabled by default on most operating systems.
Dual-stacked hosts can configure themselves automatically and may be subject to rogue router advertisements (RAs).
Attackers can exploit the routing header (RH) to pivot through multiple hops.
Attackers can exploit automatic tunnels to pivot unnoticed by firewalls and IPS.
!
ipv6 traffic-filter
!
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
!
object-group service eng_srv_group
icmp echo
tcp smtp
tcp telnet
tcp source range 1 65535 telnet
udp domain
tcp-udp range 2000 2005
group-object sjc_eng_svcs
exit
!
ip access-list extended acl_policy
permit object-group eng_srv_group object-group eng_network_group any
deny tcp any any
exit
!
