So we've concluded looking at the simple example. Now let's have a look at the complex example. This one is probably more complicated than any campus needs to use and is probably more typically used in an enterprise network. The filter here has included many vulnerabilities from this century, including some which have long been solved, and it also doesn't allow any user to set up a public service on internal infrastructure outside of the demilitarized zone (DMZ). It includes all the features of the previous simple example, and I'll say this is actually quite a restrictive example, contrary to all the advice we've been giving throughout this series that campus networks are open networks, but we included it to show you some of the detailed filter configuration possibilities.

So the slide shows the first page of the complex border filter. I'm not going to go through it in detail, but you'll see elements from the simple filter and then lots of examples of some of the well-known ports that need to be blocked because of historical abuse. If we jump forward to the third slide you will see some specific entries to allow IPsec VPNs. We're going to allow all of ICMP; of course we want to allow the unprivileged UDP ports. We're going to allow access for the DNS resolvers. We're going to allow Network Time Protocol, and then specific access to various servers and services running on campus. Note we also have a line that allows access to the campus jump host for admin access for the network administration. There should be nothing else, so the final line, deny ip any any, will block all other incoming traffic. If you're curious to see what's being blocked you can put on a log as an option there, and then the router logs will be filled with all the other traffic that gets blocked. This is applied on the external interface facing the upstream provider, your NREN, and it applies to incoming traffic. There's a similar outbound filter we've called campus out which has similar elements.
As with the inbound filter, we're going to allow our NTP. We're going to disallow various UDP and TCP ports, the equivalent of what we saw in the incoming filter, and then the second slide shows some of the particular host access which is allowed out to the internet. Note again in the last few lines that we only allow traffic coming from our own address space out. We don't do any any. We're not going to allow any source; we're only going to allow traffic from our own address space outbound. Note also that we have included a line which allows point-to-point traffic between us and our upstream NREN. The final line is deny ip any any. We again could add the optional log in there so that we can see any other traffic that might be denied. This could be useful for finding out if there's anything strange going on, or any malicious traffic within our own network coming from our users.

So in conclusion, the previous two examples are just that: examples. Please do not cut and paste these into your network. They're provided here to give you inspiration to design your own filters for your campus border router. The simple example should be enough; modify it to suit your own needs. The complex example is actually very restrictive. It's much more enterprise than campus in style. Consider the two that we have provided and come up with border router filters that suit your own needs.
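Since the slides themselves are not reproduced here, the following is an added example, not NSRC's or the presenter's own configuration: a small Python evaluator that applies Cisco-style extended ACL entries in first-match order to constructed packets. The two ACLs embedded in it are constructed stand-ins for the inbound and outbound filters described above, using RFC 5737 documentation addresses (192.0.2.0/24 as the assumed campus space, 203.0.113.0/30 as the assumed NREN link, 198.51.100.10 as an assumed admin address), and the blocked-port list is a short illustration (TCP 135-139 and 445), not the full list from the slides. It shows why the order of entries matters, how the final `deny ip any any log` catches everything else and flags it for the log, and how the outbound filter drops packets whose source is outside our own address space.

```python
"""Added example (not NSRC's code): first-match evaluation of Cisco-style extended ACLs.
Assumed layout, all RFC 5737 documentation space: 192.0.2.0/24 is the campus and
203.0.113.0/30 is the point-to-point link to the upstream NREN."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# proto is "tcp", "udp", "icmp", "esp", ...; dport is the destination port, if any
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_op: Optional[str]      # "eq", "gt" or "range" on the destination port
    ports: Tuple[int, ...]
    log: bool

def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))
    return ipaddress.ip_network((tok, mask), strict=False)

def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny PROTO SRC DST [eq|gt N | range A B] [log]' lines; '!' starts a comment."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        action, proto, rest = t[0], t[1], t[2:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port_op, ports = None, ()
        if rest and rest[0] in ("eq", "gt", "range"):
            port_op = rest.pop(0)
            ports = tuple(int(rest.pop(0)) for _ in range(2 if port_op == "range" else 1))
        entries.append(Entry(action, proto, src, dst, port_op, ports, rest[:1] == ["log"]))
    return entries

def _port_ok(e: Entry, dport: Optional[int]) -> bool:
    if e.port_op is None or dport is None:
        return e.port_op is None
    lo = e.ports[0]
    return {"eq": dport == lo, "gt": dport > lo, "range": lo <= dport <= e.ports[-1]}[e.port_op]

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, bool]:
    """(action, logged) from the first matching entry; Cisco's implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in acl:
        if e.proto in ("ip", pkt.proto) and s in e.src and d in e.dst and _port_ok(e, pkt.dport):
            return e.action, e.log
    return "deny", False

# Constructed inbound filter for the interface facing the NREN: historically abused ports
# first, then ICMP, the resolver, IPsec to the VPN gateway, unprivileged UDP, the jump
# host from one assumed admin address, and a logging catch-all.
CAMPUS_IN = parse_acl("""
deny tcp any any range 135 139
deny tcp any any eq 445
permit icmp any any
permit udp any host 192.0.2.53 eq 53
permit udp any host 192.0.2.1 eq 500
permit esp any host 192.0.2.1
permit udp any 192.0.2.0 0.0.0.255 gt 1023
permit tcp host 198.51.100.10 host 192.0.2.22 eq 22
deny ip any any log
""")

# Constructed outbound filter: no 'permit ip any any'; only our own space and the link itself leave.
CAMPUS_OUT = parse_acl("""
deny tcp 192.0.2.0 0.0.0.255 any range 135 139
deny tcp 192.0.2.0 0.0.0.255 any eq 445
permit ip host 203.0.113.2 host 203.0.113.1
permit ip 192.0.2.0 0.0.0.255 any
deny ip any any log
""")

def demo() -> List[Tuple[str, str, bool]]:
    """Constructed packets -> (label, action, logged)."""
    cases = [
        ("in: SMB to a campus host", CAMPUS_IN, Packet("tcp", "198.51.100.77", "192.0.2.40", 445)),
        ("in: reply to a campus client", CAMPUS_IN, Packet("udp", "198.51.100.5", "192.0.2.40", 40000)),
        ("in: RDP to a campus host", CAMPUS_IN, Packet("tcp", "198.51.100.77", "192.0.2.40", 3389)),
        ("out: leaked RFC 1918 source", CAMPUS_OUT, Packet("tcp", "10.0.0.5", "198.51.100.1", 443)),
        ("out: campus client to the web", CAMPUS_OUT, Packet("tcp", "192.0.2.40", "198.51.100.1", 443)),
        ("out: ping across the NREN link", CAMPUS_OUT, Packet("icmp", "203.0.113.2", "203.0.113.1")),
    ]
    return [(label, *evaluate(acl, pkt)) for label, acl, pkt in cases]
```

Calling `demo()` returns one tuple per constructed packet. The two results that come back as `("deny", True)` are exactly the traffic the optional `log` keyword would surface in the router logs: an unsolicited inbound connection to an internal host, and an outbound packet whose source address is not ours. The parser covers only the subset of IOS syntax these two filters use (destination-port operators and contiguous wildcard masks); a real filter would also carry the NTP and per-server entries from the slides.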
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.