Let's look now at this simple example. This is a simple border router filter which blocks traffic sourced from private address space, protects the management VLANs of the campus and blocks access to services only used on campus. In the examples we'll use 100.64.0 22 for the campus network devices. We'll use 188.8.131.52 for the science demarcation zone and we'll use 184.108.40.206 for the campus services like the web server, the mail server and so on. The slide shows a simple border router filter. We've called it campus in and it applies to incoming traffic on the border router. The first three lines will block private address space so any packets coming from private address space will be not permitted to access the campus. We're also going to block any packets that are using our IP address coming from outside our campus. We shouldn't be seeing any of these but in case we do we will throw these away as they could cause issues within the campus infrastructure. We're not going to allow any telnet in. One of the most common attempts for breaking into networks is looking for open telnet ports so we'll just block down that completely. We'll also block the Netbios ports TCP and UDP we'll block TFTP because TFTP is only used entirely for management within our own campus infrastructure. We should not be seeing any of this from the outside. We also should block SNMP from the outside and SNMP traps be nothing more amusing than somebody from the outside sending piles of SNMP traps to the monitoring system and completely overloading that so we block all SNMP coming from the outside. We block syslog from the outside for the same reason. We block printer protocol coming from the outside for the same reason as well. You've probably read stories of people doing amusing things like causing businesses printer to spew out hundreds of blank pages just because they've been able to access it using the printer protocol. We're going to allow all of ICMP and allowing all of ICMP is part of allowing all of IP anyway but we've included that line to give us some idea of the level of ICMP traffic compared with everything else. It's just for our information. It doesn't cause any extra load on the router To match this we need an outbound filter. This outbound filter we've called the campus out applies to outbound traffic on the outbound interface. We're not going to allow telnet outbound. You may have staff or students come along and say oh but i need to telnet into somewhere. For that we need to explain what the risks of using talnet are: passwords are sent in the clear and all traffic is sent in the clear as well, in fact, the only devices really using telnet now are ones that have been compromised and they're trying to look for other devices to get talent access to. Likewise with incoming we're going to block Netbios outbound. We're going to block TFTP, SNMP, syslog and we're also only going to allow SMPT from the campus. SMTP really and i've given that the address 100.64.0 if anybody else from any other address space in campus tries to send email using port 25 they will be blocked and we'll get a match on the filter here. We could add the log option then we can see which users or which ip addresses are trying to send email using port 25. As we mentioned in the campus best practices presentation most users running their own personal email will be using port 465 or 587 for sending email to the public free email services. We want to allow all of ICMP out from our network not just our address space node. Also I have included a line which allows point-to-point traffic between us and our upstream NREN. So the final line deny ip any will block all other incoming traffic. If you're curious to see what's being blocked you can put on a log as an option there and then the router logs will be filled with all the other traffic that gets blocked.
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.