#!/usr/local/bin/perl -- -*-Perl-*-
#
# $Id$
# $Source$
# Paul Traina (February 1994)
#
# Generate cisco extended security access lists (102 = outbound from CIO,
# 103 = inbound to CIO).
#
# This is a special version of netsec which resides on the gateway
# between CIO and the rest of cisco.
#
require 'netsec-data.pl';

# The CIO host itself.  Every CIO-specific rule below keys on this list,
# either as the source (list 102) or the destination (list 103).
@cio = ("cio-sys");

########################################################################
#####
#####	OUTBOUND CONTROL (this controls CIO's access to cisco and
#####			  the rest of the world)
#####
########################################################################

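# Emit the configuration preamble, then open extended access list 102
# (the outbound list).  Both subs live in netsec-data.pl.
# header_prelude is called with explicit parens: a bare `&header_prelude;`
# would hand the sub whatever happens to be in the caller's @_ instead of
# an empty argument list.
&header_prelude();
&start_list(102);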

########################################################################
#####
#####	TCP Access controls
#####
########################################################################

#
# Return traffic first: "established" lets packets that belong to a
# connection CIO originated straight through, so most traffic never walks
# the rest of the list.
# NOTE(review): on IOS "established" is a match on the ACK or RST flag, not
# on connection state, so a crafted ACK-only packet to any port also passes
# this line.  The later port denies only catch connection attempts (SYNs).
#
&entry("permit", "tcp", "established", @anyone, "*", @anyone);

#
# Outbound mail from CIO goes only to a fixed set of relays, which are then
# responsible for getting it to the outside world.  Nothing later in this
# list permits smtp, so mail to any other destination is refused.
#
@smtp_servers = (
	"fred",
	"barney",
	"baby-bop"
);
&entry("permit", "tcp", "smtp", @cio, "*", @smtp_servers);

#
# Block X11 and OpenWindows.  These sit above 1023 and must therefore come
# before the "gt 1023" permits at the bottom of the list, which would
# otherwise admit them.  Only these six port specs are denied here; any
# other high port is governed solely by the "gt 1023" rules below.
#
foreach $highport ("x11", "x11:1", "x11:2", "openwin", "openwin:1", "openwin:2") {
	&entry("deny", "tcp", $highport, @anyone, "*", @anyone);
}

#
# FTP: CIO may reach the public ftp server and anything outside cisco, but
# no other internal host.  Control and data channels get the same
# three-rule pattern, in the same order: specific permit, internal deny,
# general permit.
#
@ftp_servers = (
	"ftp"
);
foreach $ftpport ("ftp-cmd", "ftp-data") {
	&entry("permit", "tcp", $ftpport, @cio, "*", @ftp_servers);
	&entry("deny",   "tcp", $ftpport, @cio, "*", @cisco_networks);
	&entry("permit", "tcp", $ftpport, @cio, "*", @anyone);
}

#
# CIO acts as an FTP server, so it must be able to open active-mode data
# connections back to client ports above 1023.  To keep CIO from using
# that to reach arbitrary high ports on internal hosts, inside cisco we
# always talk to CIO (and to the outside) with passive ftp -- except for
# stupid.cisco.com, a machine too dumb to run pftp, which is therefore
# reachable from CIO on any port > 1023 and exposed to attacks on them.
# (stupid.cisco.com is only an example; it doesn't really exist.)
#
@ftp_clients = (
	"stupid",
);
&entry("permit", "tcp", "gt 1023", @cio, "*", @ftp_clients);
&entry("deny",   "tcp", "gt 1023", @cio, "*", @cisco_networks);
&entry("permit", "tcp", "gt 1023", @cio, "*", @anyone);

########################################################################
#####
#####	UDP Access controls
#####
########################################################################

#
# DNS and NTP requests and replies, from anywhere to anywhere.  This is a
# known security hole (and believe me it is): we accept time-based attacks
# and DNS snooping here because the corporate border firewall filters DNS
# and NTP fairly strictly.
#
foreach $udpsvc ("dns", "ntp") {
	&entry("permit", "udp", $udpsvc, @anyone, "*", @anyone);
}

#
# All ICMP, both directions.  Yes, that leaves us open to denial of
# service, but ICMP is just too useful -- and it can be turned off if
# someone gets nasty.
# NOTE(review): the empty type field presumably means "every ICMP type",
# redirects included; confirm against entry() in netsec-data.pl.
#
&entry("permit", "icmp", "", @anyone, "*", @anyone);

########################################################################
#####
#####	INBOUND CONTROL (this controls access from the world into CIO)
#####
########################################################################

# Open extended access list 103: traffic from the world into CIO.
&start_list(103);

########################################################################
#####
#####	TCP Access controls
#####
########################################################################

#
# Return traffic first, exactly as in list 102, so that replies to
# connections CIO originated do not have to walk the rest of the list.
# NOTE(review): "established" keys on the ACK/RST flags rather than on
# connection state, so this line also admits unsolicited ACK-flagged
# packets to any port on CIO.
#
&entry("permit", "tcp", "established", @anyone, "*", @anyone);

#
# Block X11 and OpenWindows into CIO.  They must precede the "gt 1023"
# permit at the end of the TCP rules, which would otherwise admit them.
# Only these six port specs are blocked; every other port above 1023
# reaches CIO through that last rule.
#
foreach $highport ("x11", "x11:1", "x11:2", "openwin", "openwin:1", "openwin:2") {
	&entry("deny", "tcp", $highport, @anyone, "*", @anyone);
}

#
# Telnet into CIO from anywhere.
# NOTE(review): telnet is cleartext and this rule does not restrict the
# source at all.
#
&entry("permit", "tcp", "telnet", @anyone, "*", @cio);

#
# Only the cisco mail relays (@smtp_servers, set up in list 102) may
# deliver to CIO, to keep arbitrary hosts away from CIO's sendmail.
#
&entry("permit", "tcp", "smtp", @smtp_servers, "*", @cio);

#
# Anyone may FTP into CIO, control and data channels alike.
#
foreach $ftpport ("ftp-cmd", "ftp-data") {
	&entry("permit", "tcp", $ftpport, @anyone, "*", @cio);
}

#
# MAJOR security hole, open on purpose: when CIO fetches files from the
# rest of the world in active mode the remote server opens the data
# connection back to a client-chosen random port > 1023 on CIO, so all of
# those ports must be reachable from anywhere.  Using the pftp client on
# CIO would close this, but not every FTP server out there understands
# the PASV command.
#
&entry("permit", "tcp", "gt 1023", @anyone, "*", @cio);


########################################################################
#####
#####	UDP Access controls
#####
########################################################################

#
# DNS and NTP requests and replies, from anywhere to anywhere.  A known
# security hole (and believe me it is); we put up with time-based attacks
# and DNS snooping.
#
foreach $udpsvc ("dns", "ntp") {
	&entry("permit", "udp", $udpsvc, @anyone, "*", @anyone);
}

#
# All ICMP into CIO, as in list 102.
# NOTE(review): the empty type field presumably means "every ICMP type",
# redirects included; confirm against entry() in netsec-data.pl.
#
&entry("permit", "icmp", "", @anyone, "*", @anyone);

# Final line of the generated output (presumably the IOS config terminator).
# Nothing after this is printed; both lists end with their implicit default.
print "end\n";

# -------------------------------------------------------------------------
# $Log$
# -------------------------------------------------------------------------
