Wednesday, April 15, 2009

Ingress & Egress filtering

I was just chatting with a coworker about Ingress and Egress filtering and figured it would be a good topic for my first network security related posting. Ingress and Egress filtering is the process of filtering large classes of traffic that can be defined as invalid or inappropriate for a specific part of your network. This filtering takes place at the entry and exit points of your network. Today one of the most common locations for this type of filtering is the Internet border router. In this posting I will give examples specifically for an Internet border router, but you should be able to extrapolate this to any border router, keeping in mind that some of the traffic denied would need to change.

So that being said, what traffic can be classified as being invalid or inappropriate when sourcing from the Internet?
  • You should never see your external IP address range as a source address. This would indicate a spoofed public address.
  • The loopback address 127.0.0.0/8. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere.
  • RFC 1918 Private Address Space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) is not routable over the Internet and should never be the source of traffic from the Internet.
  • The Link-Local DHCP default network (169.254.0.0/16). Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. This block is not routable over the Internet.
  • The documentation/test network (192.0.2.0/24) - This block is assigned by IANA as "TEST-NET" for use in documentation and example code. It is often used in conjunction with the domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet.
  • 0.0.0.0/8 - Addresses in this block refer to source hosts on "this" network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network.
  • The "limited broadcast" destination address 255.255.255.255 should never be forwarded outside the (sub-)net of the source.
  • Traffic destined for the broadcast address of your public network otherwise known as a Smurf Attack.
  • If your network does not need multicast traffic, then block the IP multicast address range 224.0.0.0/4.
  • Although you may want to allow some ICMP traffic for diagnostics, for the most part you will want to block it, as it provides reconnaissance information to would-be hackers.
  • Unless you have an external 3rd party monitoring your network, you should block all SNMP traffic. If you do have a 3rd party monitoring your network via SNMP, you should limit this traffic to their network or hosts.
  • Lastly, deny any other traffic that is not destined for your public address space (the final permit in the list below matches on destination, since spoofed sources from your own range were already denied above).
So what does this look like?
    ip access-list extended acl_inbound
     remark Permit BGP to Egress Interface (both directions of session setup)
     permit tcp host (BGP PEER) host (ROUTERS EGRESS INTERFACE) eq bgp
     permit tcp host (BGP PEER) eq bgp host (ROUTERS EGRESS INTERFACE)
     remark Block Spoofed Addresses
     deny ip (PUBLIC NETWORK AND MASK) any log
     remark Block local host address
     deny ip 127.0.0.0 0.255.255.255 any log
     remark Block RFC 1918 Address Allocation for Private Internets
     deny ip 10.0.0.0 0.255.255.255 any log
     deny ip 172.16.0.0 0.15.255.255 any log
     deny ip 192.168.0.0 0.0.255.255 any log
     remark Block link-local DHCP
     deny ip 169.254.0.0 0.0.255.255 any log
     remark Block documentation/test network
     deny ip 192.0.2.0 0.0.0.255 any log
     remark Block host *.0.0.0
     deny ip 0.0.0.0 0.255.255.255 any log
     remark Block host 255.255.255.255 as source or limited-broadcast destination
     deny ip host 255.255.255.255 any log
     deny ip any host 255.255.255.255 log
     remark Block Smurf Attack
     deny ip any host (PUBLIC NETWORK BROADCAST ADDRESS) log
     remark Block Multicast Traffic
     deny ip 224.0.0.0 15.255.255.255 any log
     remark Permit Selective ICMP Traffic (ICMP types take no "eq" keyword)
     permit icmp any host (ROUTERS EGRESS INTERFACE) echo-reply
     remark Deny ICMP Traffic
     deny icmp any any log
     remark Block SNMP & SNMP Trap
     deny udp any any eq snmp log
     deny udp any any eq snmptrap log
     remark Permit Everything else to public networks only
     permit ip any (PUBLIC NETWORK AND MASK)
     remark Block everything else
     deny ip any any log

It’s worth noting that I recently checked my inbound access list and found a significant number of attempts on the blocked traffic above. This is just a small indication of what is trying to make its way into your network.

So now you may ask, "I'm not a hacker, nor is anyone in my company, so why do I need to filter outbound traffic?" The reason is fairly simple: you can never know who is or is not a hacker. What's more likely is that you may not know that a system has been compromised. So what would be invalid traffic coming from your own network? A lot of the same traffic that shouldn't be coming into your network.
  • The loopback address 127.0.0.0/8. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere.
  • RFC 1918 Private Address Space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) is not routable over the Internet and should never be the source of traffic leaving your network.
  • The Link-Local DHCP default network (169.254.0.0/16). Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found. This block is not routable over the Internet.
  • The documentation/test network (192.0.2.0/24) - This block is assigned by IANA as "TEST-NET" for use in documentation and example code. It is often used in conjunction with the domain names example.com or example.net in vendor and protocol documentation. Addresses within this block should not appear on the public Internet.
  • 0.0.0.0/8 - Addresses in this block refer to source hosts on "this" network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network.
  • The "limited broadcast" destination address 255.255.255.255 should never be forwarded outside the (sub-)net of the source.
  • If your network does not need multicast traffic, then block the IP multicast address range 224.0.0.0/4.
  • Although you may want to allow some ICMP traffic for diagnostics, for the most part you will want to block it, as it provides reconnaissance information to would-be hackers.
  • Unless you monitor external networks, you should block outbound SNMP traffic.
  • Lastly, deny any other traffic that does not source from your public address space.
Here is what this looks like:
    ip access-list extended acl_outbound
     remark Block local host address
     deny ip 127.0.0.0 0.255.255.255 any log
     remark Block RFC 1918 Address Allocation for Private Internets
     deny ip 10.0.0.0 0.255.255.255 any log
     deny ip 172.16.0.0 0.15.255.255 any log
     deny ip 192.168.0.0 0.0.255.255 any log
     remark Block link-local DHCP
     deny ip 169.254.0.0 0.0.255.255 any log
     remark Block documentation/test network
     deny ip 192.0.2.0 0.0.0.255 any log
     remark Block host *.0.0.0
     deny ip 0.0.0.0 0.255.255.255 any log
     remark Block host 255.255.255.255 as source or limited-broadcast destination
     deny ip host 255.255.255.255 any log
     deny ip any host 255.255.255.255 log
     remark Block Multicast Traffic
     deny ip 224.0.0.0 15.255.255.255 any log
     remark Permit Selective ICMP Traffic (outbound echo from our public range only)
     permit icmp (PUBLIC NETWORK AND MASK) any echo
     remark Deny ICMP Traffic
     deny icmp any any log
     remark Permit Management of the router from Management Server
     permit tcp host (MGT SERVER) host (ROUTERS INGRESS INTERFACE) eq ssh
     remark Permit SNMP & SNMP Trap from SNMP Monitoring Server
     permit udp host (SNMP SERVER) host (ROUTERS INGRESS INTERFACE) eq snmp
     permit udp host (SNMP SERVER) host (ROUTERS INGRESS INTERFACE) eq snmptrap
     remark Block SNMP & SNMP Trap
     deny udp any any eq snmp log
     deny udp any any eq snmptrap log
     remark Permit Everything else from public networks only
     permit ip (PUBLIC NETWORK AND MASK) any
     remark Block everything else
     deny ip any any log


(BGP PEER): If your router is performing BGP you must explicitly allow the traffic from your BGP peering partner.
(ROUTERS EGRESS INTERFACE): This IP is typically assigned by your ISP to your router's outside interface.
(PUBLIC NETWORK AND MASK): This would be the public network and wildcard mask assigned by your ISP, ARIN, or another RIR.
(PUBLIC NETWORK BROADCAST ADDRESS): This is your public network's broadcast address (host portion of the address is all 1's).
(ROUTERS INGRESS INTERFACE): This IP is assigned to your router's inside interface.
(SNMP SERVER): An address of an SNMP monitoring server permitted to monitor your Internet border router.
(MGT SERVER): System that is permitted to SSH into the router for management purposes.
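
To make the wildcard-mask and broadcast-address arithmetic behind the placeholders concrete, here is an added Python example (not part of the original post) that renders the inbound list for a given public prefix. The prefix 203.0.113.0/24, BGP peer 198.51.100.1 and egress address 198.51.100.2 used below are constructed sample values from the RFC 5737 documentation ranges.

```python
import ipaddress

# Source prefixes the post says should never arrive from the Internet,
# keyed by the remark used in the access list.
BOGON_SOURCES = [
    ("local host address", ["127.0.0.0/8"]),
    ("RFC 1918 Address Allocation for Private Internets",
     ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("link-local DHCP", ["169.254.0.0/16"]),
    ("documentation/test network", ["192.0.2.0/24"]),
    ("host *.0.0.0", ["0.0.0.0/8"]),
    ("Multicast Traffic", ["224.0.0.0/4"]),
]

def deny_source(prefix):
    """One 'deny ip <net> <wildcard> any log' line; the Cisco wildcard
    mask is the inverse of the subnet mask, which ipaddress calls hostmask."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f" deny ip {net.network_address} {net.hostmask} any log"

def acl_inbound(public_net, egress_ip, bgp_peer):
    """Render the post's inbound ACL for a concrete public prefix."""
    pub = ipaddress.ip_network(public_net, strict=True)
    lines = [
        "ip access-list extended acl_inbound",
        " remark Permit BGP to Egress Interface",
        f" permit tcp host {bgp_peer} host {egress_ip} eq bgp",
        " remark Block Spoofed Addresses",
        deny_source(public_net),           # our own range as a source
    ]
    for remark, prefixes in BOGON_SOURCES:
        lines.append(f" remark Block {remark}")
        lines.extend(deny_source(p) for p in prefixes)
    lines += [
        " remark Block host 255.255.255.255",
        " deny ip host 255.255.255.255 any log",
        " remark Block Smurf Attack",
        f" deny ip any host {pub.broadcast_address} log",  # host bits all 1s
        " remark Permit Selective ICMP Traffic",
        f" permit icmp any host {egress_ip} echo-reply",
        " deny icmp any any log",
        " remark Block SNMP & SNMP Trap",
        " deny udp any any eq snmp log",
        " deny udp any any eq snmptrap log",
        " remark Permit Everything else to public networks only",
        f" permit ip any {pub.network_address} {pub.hostmask}",
        " deny ip any any log",
    ]
    return "\n".join(lines)
```

Paste the output into the router configuration and apply it with `ip access-group acl_inbound in` on the outside interface; the outbound list follows the same pattern with the source and destination fields swapped.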

Well that’s about it for this one. There is a lot of documentation out there including RFC2827, NSA Router Security Documentation, and many others. If you have any suggestions for additional traffic to filter at this level of the network please feel free to let me know.

-Fred

2 comments:

  1. One thing I should have made note of is that on the egress filter, if you are running HSRP or an internal routing protocol, you may need to allow some special traffic including specific multicast addresses.

  2. Fred, my ISP is giving me grief because my DNS can be abused. Is there an ISP (or hopefully a list of them) that has implemented ingress filtering? Regards, Brad
