Mailing List Archive: nsp: foundry

UDP 'established' ACL?



dmiller at metheus

Mar 31, 2011, 2:06 PM

Post #1 of 3 (1518 views)
UDP 'established' ACL?

Serveriron running 10.2.01oTI4

My setup is a more secure layer with utilities and databases, and a
layer for the boxes that have to talk to the 'net.

I currently have an ACL that lets a more-secure box establish TCP
connections to the less secure layer:

permit tcp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established


I'm installing SNMP now, and would like to have the equivalent rule for
UDP, i.e., any host on the more secure layer able to send UDP packets and
get the response back. I tried this:

permit udp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established

and it doesn't raise any syntax errors, but it doesn't allow packets to
return to the snmp box.

What am I missing here?

Thanks,

--- David
_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


dmiller at metheus

Mar 31, 2011, 5:47 PM

Post #2 of 3 (1488 views)
Re: UDP 'established' ACL? [In reply to]

To those who kindly reminded me that UDP is stateless, thank you.

I know UDP is stateless. Firewalls, however, keep track of UDP packets
sent - for short periods - so that packets can be returned. DNS, voip,
and other applications would break if the firewall didn't do this.

That's how I'd like snmp to work here: snmp server on the secure network
selects a random port, sends a UDP packet from that port to the
monitored system on 161. Then the SI should know to allow the returned
packet through. Instead, the packets get blocked going back to the
random port.

Sorry to not communicate this clearly the first time :)

--- David





dschout at high5

Mar 31, 2011, 11:34 PM

Post #3 of 3 (1475 views)
Re: UDP 'established' ACL? [In reply to]

OK, but that is the difference between using a firewall and an ACL on a switch/router.

A firewall builds a session-cache, which you really do not want the switch/router to do, especially when a lot of traffic is going through them.

Strictly speaking, your TCP ACL does block non-established traffic, but will allow DDoS traffic when it spoofs "established" TCP traffic, which a firewall wouldn't.

I'm afraid all you can do is ACL based on source and destination for UDP, and create a similar "smaller" hole like you did for TCP.

For additional security a device like a firewall is required.

Greetings,

Diederik
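The distinction the thread turns on, as an added Python model that is not from the list or from the ServerIron: the stateless `established` test (a TCP flag check, so a UDP reply can never satisfy it), the narrower source/destination-port rule the last reply suggests instead, and the short-lived UDP session cache a firewall keeps. The two subnets are the thread's; the hosts, the ephemeral port, the 30-second timeout and the `eq 161` rule syntax are assumptions made for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
SECURE = ip_network("192.168.120.0/24")        # subnets from the thread
LESS_SECURE = ip_network("192.168.140.0/24")
# ack is the TCP ACK/RST bit; a UDP header has no such bit, so it stays False
Pkt = namedtuple("Pkt", "proto src sport dst dport ack", defaults=(False,))

def acl_established(pkt: Pkt) -> bool:
    """Stateless 'established': true only for TCP with ACK or RST set.
    Nothing is remembered between packets, so a UDP reply can never match."""
    return pkt.proto == "tcp" and pkt.ack

def acl_port_hole(pkt: Pkt) -> bool:
    """The narrower stateless rule the last reply points at (constructed
    syntax): permit udp <less-secure> eq 161 <secure>. It admits the SNMP
    reply, and equally any datagram from that subnet with source port 161."""
    return (pkt.proto == "udp" and pkt.sport == 161
            and ip_address(pkt.src) in LESS_SECURE and ip_address(pkt.dst) in SECURE)

class UdpSessionCache:
    """What a firewall keeps and a switch ACL does not: outbound UDP 5-tuples."""
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.flows = {}                          # 5-tuple -> expiry (seconds)
    def outbound(self, pkt: Pkt, now: float) -> None:
        self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
    def reply_allowed(self, pkt: Pkt, now: float) -> bool:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # mirrored tuple
        expiry = self.flows.get(key)
        if expiry is None or now > expiry:
            self.flows.pop(key, None)            # expired entries are forgotten
            return False
        return True

def snmp_scenario() -> dict:
    # Poller on the secure net picks an ephemeral port and queries port 161.
    query = Pkt("udp", "192.168.120.10", 40123, "192.168.140.20", 161)
    reply = Pkt("udp", "192.168.140.20", 161, "192.168.120.10", 40123)
    stray = Pkt("udp", "192.168.140.20", 161, "192.168.120.10", 514)   # unsolicited
    cache = UdpSessionCache(timeout=30.0)
    cache.outbound(query, now=0.0)
    return {
        "established_matches_reply": acl_established(reply),                    # False
        "port_hole_admits_reply": acl_port_hole(reply),                         # True
        "port_hole_admits_unsolicited": acl_port_hole(stray),                   # True
        "firewall_admits_reply": cache.reply_allowed(reply, now=1.0),           # True
        "firewall_admits_unsolicited": cache.reply_allowed(stray, now=1.0),     # False
        "firewall_admits_after_timeout": cache.reply_allowed(reply, now=45.0),  # False
    }
```

The port-based rule is the "smaller hole" the reply describes: it lets the SNMP answer back, but, having no state, it admits every datagram from that subnet with source port 161, which only the session cache distinguishes.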

