RE: [fw-wiz] Problems logging deny's on Cisco Routers?

From: Manson, Jim (MANSO001_at_dcri.duke.edu)
Date: 04/22/04

    To: "'Scott C. Kennedy'" <sck@nogas.org>, firewall-wizards@honor.icsalabs.com
    Date: Thu, 22 Apr 2004 16:21:00 -0400
    
    

    Scott,

    I know this is a late post, and you may have resolved this already, but try
    adding a port range:

    deny ip any any range 0 65535 log

    Jim

    Jim Manson
    Network Engineer
    Information Security Officer
    Duke Clinical Research Institute
    919-668-8833

    -----Original Message-----
    From: Scott C. Kennedy [mailto:sck@nogas.org]
    Sent: Monday, March 08, 2004 3:21 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] Problems logging deny's on Cisco Routers?

    Has anyone else seen problems logging on Cisco Routers for deny ACLs?

    I've been using Routers with ACLs for years and have never had problems for
    those sites too small or too diverse to use actual firewall devices. Yet
    now I have a problem with a site that is using Cisco routers with 'extended'
    ACLs, yet the final line 'deny ip any any log' is not logging all the
    information.

    In tests with NMap for the first 1,024 ports, the router only logs 30% of
    the UDP ports scanned and only 1% of the TCP ports scanned. This was a
    standard NMap full-TCP connect scan, with no odd flags.

    So, what gives? Is this normal for Cisco Routers to not keep accurate logs
    of denied packets? If so, then how are you supposed to support ACLs on
    these devices without accurate logs? I'd expect some log drops under high
    stress, but these routers are barely putting 1 mb/s of traffic through them,
    and are less than 5% CPU busy, thus they should be able to provide higher
    than 1% accuracy.

    Scott
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
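As an added example (not part of the thread), one way to quantify what Scott measured: parse the router's %SEC-6-IPACCESSLOGP deny lines, compare the destination ports seen against the port list that was scanned, and pick up any %SEC-6-IPACCESSLOGRL "missed N packets" lines, which IOS emits when ACL logging is rate-limited. The syslog lines below are constructed samples in that IOS format; the ACL number 101, the addresses and the hostname are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread) in the IOS
# %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGRL formats. ACL 101, the hostname
# and the RFC 5737 addresses are assumptions made for the example.
SAMPLE_LOGS = """\
Mar  8 15:21:02 rtr1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40001) -> 198.51.100.5(22), 1 packet
Mar  8 15:21:02 rtr1 1235: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40002) -> 198.51.100.5(80), 1 packet
Mar  8 15:21:03 rtr1 1236: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(40003) -> 198.51.100.5(53), 1 packet
Mar  8 15:26:02 rtr1 1240: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40001) -> 198.51.100.5(22), 37 packets
Mar  8 15:26:03 rtr1 1241: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 512 packets
"""

# One deny record: ACL name, protocol, src(port) -> dst(port), packet count.
LOGP = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (tcp|udp) "
                  r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\), (\d+) packets?")
# The router's own admission that logging was throttled.
LOGRL = re.compile(r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (\d+) packets")

def summarize(text):
    """Return (logged dst ports per protocol, packet totals per protocol, missed count)."""
    ports = defaultdict(set)
    packets = defaultdict(int)
    missed = 0
    for line in text.splitlines():
        m = LOGP.search(line)
        if m:
            _acl, proto, _src, _sport, _dst, dport, count = m.groups()
            ports[proto].add(int(dport))
            packets[proto] += int(count)
            continue
        m = LOGRL.search(line)
        if m:
            missed += int(m.group(1))
    return ports, packets, missed

def coverage(text, scanned_ports, proto):
    """Fraction of the scanned destination ports that show up in the deny log."""
    ports, _, _ = summarize(text)
    seen = ports[proto] & set(scanned_ports)
    return len(seen) / len(set(scanned_ports))

if __name__ == "__main__":
    _, pkts, miss = summarize(SAMPLE_LOGS)
    print(f"tcp coverage of 1-1024: {coverage(SAMPLE_LOGS, range(1, 1025), 'tcp'):.2%}")
    print(f"packets logged: {dict(pkts)}, packets the router admits missing: {miss}")
```

The 37-packet line shows why a per-port count will never match a scan packet for packet: IOS logs the first packet of a matching flow and then a periodic summary count rather than one line per packet, and the IPACCESSLOGRL line is the signal to look for before blaming the ACL itself.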

