RE: CISCO ACLs.. Are there lists already out there to protect me from trojans and known bad sites?

From: Jacob (jacob_at_excaliburfilms.com)
Date: 11/09/05

    To: <security-basics@securityfocus.com>
    Date: Wed, 9 Nov 2005 11:13:05 -0800
    
    

    Here is a snippet of what I have on my routers. XXX.XXX.XXX.0 is your
    network. (In my case, a /24)

    ! Anti-spoofing: drop packets arriving on the WAN side that claim a source
    ! in RFC 1918 space, loopback, multicast/class E, or the broadcast or
    ! unspecified address (the list is meant to be applied inbound on the WAN
    ! interface).
    access-list 199 deny ip 10.0.0.0 0.255.255.255 any
    access-list 199 deny ip 172.16.0.0 0.15.255.255 any
    access-list 199 deny ip 192.168.0.0 0.0.255.255 any
    access-list 199 deny ip 127.0.0.0 0.255.255.255 any
    access-list 199 deny ip 224.0.0.0 31.255.255.255 any
    access-list 199 deny ip host 255.255.255.255 any
    access-list 199 deny ip host 0.0.0.0 any
    ! Nothing from outside should carry our own network as its source.
    access-list 199 deny ip xxx.xxx.xxx.0 0.0.0.255 any
    ! Windows RPC/NetBIOS/SMB (135-139, 445) must not be reachable from the WAN.
    access-list 199 deny tcp any any range 135 139
    access-list 199 deny udp any any range 135 netbios-ss
    access-list 199 deny tcp any any eq 445
    access-list 199 deny udp any any eq 445

    Then, you want to allow only traffic that is legit, for example:

    access-list 199 permit tcp any any eq www

    Ending with a deny all (or leave it as is; a deny all is always added at the
    end).

    -----Original Message-----
    From: Pigeon [mailto:fredit@charter.net]
    Sent: Tuesday, November 08, 2005 9:27 PM
    To: security-basics@securityfocus.com
    Subject: CISCO ACLs.. Are there lists already out there to protect me from
    trojans and known bad sites?

    I just got my first Cisco router in (well, for home use :) ).. and I want to
    lock my network down.. Are there any default ACL lists that will block:
    A) known bad IPs
    B) trojan ports
    C) protection against spoofing (aka denying private IP source port incoming
    in the WAN port)

    I know I will have to modify whatever I have.. but a general list would be
    great!

    thanks!

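The ACL Jacob posted depends on three IOS behaviours that are easy to get wrong when the list is edited: wildcard masks (a 1 bit means "don't care", so 0.15.255.255 covers 172.16-172.31 and 31.255.255.255 covers 224-255), first-match ordering, and the implicit deny after the last entry. The Python evaluator below is an added example, not code from this thread; it parses the snippet above with XXX.XXX.XXX.0/24 assumed to be 203.0.113.0/24 (a documentation prefix) and checks constructed packets against it, so an edit to the list can be tested offline before it is applied inbound on the WAN interface.

```python
"""Offline evaluator for a Cisco IOS extended ACL (added example, not from the post).
Models only the keywords the snippet uses: any/host/wildcard, eq, range, www, netbios-ss."""
import ipaddress

# Jacob's list with the site network filled in with 203.0.113.0/24 (assumed; TEST-NET-3).
ACL_TEXT = """
access-list 199 deny ip 10.0.0.0 0.255.255.255 any
access-list 199 deny ip 172.16.0.0 0.15.255.255 any
access-list 199 deny ip 192.168.0.0 0.0.255.255 any
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 224.0.0.0 31.255.255.255 any
access-list 199 deny ip host 255.255.255.255 any
access-list 199 deny ip host 0.0.0.0 any
access-list 199 deny ip 203.0.113.0 0.0.0.255 any
access-list 199 deny tcp any any range 135 139
access-list 199 deny udp any any range 135 netbios-ss
access-list 199 deny tcp any any eq 445
access-list 199 deny udp any any eq 445
access-list 199 permit tcp any any eq www
"""

PORT_NAMES = {"www": 80, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, care_mask), rest)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    care = ~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF  # wildcard 1 = don't care
    return (net & care, care), tokens[2:]


def _parse_ports(tokens):
    """Optional port operator after an address; returns ((lo, hi) or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (_port(tokens[1]), _port(tokens[2])), tokens[3:]
    return None, tokens


def parse_acl(text):
    """Return entries in list order: (action, proto, src, sport, dst, dport)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # blank lines and '!' comments
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        sport, rest = _parse_ports(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_ports(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _addr_match(spec, addr):
    net, care = spec
    return (int(ipaddress.IPv4Address(addr)) & care) == net


def _port_match(spec, port):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; returns (action, entry_number).
    No match means the IOS implicit deny, reported as ('deny', None)."""
    for n, (action, rproto, rsrc, rsport, rdst, rdport) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if rproto != "ip" and not (_port_match(rsport, sport) and _port_match(rdport, dport)):
            continue
        return action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed inbound packets: (proto, src, dst, sport, dport)
    for pkt in [("tcp", "8.8.8.8", "203.0.113.10", 40000, 80),       # legit web
                ("tcp", "192.168.1.5", "203.0.113.10", 40000, 80),   # spoofed RFC 1918
                ("tcp", "203.0.113.77", "203.0.113.10", 40000, 80),  # spoofed own net
                ("udp", "8.8.8.8", "203.0.113.10", 40000, 137),      # NetBIOS
                ("tcp", "172.32.0.1", "203.0.113.10", 40000, 80),    # just outside /12
                ("tcp", "8.8.8.8", "203.0.113.10", 40000, 22)]:      # implicit deny
        print(pkt, "->", evaluate(acl, *pkt))
```

The 172.31.255.255 / 172.32.0.1 pair is the check worth keeping around: the first is dropped by entry 2, the second falls through to the permit, which is exactly the boundary the 0.15.255.255 wildcard is meant to draw. Keywords the snippet does not use (`established`, `log`, `gt`/`lt`, named ACLs) are not modelled.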
