From: Price, Jamie (JPrice@xxxxxxxxxxx)
Date: Fri Jun 15 2001 - 12:28:34 GMT-3
Actually... sequence numbering is "designed" to stop hackers but it
doesn't. An improperly patched server that doesn't randomize initial tcp
sequence numbers can easily be hijacked using tcp sequence number
prediction. To that end Jim is correct - opening up an "any any
established" conduit in an access list is a security risk but it is wholly
dependent on your environment. But that's getting too far off topic :)
-----Original Message-----
From: andrew.2.shore@bt.com [mailto:andrew.2.shore@bt.com]
Sent: Friday, June 15, 2001 8:54 AM
To: jtg@lucent.com; bravojun@hanmail.net; ccielab@groupstudy.com
Subject: RE: What is the function of the established keyword in Access-list ?
Don't forget that tcp sequence numbers stop hackers just sending through
packets to attack systems behind the router. Although it does take extra
routing processor to route these illegal packets.
-----Original Message-----
From: Jim Graves [mailto:jtg@lucent.com]
Sent: 15 June 2001 14:37
To: bravo; ccielab@groupstudy.com
Subject: Re: What is the function of the established keyword in Access-list?
The "established" keyword simply matches the "established" bit in the TCP
header. That's a bit that's set if a packet claims to be a response in an
existing conversation. In theory, every packet after the initial TCP
handshake will have the "established" bit set.
It's usually used as a shortcut when specific access lists are too painful
or bothersome. For example, you'll sometimes see this line thrown into an
access-list for inbound traffic:
access-list 110 permit tcp any any established
What that's supposed to do is allow through any reply traffic for existing
connections.
But I don't like using "established", and here's why. As I mentioned, all
it does is match a bit in the TCP header. TCP headers are trivial to
forge. If I'm Henry Hacker, I can just as easily set the "established" bit
on every packet I send. If your access list depends on "established" to
permit or deny access, it's going to let that forged packet right on
through. Not good.
FWIW, reflexive access lists are a much better way to do what the
"established" bit is usually used for. For more on reflexive access lists,
see CCO at
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/screflex.htm>.
As for your particular issue - it should work the same whether you have
"established" set or not. I presume that 100.1.1.1 is the ftp server, and
10.1.1.1 is the client (i.e., 10.1.1.1 ftps to 100.1.1.1)? Your issue is
probably a mask/IP problem in your access lists. The destination address
in each case is 10.1.1.1 with a wildcard mask of 0.0.0.255. You probably
mean 10.1.1.0 0.0.0.255. I don't think anything will match 10.1.1.1
0.0.0.255.
At 12:11 PM 6/15/2001 +0900, bravo wrote:
>Hello guy!
>
>Could you explain why the ftp is not work well?
>
>int se 0
> ip addr 100.1.1.254 255.255.255.0
> ip access-group 100 in
>int e 0
> ip addr 10.1.1.254 255.255.255.0
>
>access-list 100 permit tcp host 100.1.1.1 eq ftp 10.1.1.1 0.0.0.255
>established
>access-list 100 permit tcp host 100.1.1.1 eq ftp-data 10.1.1.1 0.0.0.255
>established
>access-list 100 deny ip any any
>
>**Please read:http://www.groupstudy.com/list/posting.html
---------------------------
Jim Graves
CCIE #7524, CISSP, MCSE
Network Systems Consultant
Lucent Worldwide Services
Alpha Pager: 1-800-467-1467
**Please read:http://www.groupstudy.com/list/posting.html
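The two points Jim makes above (that `established` is only a check on a header bit, and that a reflexive access list is the better tool because it tracks connections) can be shown side by side. The following is an added illustration written for this archive page, not code from Jim Graves, Cisco, or anyone in the thread: a toy evaluator for a small subset of IOS extended ACL syntax (`access-list N permit|deny tcp <src> [eq port] <dst> [eq port] [established]`, with `any`, `host` and wildcard masks), plus a minimal reply tracker standing in for a reflexive ACL. The packets, the 203.0.113.9 source and the port numbers are constructed sample values; the ACL lines are the ones quoted in the thread (with the destination written as `10.1.1.0 0.0.0.255`). On IOS, `established` matches a TCP segment with the ACK or RST bit set, which is what the evaluator checks.

```python
"""Added example (not from the original thread): stateless 'established'
matching versus a connection-tracking (reflexive-style) check."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# TCP flag bits from the standard header layout
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

# Port names that appear in the thread's ACL lines (constructed lookup table)
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # TCP flag bits


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _parse_port(tokens):
    """Optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


@dataclass(frozen=True)
class Rule:
    action: str
    src: tuple
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'access-list 110 permit tcp any any established'."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only 'access-list N permit|deny tcp ...' is supported")
    sb, sw, rest = _parse_addr(t[4:])
    sport, rest = _parse_port(rest)
    db, dw, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return Rule(t[2], (sb, sw), sport, (db, dw), dport, rest == ["established"])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, *rule.src):
        return False
    if not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # 'established' is only a header-bit test: ACK or RST set
    if rule.established and not pkt.flags & (TCP_ACK | TCP_RST):
        return False
    return True


def acl_decision(rules, pkt: Packet) -> str:
    """First match wins; implicit deny at the end, as on IOS."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "deny"


class ReplyTracker:
    """Simplified stand-in for a reflexive ACL: inbound TCP is permitted only
    if it mirrors a connection that was first seen leaving the network."""

    def __init__(self):
        self.outbound = set()

    def record_outbound(self, pkt: Packet) -> None:
        self.outbound.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_decision(self, pkt: Packet) -> str:
        mirror = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if mirror in self.outbound else "deny"


def demo() -> dict:
    acl = [parse_rule("access-list 110 permit tcp any any established")]
    tracker = ReplyTracker()
    # Constructed scenario: inside client 10.1.1.1 opens FTP to 100.1.1.1
    tracker.record_outbound(Packet("10.1.1.1", 40000, "100.1.1.1", 21, TCP_SYN))
    legit_reply = Packet("100.1.1.1", 21, "10.1.1.1", 40000, TCP_ACK)
    # Constructed unsolicited segment with the ACK bit set and no prior handshake
    forged = Packet("203.0.113.9", 4444, "10.1.1.1", 23, TCP_ACK)
    return {
        "legit_acl": acl_decision(acl, legit_reply),
        "forged_acl": acl_decision(acl, forged),          # permitted: bit is set
        "legit_reflexive": tracker.inbound_decision(legit_reply),
        "forged_reflexive": tracker.inbound_decision(forged),  # denied: no state
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stateless rule permits both segments because it never asks whether a connection exists, only whether a bit is set; the tracker denies the unsolicited one because no matching outbound flow was recorded. A real reflexive ACL also ages entries out and is evaluated as part of a named ACL, which this toy omits.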
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:24 GMT-3