Re: fragment filtering

From: Bob Sinclair (bsinclair@netmasterclass.net)
Date: Tue May 10 2005 - 19:44:13 GMT-3


Tim,

Good questions. Let me see if I can help at all. Comments in-line below.

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: ccie2be
  To: 'Bob Sinclair' ; 'Group Study'
  Sent: Tuesday, May 10, 2005 5:51 PM
  Subject: RE: fragment filtering

  Hey Bob,

  Thanks for getting back to me. I happen to have the Richard Deal book but
  I'm not 100% sure of what he's saying and how to apply the info he provides.

  For example, he talks mostly about NON-INITIAL fragments.

  " When filtering fragments, noninitial fragments that match Layer 3
  information in your ACL have the appropriate action taken against them:
  permit or deny."
  Is this the same as saying, "If the fragment keyword is used, noninitial
  fragments that match Layer 3 information in your ACL have the appropriate
  action taken against them: permit or deny."

>>>YES: all packets and fragments have all layer 3 info. So if you are
matching on destination or source address, fragments will match just like any
other packet would.

  Or, put another way, is the difference between these 2 acl entries as noted?

  access-list 101 deny ip any any fragments
  <- all ip traffic including initial and non-initial fragments is dropped

  access-list 101 deny ip any any
  <- only initial fragments and unfragmented ip traffic is dropped;
  non-initial fragments pass through

>> I don't think so.... deny ip any any WILL deny all. Non-initial
fragments will be denied. There is no layer-4 match required here.

  As a practical matter for the lab, it seems to me, I have to sort acl
  entries into 2 groups:

  Group 1 - has no port information

>>>NON-INITIAL fragments have NO port info.

  Group 2 - has port info, i.e., the acl includes either tcp or udp

>>When Deal talks about "layer 4" info, he seems to me to be referring to
port numbers, not L4 protocol specification. Doesn't he say that "deny udp
any any fragments" would deny udp fragments? In other words, the protocols
UDP, TCP and ICMP can be detected in the layer 3 header (protocol field).
Sound right? The issue seems to be that the layer 4 header, which has the
ports, may be missing in non-initial fragments.

  For Group 1, the behavior is as described above.

  For Group 2, I'm still not that clear.

  Last thing: Is there any simple way to verify the configuration will work
  as intended?

>>>No shortcut here: have to lab it up! Fortunately, this can be done on a
bunch of 2500s!

  I hate it when I take the lab and find I'm not sure about some little
  detail and don't know how to verify if I did the config correctly.

  Can you help clear up this confusion for me? I would be tremendously
  appreciative.

  TIA, Tim
    _____

  From: Bob Sinclair [mailto:bsinclair@netmasterclass.net]
  Sent: Tuesday, May 10, 2005 4:33 PM
  To: ccie2be; Group Study
  Subject: Re: fragment filtering

  Tim,

  Richard Deal covers this topic well in his book Cisco Router Firewall
  Security. Non-initial fragments will not have the UDP port information.
  So if you want to deny all UDP DNS fragments, denying UDP fragments is as
  specific as you can get. According to Deal, non-initial fragments are
  denied by the implicit deny-any at the end of the access-list in recent
  IOS. Initial fragments and unfragmented packets can be explicitly denied
  by UDP port.

  HTH,

  Bob Sinclair
  CCIE #10427, CCSI 30427, CISSP
  www.netmasterclass.net
  ----- Original Message -----
  From: ccie2be <mailto:ccie2be@nyc.rr.com>
  To: Group Study <mailto:ccielab@groupstudy.com>
  Sent: Tuesday, May 10, 2005 4:02 PM
  Subject: fragment filtering

  Hi guys,

  I'm a bit confused about this. I've read the Doc-CD CR several times and
  some other sources as well.

  It seems that if the fragment keyword is added to the end of an acl entry,
  it deals with non-initial fragments.

  But, suppose this were the task:

  Filter udp fragments coming in int e0 going to the DNS server.

  Does this mean initial and non-initial fragments? IF so, how would I do
  this?

  Now, suppose I also had to filter ip fragments. Would the acl entry for
  this affect the previous acl entry?

  If possible, a couple of examples would be very helpful.

  TIA, Tim

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html
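The thread keeps coming back to one point: a non-initial fragment carries the IP header (protocol, source, destination) but not the UDP/TCP header, so an ACL entry that names a port has nothing to match in it, and only an L3-only entry or one with the fragments keyword can catch it. The simulation below is an added example, not configuration from the thread or from Cisco, and the addresses and packets in it are constructed. It encodes the fragment-matching rules as I understand them from Cisco's "Access Control Lists and IP Fragments" documentation (an assumption to be confirmed in the lab, as Bob says): an entry with port info and a deny action is skipped for a non-initial fragment, while an entry with port info and a permit action permits the fragment on its L3 match. Three ACLs from the discussion are run over the same traffic: Tim's plain `deny ip any any`, a port-specific deny that lets non-initial fragments fall through, and the `fragments` entry placed ahead of the DNS permit.

```python
"""Simulate how an IOS-style extended ACL treats IP fragments.

Matching rules modelled here (assumption, taken from Cisco's ACL-and-
fragments documentation as this example understands it; lab it to confirm):
  * ACE with only L3 info (proto/src/dst): applies to unfragmented packets,
    initial fragments and non-initial fragments alike.
  * ACE with L4 port info and no 'fragments' keyword: unfragmented packets
    and initial fragments are matched on L3+L4; for a non-initial fragment
    (no L4 header) a permit ACE permits on the L3 match, a deny ACE is skipped.
  * ACE with the 'fragments' keyword: applies only to non-initial fragments,
    matched on L3 info; IOS does not accept port info on such an entry.
  * Implicit deny at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str             # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int]   # None when no L4 header is present in this piece
    frag_offset: int = 0   # > 0 means non-initial fragment
    more_frags: bool = False

    @property
    def non_initial(self) -> bool:
        return self.frag_offset > 0


@dataclass
class ACE:
    action: str            # "permit" | "deny"
    proto: str             # "ip" matches any protocol
    src: str               # CIDR or "any"
    dst: str
    dport: Optional[int] = None
    fragments: bool = False

    def __post_init__(self):
        if self.fragments and self.dport is not None:
            raise ValueError("IOS rejects 'fragments' on an ACE with L4 port info")


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _l3_match(ace: ACE, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return proto_ok and _in_net(pkt.src, ace.src) and _in_net(pkt.dst, ace.dst)


def evaluate(acl, pkt):
    """Return (action, index of the matching ACE); index None = implicit deny."""
    for i, ace in enumerate(acl):
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:                    # only non-initial fragments
            if pkt.non_initial:
                return ace.action, i
            continue
        if ace.dport is None:                # L3-only entry: matches everything
            return ace.action, i
        if pkt.non_initial:                  # port given, but no L4 header to check
            if ace.action == "permit":
                return "permit", i
            continue                         # deny with port info is skipped
        if pkt.dport == ace.dport:
            return ace.action, i
    return "deny", None


DNS = "192.0.2.53"  # constructed DNS server address (documentation range)

# Constructed traffic: a whole query, a fragmented query (initial piece carries
# the UDP header, the later piece does not) and a non-DNS datagram.
SAMPLE_PACKETS = {
    "dns_whole":        Packet("udp", "198.51.100.7", DNS, dport=53),
    "dns_initial_frag": Packet("udp", "198.51.100.7", DNS, dport=53, more_frags=True),
    "dns_noninit_frag": Packet("udp", "198.51.100.7", DNS, dport=None, frag_offset=185),
    "ntp_whole":        Packet("udp", "198.51.100.7", DNS, dport=123),
}

# Tim's candidate: deny ip any any (L3 only) catches every fragment.
ACL_DENY_IP = [ACE("deny", "ip", "any", "any")]

# Port-specific deny only: the non-initial fragment has no port, so the deny is
# skipped and the fragment falls through to the permit that follows.
ACL_PORT_DENY = [
    ACE("deny", "udp", "any", f"{DNS}/32", dport=53),
    ACE("permit", "ip", "any", "any"),
]

# The task in the thread: drop UDP fragments to the DNS server, keep DNS working.
ACL_DNS_FRAGMENTS = [
    ACE("deny", "udp", "any", f"{DNS}/32", fragments=True),
    ACE("permit", "udp", "any", f"{DNS}/32", dport=53),
]


def run(acl):
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in [("deny ip any any", ACL_DENY_IP),
                       ("port deny then permit ip", ACL_PORT_DENY),
                       ("fragments then permit 53", ACL_DNS_FRAGMENTS)]:
        print(f"{label:26} {run(acl)}")
```

Ordering is the thing to watch when reading the output: the `fragments` entry must sit before the DNS permit, because under the modelled rules a `permit udp ... eq 53` reached first would already permit the non-initial fragment on its L3 match. Bob's advice to lab it up applies to exactly that rule.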



This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:57 GMT-3