From: Venkataramanaiah.R (vramanaiah@gmail.com)
Date: Fri Dec 02 2005 - 20:01:28 GMT-3
Shouldn't this ACL be reordered as below?
access-list 100 permit tcp any host 10.10.10.10 eq www established
access-list 100 deny ip any host 10.10.10.10 fragments
access-list 100 permit ip any any
This will let the established TCP traffic from inside pass through
even if the packets are fragmented, whereas the unestablished
fragment packets would be dropped by the second ACL. Agree?
-Venkat
On 11/8/05, nhqky888@ybb.ne.jp <nhqky888@ybb.ne.jp> wrote:
> Hi,
>
> A hacker is doing a fragment attack against the web server 10.10.10.10.
> Filtering fragmented packets should be done to prevent this.
>
> Here is the ACL:
>
> access-list 100 deny ip any host 10.10.10.10 fragments
> access-list 100 permit ip any any
>
> This ACL filters any fragmented HTTP packets that web users use, I think.
>
>
> Second ACL:
>
> access-list 100 permit tcp any host 10.10.10.10 fragments
> access-list 100 deny ip any host 10.10.10.10 fragments
> access-list 100 permit ip any any
>
> This ACL permits any fragmented HTTP packets that web users use;
> however, this server will be attacked with TCP fragments.
>
> How can I accomplish this task without breaking Web services?
>
> I've read Cisco Router Firewall Security by Deal;
> Deal indicates this as a lower security risk in it:
>
> access-list 100 deny ip any host 10.10.10.10 fragments
> access-list 100 permit tcp any host 10.10.10.10 eq www established
> access-list 100 permit ip any any
>
> Please give me any suggestions.
>
> Thanks,
>
> KY
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
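Added example, not code from the thread or from Deal's book: a small Python model of the fragment-matching rules Cisco documents for IOS extended ACLs. In IOS the keyword is spelt `fragments`, it applies only to non-initial fragments, and it is refused on an ACE that carries Layer 4 information such as `eq www` or `established`; a non-initial fragment has no TCP header, so when it reaches an ACE with Layer 4 information IOS applies the ACE if it is a permit and skips it if it is a deny. The model is fed the three orderings discussed above and a constructed set of packets (legitimate HTTP traffic plus non-initial TCP and ICMP fragments from an attacker). The class and function names and the sample packets are this example's own assumptions.

```python
# Added example, not code from the thread: a model of how Cisco IOS extended ACLs
# classify fragmented IPv4 packets, following the 'fragments' rules Cisco documents.
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80}   # subset of the IOS port keywords
SERVER = "10.10.10.10"                  # the web server from the thread

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    dst: str
    frag_offset: int = 0        # > 0: non-initial fragment, so no L4 header is present
    dport: Optional[int] = None
    ack_or_rst: bool = False    # the TCP flags the 'established' keyword tests

    @property
    def non_initial(self) -> bool:
        return self.frag_offset > 0

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" or a transport protocol name
    dst: str                    # "any" or a host address
    dport: Optional[int] = None
    established: bool = False
    fragments: bool = False

    @property
    def has_l4(self) -> bool:   # ports and 'established' are Layer 4 information
        return self.dport is not None or self.established

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO any any|host DST [eq PORT] [established] [fragments]'
    (the source is 'any' in every ACE of the thread, so it is not modelled)."""
    _, _, action, proto, _src, *rest = line.split()
    dst = "any" if rest.pop(0) == "any" else rest.pop(0)   # 'any' or 'host A.B.C.D'
    port = rest[rest.index("eq") + 1] if "eq" in rest else None
    dport = (PORT_NAMES.get(port) or int(port)) if port else None
    ace = Ace(action, proto, dst, dport, "established" in rest, "fragments" in rest)
    if ace.fragments and ace.has_l4:        # IOS rejects this combination at the CLI
        raise ValueError("'fragments' is not allowed on an ACE with L4 information")
    return ace

def parse_acl(text: str):
    return [parse_ace(ln) for ln in text.strip().splitlines()]

def evaluate(acl, pkt: Packet) -> str:
    """Top-down match returning 'permit' or 'deny'. A 'fragments' ACE matches only
    non-initial fragments; an L3-only ACE matches on L3 alone; an L4 ACE reached by a
    non-initial fragment (no L4 header to test) is taken if it permits and skipped if
    it denies; unfragmented packets and initial fragments are matched on L3 and L4."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto) or ace.dst not in ("any", pkt.dst):
            continue                        # L3 mismatch
        if ace.fragments:
            if pkt.non_initial:
                return ace.action
            continue
        if not ace.has_l4:
            return ace.action
        if pkt.non_initial:
            if ace.action == "permit":
                return "permit"
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not pkt.ack_or_rst:
            continue
        return ace.action
    return "deny"                           # implicit deny at the end of every ACL

# The three orderings from the thread, with the keyword spelt as IOS accepts it.
ACL_DENY_FRAGS_FIRST = parse_acl("""
access-list 100 deny ip any host 10.10.10.10 fragments
access-list 100 permit tcp any host 10.10.10.10 eq www established
access-list 100 permit ip any any""")
ACL_PERMIT_TCP_FRAGS = parse_acl("""
access-list 100 permit tcp any host 10.10.10.10 fragments
access-list 100 deny ip any host 10.10.10.10 fragments
access-list 100 permit ip any any""")
ACL_ESTABLISHED_FIRST = parse_acl("""
access-list 100 permit tcp any host 10.10.10.10 eq www established
access-list 100 deny ip any host 10.10.10.10 fragments
access-list 100 permit ip any any""")

# Constructed sample traffic towards the server.
PACKETS = {
    "http data, unfragmented":   Packet("tcp", SERVER, 0, 80, True),
    "http SYN":                  Packet("tcp", SERVER, 0, 80, False),
    "http non-initial fragment": Packet("tcp", SERVER, 1480),
    "tcp attack fragment":       Packet("tcp", SERVER, 8),
    "icmp attack fragment":      Packet("icmp", SERVER, 8),
}

def decisions(acl):
    """Verdict for every sample packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for acl in (ACL_DENY_FRAGS_FIRST, ACL_PERMIT_TCP_FRAGS, ACL_ESTABLISHED_FIRST):
        print(decisions(acl))
```

Under these rules the ordering with `deny ip any host 10.10.10.10 fragments` first (KY's first ACL and Deal's) drops every non-initial fragment addressed to the server, legitimate HTTP included, while the two orderings that put a tcp permit ahead of the deny (`permit tcp ... fragments` and `permit tcp ... eq www established`) give identical verdicts: non-initial TCP fragments are permitted regardless of which connection they belong to, because there is no TCP header for `eq www` or `established` to test and IOS treats a permit ACE with Layer 4 information as matching such a fragment. Only the ICMP fragment is still denied by the second line. Whether that trade-off is acceptable depends on whether the server's clients actually send fragmented HTTP requests; with a normal path MTU they rarely do.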
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:50 GMT-3