Advanced Security


BigMouthBarker

Advanced Security: Custom Firewall Rule Sets

Greetings!!! This will be my first time visiting your forum board. The subject that I would like to discuss with the board members today is the custom rule sets that I currently have in place on my NAT router. Router in question: Westell 327W VersaLink. Platform: Windows XP Home 2000 SP3, IE8, Toshiba Satellite 1135/S155 laptop (stand-alone), 1 GB RAM, 2 GB virtual, 60 GB HDD. Connection: ATT/DSL. Downstream rate: 8124 Kbits/sec; upstream rate: 511 Kbits/sec.

If the moderator of this board will allow me to post the following rule sets, I would like additional insight from the members on how I can harden the current rule sets even further from a security point of view, if anyone is familiar with the router model. To understand the logic behind the TTL and bits-logic perspective that has been implemented within the rule sets presented, please visit the following web site: http://www.dslreports.com/forum/remark,16694222

To further complement the rule sets and to strengthen security, I have taken the following step(s):

1) Local DNS servers: I was tired of trusting the security of my local service provider's DNS servers, so I moved upstream to www.OpenDNS.com and began using their servers. This move has made a tremendous difference in performance and security.

2) PCTools Firewall Plus (Stand Alone Free Edition) on the “Local Machine”. To assist in tightening the router firewall down even further, I disengaged the Windows Firewall and installed this firewall behind the NAT router. Custom rules are in place to make up for any shortfalls the router firewall may have. I like the flexibility of this firewall, for I am able to direct a lot of my apps and processes, including the browser, to the OpenDNS servers with ease for additional security.

3) To lock down my platform even further I went to the following website: http://www.pctools.com/guides/registry and did an extensive hack on my registry.

Your time is valuable, so please allow me to present my current inbound/outbound rule sets for review. The current rule sets in use were taken from: http://www.dslreports.com/forum/remark,16694222

Inbound Rules

title [ Security Level 1 IN rules ]

begin

pass from port >= 135, from port <= 139 >> done

drop icmp-type request, to addr %WANADDR%:32 >> done

RulesDropFrom192

drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]

RulesPass

pass all

RulesDropAddress

drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]

RulesPassUDP

pass protocol udp, to port 53 >> done

pass protocol udp, from port 53 >> done

RulesDropICMP

drop protocol icmp >> alert 4 [iCMP Message To WAN IP]

RulesDropWANUDP

drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [uDP WAN Traffic to WAN IP]

RulesDropWANTCP

drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]

RulesPassGoodICMP

pass protocol icmp, to addr %WANADDR%:32 >> done, alert 0 [Responding to WAN Ping]

RulesPassGoodICMP

pass protocol icmp, to addr %LANADDR%:%LANMASK% >> done, alert 0 [Nat'ed LOCAL PING]

End

Inbound Firewall Rules - Low

Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.

title [ Security Level Custom (Low) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1

TTL

#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]

drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]

drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address

Address

drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)

# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP

ICMP

pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))

drop protocol icmp, icmp-type reply >> done, alert 3 [iCMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)

drop protocol icmp, icmp-type exceeded >> done, alert 3 [iCMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))

drop protocol icmp, icmp-type unreachable >> done, alert 3 [iCMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)

drop protocol icmp, icmp-type request >> done, alert 3 [iCMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)

drop protocol icmp >> done, alert 3 [iCMP Message To WAN IP - Dropped] # Type: (block all others)

# Permit All Inbound Packets That Are Not Explicitly Denied or That Have a Matching Session State Table Entry.

Permitted

pass all

end

Inbound Firewall Rules - Medium

Deny All Inbound Packets That Are Not Explicitly Permitted or Do Not Have a Matching Session State Table Entry (Unsolicited)

title [ Security Level Custom (Medium) IN rules ]

begin

# Drop and Log Packets with Time to Live (TTL) of 0 or 1

TTL

#drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]

drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]

drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

# Drop and Log Packets of Prohibited Source Address

Address

drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Internet Control Message Protocol (ICMP)

# Pass Specific ICMP Types, Drop and Log all Unsolicited ICMP

ICMP

pass protocol icmp, icmp-type exceeded >> done # Type: 11 (allow TTL exceeded reply (trace route))

drop protocol icmp, icmp-type reply >> done, alert 3 [iCMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block echo (ping) reply)

drop protocol icmp, icmp-type exceeded >> done, alert 3 [iCMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block TTL exceeded reply (trace route))

drop protocol icmp, icmp-type unreachable >> done, alert 3 [iCMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)

drop protocol icmp, icmp-type request >> done, alert 3 [iCMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block echo (ping) requests)

drop protocol icmp >> done, alert 3 [iCMP Message To WAN IP - Dropped] # Type: (block all others)

# Deny All Inbound Packets That Do Not Have a Matching Session State Table Entry (Unsolicited)

Unsolicited

drop all >> alert 3 [unsolicited Inbound - Drop]

end

Outbound Rules

NOTE: I have disengaged the FTP box with the custom settings in the router and have Strict UDP Control engaged. For FTP control I am using Passive FTP (for firewall and DSL compatibility) and have "Enable FTP folder view (outside of Internet Explorer)" engaged within Internet Properties.

title [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions

RulesPass

#pass to port 80 >> state, done # HTTP

#pass from port 80 >> state, done # HTTP

#pass protocol udp, to port 53 >> state, done # DNS

#pass to port 20 >> state, done # FTP

#pass from port 20 >> state, done # FTP

#pass to port 21 >> state, done # FTP

#pass to port 23 >> state, done # Telnet

#pass to port 110 >> state, done # POP

#pass to port 119 >> state, done # NNTP

##pass to port 143 >> state, done ## USENET News Service

##pass to port 220 >> state, done ## IMAP v.3

#pass to port 25 >> state, done # SMTP

#pass to port 443 >> state, done # HTTPS

##pass to port 500 >> state, done ## IPSEC ALG

##pass protocol 50 >> state, done ## IPSEC ESP

#pass to port >= 1024, to port <= 5000 >> state, done # WE/IE Passive FTP P #Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service or enable above statement

# Failed to match

RulesDropNETBIOS

drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]

# Pass and Log ICMP Echo Request

RulesPassICMP

pass icmp-type request >> done, state, alert 0 [iCMP - Echo Request - Pass] # Type: 8 (allow ping requests)

# Drop and Log all ICMP Except Echo Request

RulesDropICMP

drop icmp-type reply >> done, alert 3 [iCMP - Echo Reply - Drop] # Type: 0 (block ping reply)

drop icmp-type exceeded >> done, alert 3 [iCMP - TTL Exceeded - Drop] # Type: 11 (block tracert reply)

drop icmp-type unreachable >> done, alert 3 [iCMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)

#drop icmp-type request >> done, alert 0 [iCMP - Echo Request - Drop] # Type: 8 (block ping requests)

drop protocol icmp >> done, alert 3 [iCMP - Unknown Reply - Drop] # Type: (block all others replies)

# Save Session State for Enabled Services

RulesSaveState

pass all >> state

# Drop All Unless Service is Enabled

RulesDrop

drop all >> alert 1 [Packet to be dropped unless Service enabled]

end

Final Output Of Outbound Rules

title [ Security Level 1 OUT rules ]

begin

pass protocol udp, to port 53 >> done

pass to port 194 >> done

pass to port 6667 >> done

RulesDropNETBIOS

drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NETBIOS Traffic]

RulesPass

pass all

end

Outbound Firewall Rules - Low

Permit All Outbound Packets That Are Not Explicitly Denied

title [ Security Level Custom (Low) OUT rules ]

begin

# Protocol Match conditions

# Internet Control Message Protocol

# Pass Specific ICMP Types, Drop and Log all other ICMP Types

ICMP

pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)

drop protocol icmp, icmp-type reply >> done, alert 2 [iCMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)

drop protocol icmp, icmp-type exceeded >> done, alert 2 [iCMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))

drop protocol icmp, icmp-type unreachable >> done, alert 2 [iCMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)

drop protocol icmp, icmp-type request >> done, alert 1 [iCMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)

drop protocol icmp >> done, alert 2 [iCMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)

# Drop NetBIOS Packets

NetBIOS

drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Permit All Outbound Packets That Are Not Explicitly Denied, and Add to Session State Table for Medium Inbound Firewall Rules

Permitted

#pass all # For Use With Inbound Low Firewall Rules Only

pass all >> state # For Use With Inbound Low or Medium Firewall Rules

end

Outbound Firewall Rules - Medium

Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled

title [ Security Level Custom (Medium) OUT rules ]

begin

# Protocol Match conditions

# World Wide Web

WWW

pass protocol tcp, to port 80 >> state, done # HTTP

pass protocol tcp, from port 80 >> state, done # HTTP

pass protocol tcp, to port 443 >> state, done # HTTPS - Secure Socket Layer (SSL)

# Domain Name System - Name/Address Resolution

DNS

pass protocol udp, to port 53 >> state, done # DNS

# Telecommunication Network (Telnet)

Telnet

pass protocol tcp, to port 23 >> state, done # Telnet

# Internet Protocol Security (IPsec)

Ipsec

#pass protocol udp, to port 500 >> state, done # IPSEC IKE

#pass protocol 50 >> state, done # IPSEC ESP

# eMail & News Groups

# Post Office Protocol (POP) / Simple Mail Transfer Protocol (SMTP) / Network News Transfer Protocol (NNTP)

eMail

pass protocol tcp, to port 110 >> state, done # POP

pass protocol tcp, to port 25 >> state, done # SMTP

pass protocol tcp, to port 119 >> state, done # NNTP

# Secure Socket Layer POP / SMTP / NNTP

eMailSSL

pass protocol tcp, to port 995 >> state, done # POP SSL

pass protocol tcp, to port 465 >> state, done # SMTP SSL

pass protocol tcp, to port 563 >> state, done # NNTP SSL

# File Transfer Protocol (FTP) - "Active" and "Passive" Modes

FTP

pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port

pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port

pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port

pass protocol tcp, from port >= 1024, from port <= 5000 >> state, done # WE/IE Passive Mode FTP Data Channel Ports - Check 'Use Passive FTP' in IE Advanced Properties

# Skype - Assigned Port of Each Skype Installation - Tools -> Options... -> Connection

Skype

#pass protocol udp, from port XXXXX >> state, done # Skype

# Network Time Protocol (NTP) (Windows Time Sync)

NTP

pass protocol udp, to port 123 >> state, done # NTP (Windows Time Sync)

# Internet Control Message Protocol

# Pass Specific ICMP Types, Drop and Log all other ICMP Types

ICMP

pass protocol icmp, icmp-type request >> state, done # Type: 8 (allow echo (ping) requests)

drop protocol icmp, icmp-type reply >> done, alert 2 [iCMP - Echo Reply - Drop] # Type: 0 (block echo (ping) reply)

drop protocol icmp, icmp-type exceeded >> done, alert 2 [iCMP - TTL Exceeded - Drop] # Type: 11 (block TTL exceeded reply (trace route))

drop protocol icmp, icmp-type unreachable >> done, alert 2 [iCMP - Dst Unreachable - Drop] # Type: 3 (block unreachable reply)

drop protocol icmp, icmp-type request >> done, alert 1 [iCMP - Echo Request - Drop] # Type: 8 (block echo (ping) requests)

drop protocol icmp >> done, alert 2 [iCMP - Prohibited Type - Drop] # Type: (block all others)

# Failed Protocol Match Conditions

# Network Basic Input/Output System (NetBIOS)

# Drop NetBIOS Packets

NetBIOS

drop to port >= 135, to port <= 139 >> done, alert 4 [Dropping NetBIOS Traffic] # NetBIOS

# Deny All Outbound Packets That Are Not Explicitly Permitted, Unless Service is Enabled

NotPermitted

drop all >> alert 1 [Packet to be dropped unless Service enabled]

end

Thank you for your insight and suggestions on the subject matter. Respectfully………BigMouthBarker
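Added example (not from the post, the DSLreports thread, or Westell): a small Python model of the TTL rules in the Low and Medium inbound sets, `drop match 3 8 { 00:FF }` / `{ 01:FF }` and the commented-out `{ 01:FE }`. It assumes the `{ value:mask }` pair is compared against the byte at IPv4 header offset 8 (the TTL field, per RFC 791) using only the bits set in the mask; the leading `3` in `match 3 8` is treated as the rule syntax's header selector and is not modelled. It shows why the single `{ 01:FE }` rule covers both TTL 0 and TTL 1, which is what the two `FF`-masked rules spell out separately.

```python
import struct

# Assumption: the Westell rule's second operand (8) is the byte offset into the
# IPv4 header, which places the match on the TTL field (RFC 791, byte 8).
TTL_OFFSET = 8

def build_ipv4_header(ttl, src="203.0.113.7", dst="198.51.100.2"):
    """Constructed 20-byte IPv4 header (no options) with the given TTL."""
    def ip2bytes(addr):
        return bytes(int(o) for o in addr.split("."))
    # version/IHL, DSCP/ECN, total length, id, flags/frag, TTL, proto (6 = TCP), checksum 0
    fixed = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0)
    return fixed + ip2bytes(src) + ip2bytes(dst)

def match_byte(header, offset, value, mask):
    """Assumed '{ value:mask }' semantics: compare only the bits set in mask."""
    return (header[offset] & mask) == (value & mask)

# The post's two active TTL rules, in order: (value, mask, alert label).
TTL_RULES = [
    (0x00, 0xFF, "TTL of 0"),
    (0x01, 0xFF, "TTL of 1"),
]
# The commented-out alternative from the post, kept to show it covers both cases.
TTL_RULE_COMBINED = (0x01, 0xFE, "TTL of 0 or 1")

def ttl_policy(header, rules=TTL_RULES):
    """First-match evaluation over the TTL byte: ('drop', label) or ('pass', None)."""
    for value, mask, label in rules:
        if match_byte(header, TTL_OFFSET, value, mask):
            return ("drop", label)
    return ("pass", None)

def covered_ttls(value, mask):
    """Every TTL value (0-255) a single value:mask rule would match."""
    return [t for t in range(256) if (t & mask) == (value & mask)]

if __name__ == "__main__":
    for ttl in (0, 1, 2, 64):
        separate = ttl_policy(build_ipv4_header(ttl))
        combined = ttl_policy(build_ipv4_header(ttl), [TTL_RULE_COMBINED])
        print(f"TTL {ttl:3d}: separate rules -> {separate}, { '{ 01:FE }' } -> {combined}")
    print("{ 01:FE } covers TTLs:", covered_ttls(0x01, 0xFE))
```

Packets arriving at the WAN side with TTL 0 or 1 are about to expire at the router, which is what traceroute-style probing relies on; dropping them silently rather than answering keeps the router from appearing as a hop, which is the defensive effect these rules are after.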
