This is strictly from http://www.efficient.com Knowledge Base & I take no credit or blame for anything in this article.

Security 101 - Implementing Security on 5700-, 5800-, 5900-, and 7000-series Routers
Relevant Products: 5700-series, 5800-series, 5900-series, 7000-series
Overview
The Efficient 5700, 5800, 5900 and 7000 series routers can provide adequate security measures when the proper technologies are implemented.
Note: Regardless of the technology used, you should always change the default password on your router to prevent the simplest form of hack, by entering the command [system admin (new password)].
Solution
Firewalls
The scripts below are provided as a starting point for your firewall.
They may be copied to a text editor and loaded onto the router using the Configuration Manager, or they can be pasted into a telnet or console session. They can also be copied to the router via FTP as a file that you can execute from the command line; a script loaded this way can be executed at any time you wish.
To remove the filter at any time, the first 6 commands can also be run from the command line, or copied to a separate file and executed.
The script below is simple and to the point; it works by checking packets for the proper sequence of [syn] and [ack] flags. This script leaves UDP ports open, but that will not matter if your LAN is secure.
Example 1
#flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input
eth ip filter flush output
eth ip filter flush transmit
eth ip filter flush receive
#DNS from LAN to WAN will be accepted
remote ipfilter insert input accept -p udp -sp 53 internet
remote ipfilter insert output accept -p udp -dp 53 internet
#dynamic control all packets from LAN to WAN accepted
#deny any connection requests from the WAN
remote ipfilter insert input accept -tcp ack internet
remote ipfilter insert input accept -tcp syn -tcp ack internet
remote ipfilter insert output accept -tcp ack internet
remote ipfilter insert output accept -tcp syn internet
#remote ipfilter insert input accept -tcp syn internet
remote ipfilter insert input accept -tcp ack -tcp syn internet
remote ipfilter insert output accept -tcp syn internet
remote ipfilter insert output accept -tcp ack internet
#deny an echo reply from the router (ping acknowledge)
remote ipfilter insert output drop -p icmp -sp 0 internet
#FTP from LAN to WAN accepted
remote ipfilter insert input accept -tcp syn -sp 20 internet
remote ipfilter insert output accept -tcp syn -tcp ack -dp 20 internet
#FTP WAN TO LAN accepted
remote ipfilter insert input accept -tcp syn -dp 20 internet
remote ipfilter insert output accept -tcp syn -tcp ack -sp 20 internet
Example 2
The filter below allows all TCP connections to be accepted regardless of the port (it is the line that appears commented out in Example 1). To provide extra security, this filter can be left out of the script.
remote ipfilter insert input accept -tcp syn internet
Example 3
The script below is one that will provide security based on port and protocol.
DESTINATION ADDRESS (-da) - IP address that the packet is being sent to.
SOURCE ADDRESS (-sa) - IP address that the packet has been sent from.
FLAGS - Conditional status indicators, used to determine how to interpret other portions of the header, such as syn, ack and reset.
SOURCE PORT (-sp) - Number used to identify what application the packet is for.
DESTINATION PORT (-dp) - Number used to identify what application the packet is for.
PROTOCOL (-p) - Number that identifies the packet type. TCP and UDP are packet types.
#flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
eth ip filter flush input
eth ip filter flush output
#drop all packets
remote ipfilter append input drop internet
remote ipfilter append output drop internet
#ICMP from LAN to WAN will be accepted
remote ipfilter insert output accept -p icmp internet
remote ipfilter insert input accept -p icmp -sp 0 internet
remote ipfilter insert input accept -p icmp -sp 3 internet
remote ipfilter insert input accept -p icmp -sp 8 internet
remote ipfilter insert input accept -p icmp -sp 11 internet
#telnet from LAN to WAN will be accepted
remote ipfilter insert output accept -p tcp -dp 23 internet
remote ipfilter insert input accept -p tcp -sp 23 internet
#SSL (HTTPS) from LAN to WAN accepted (TCP port 443; SSL does not run over UDP)
remote ipfilter insert output accept -p tcp -dp 443 internet
remote ipfilter insert input accept -p tcp -sp 443 internet
#HTTP from LAN to WAN will be accepted
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -sp 80 internet
#FTP from LAN to WAN will be accepted
remote ipfilter insert input accept -p tcp -sp 21 -dp 1024:65535 internet
remote ipfilter insert output accept -p tcp -dp 21 -sp 1024:65535 internet
remote ipfilter insert input accept -p tcp -sp 20 -dp 1024:65535 internet
remote ipfilter insert output accept -p tcp -dp 20 -sp 1024:65535 internet
#DNS from LAN to WAN will be accepted
remote ipfilter insert output accept -p udp -dp 53 internet
remote ipfilter insert input accept -p udp -sp 53 internet
#E-mail - SMTP and POP3 requests from LAN to WAN accepted
remote ipfilter insert output accept -p tcp -dp 25 internet
remote ipfilter insert output accept -p tcp -dp 110 internet
remote ipfilter insert input accept -p tcp -sp 25 internet
remote ipfilter insert input accept -p tcp -sp 110 internet
Editing Scripts
When your needs exceed the services provided by the above scripts, each section can be modified to allow services into your LAN.
Web Server Example
#HTTP from LAN to WAN will be accepted
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -sp 80 internet
To add a web server to the script, copy both lines and change the copies so that you also have an output rule with [-sp] and an input rule with [-dp].
Working Solution
Below is a working solution. This can be implemented for most services in the same manner; however, it will not work with FTP.
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert output accept -p tcp -sp 80 internet
remote ipfilter insert input accept -p tcp -sp 80 internet
remote ipfilter insert input accept -p tcp -dp 80 internet
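To see how the ordered rule lists of Example 1, Example 3 and the web server edit above actually decide a packet, here is an added Python simulator. It is example code written for this page, not Efficient Networks software, and it rests on assumptions: `insert` places a rule at the top of the list, `append` at the bottom, the first matching rule wins, a configurable default applies to packets that match nothing, and `-tcp` means "every listed flag must be set". The sample packets and their names are constructed; the two addresses come from the page's sample log.

```python
"""Offline simulator of the first-match filter lists the scripts above build.
Added example, not Efficient Networks code. Assumed semantics: 'insert' puts
a rule at the top, 'append' at the bottom, the first match decides, and
DEFAULT decides packets that match nothing (Example 3 appends explicit drops)."""
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
Packet = namedtuple("Packet", "proto sa sp da dp flags")  # flags: frozenset

@dataclass
class Rule:
    action: str                         # accept | drop
    proto: int | None = None
    sp: tuple | None = None             # (lo, hi) port range; ICMP type for -p icmp
    dp: tuple | None = None
    tcp_flags: frozenset = frozenset()  # every listed flag must be set

def _port_range(text):
    lo, _, hi = text.partition(":")     # "1024:65535" or a single port
    return int(lo), int(hi or lo)

def parse_rule(line):
    """'remote ipfilter insert|append input|output accept|drop OPTIONS internet' -> (op, direction, Rule)."""
    tok = line.split()
    op, direction, rule, args = tok[2], tok[3], Rule(action=tok[4]), tok[5:-1]
    flags = set()
    for opt, val in zip(args[::2], args[1::2]):
        if opt == "-tcp":               # "-tcp syn -tcp ack" accumulates flags
            rule.proto = 6
            flags.add(val)
        elif opt == "-p":
            rule.proto = PROTO_NUM[val]
        elif opt in ("-sp", "-dp"):
            setattr(rule, opt[1:], _port_range(val))
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    rule.tcp_flags = frozenset(flags)
    return op, direction, rule

def matches(rule, pkt):
    def in_range(rng, value):
        return rng is None or rng[0] <= value <= rng[1]
    return ((rule.proto is None or rule.proto == pkt.proto)
            and in_range(rule.sp, pkt.sp) and in_range(rule.dp, pkt.dp)
            and rule.tcp_flags <= pkt.flags)

class WanInterface:
    def __init__(self, script, default="accept"):
        self.default, self.lists = default, {}
        for line in script.splitlines():
            tok = line.split()
            if tok[:2] != ["remote", "ipfilter"]:
                continue                # blanks, '#' comments, eth lines
            if tok[2] == "flush":
                self.lists[tok[3]] = []
                continue
            op, direction, rule = parse_rule(line)
            lst = self.lists.setdefault(direction, [])
            lst.insert(0 if op == "insert" else len(lst), rule)

    def decide(self, direction, pkt):
        for rule in self.lists.get(direction, []):
            if matches(rule, pkt):
                return rule.action
        return self.default

# Rule lines copied from the page's Example 1 (flag based) and Example 3
# (port based), trimmed to those the sample packets exercise.
EXAMPLE1 = """
remote ipfilter insert input accept -tcp ack internet
remote ipfilter insert output accept -tcp ack internet
remote ipfilter insert output accept -tcp syn internet
"""
EXAMPLE3 = """
remote ipfilter append input drop internet
remote ipfilter append output drop internet
remote ipfilter insert output accept -p tcp -dp 80 internet
remote ipfilter insert input accept -p tcp -sp 80 internet
"""
# The two extra lines the 'Working Solution' section adds for a LAN web server.
WEB_SERVER = """
remote ipfilter insert output accept -p tcp -sp 80 internet
remote ipfilter insert input accept -p tcp -dp 80 internet
"""
LAN, WAN = "192.168.254.3", "26.34.59.3"   # addresses from the page's sample log
SAMPLE = {  # constructed packets: (direction on the WAN interface, packet)
    "lan_browse_out": ("output", Packet(6, LAN, 1173, WAN, 80, frozenset({"syn"}))),
    "web_reply_in":   ("input",  Packet(6, WAN, 80, LAN, 1173, frozenset({"syn", "ack"}))),
    "wan_connect_in": ("input",  Packet(6, WAN, 40000, LAN, 80, frozenset({"syn"}))),
    "wan_sport80_in": ("input",  Packet(6, WAN, 80, LAN, 23, frozenset({"syn"}))),
}

def decisions(script, default="accept"):
    """Verdict for every sample packet under the given script."""
    wan = WanInterface(script, default)
    return {name: wan.decide(d, p) for name, (d, p) in SAMPLE.items()}
```

`decisions(EXAMPLE3)` accepts the LAN browser's SYN, accepts the web reply and drops the inbound SYN to port 80; adding `WEB_SERVER` turns that last verdict into accept, which is the whole point of the edit. The `wan_sport80_in` packet shows the caveat worth remembering with port-only rules: under Example 3 a packet arriving from the WAN with source port 80 is accepted whatever LAN port it is aimed at, because `-sp 80` is all the rule checks, whereas the flag-based rules of Example 1 (run here with a drop default) refuse any inbound packet that lacks ACK. On a real router, confirm the behaviour with the `-v` watch rules described later on this page rather than trusting the simulator's assumed semantics.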
Once you have installed the scripts you may need to allow additional services to access your LAN.
Allowing Additional Services LAN Access
IP filtering can be used to show the packets on a given interface. You can place IP filtering rules on the router that display the packets without restricting packet flow.
These rules can be used on a router that has a firewall as well as on one that does not. If it does not, enter [save] or all the rules will be lost during a reboot.
These rules can be left on a router with no ill effects. If you ever need to look at the packets again, all you have to do is turn the watch on and check your [sys hist] or [sys log].
Note: The minimum router software version is 3.5.0.
Displaying Packets
Use the following commands to display packets on a specific router interface.
eth ip fil insert input accept -v (ethernet input - from LAN)
eth ip fil insert output accept -v (ethernet output - to LAN)
rem ipf insert input accept -v <rem name> (remote input - from internet)
rem ipf insert output accept -v <rem name> (remote output - to internet)
Turn packet watch on.
eth ip fil watch on
rem ipf watch on <rem name>
You can also add ports and protocols to the filter to check for services passing from interface to interface.
Adding Ports and Protocols
eth ip fil insert output accept -v -p tcp -dp 25
eth ip fil insert input accept -v -p tcp -sp 25
rem ipfilter insert input accept -v -p tcp -dp 25 <rem name>
rem ipfilter insert output accept -v -p tcp -sp 25 <rem name>
The filter above would let you see packets for port 25, i.e. a mail server on the LAN. Use it when you want to know whether the server is active.
Displaying Watched Packets on a Telnet Session
sys hist
(or)
sys log start
and
sys log stop
Note: The packets will display automatically to the console or port monitor log. On dual Ethernet routers you must specify the Ethernet interface using a 0 or 1 after all Ethernet commands. This also applies to routers that support more than one Ethernet LAN subnet.
Results
What you get is a printout (like the following example) for every packet that goes through the interface. The information provided includes the date, time, protocol, source IP address, source port, destination IP address, destination port, and flag status. Be aware that Proto will be shown as a protocol number if the protocol is not TCP or UDP (e.g. 47 for GRE).
07/17/2000-13:29:14:PROTO 6 (TCP) pkt from 192.168.254.3/1173 to 26.34.59.3/80 accepted, ACK Flag
07/17/2000-13:29:14:PROTO 6 (TCP) pkt from 192.168.254.3/1174 to 26.34.59.3/80 accepted, No Flags
07/17/2000-13:29:14:PROTO 6 (TCP) pkt from 192.168.254.3/1173 to 26.34.59.3/80 accepted, ACK Flag
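As an added example that is not part of the Knowledge Base article, here is a Python parser for the printout format above. It answers the two questions the page raises for the watch filters: is a LAN server actually seeing traffic on its port, and which outside hosts are sending connection requests (SYN without ACK) towards the LAN. The regular expression follows the three lines shown above; the `dropped` verdict wording, the multi-flag `SYN ACK Flags` form and all log lines after the first three are constructed assumptions, as is the `192.168.254.0/24` LAN range.

```python
"""Offline parser for the packet-watch printout shown above. Added example,
not Efficient Networks code. The line layout is taken from the three sample
lines on the page; the 'dropped' verdict wording and the multi-flag form
'SYN ACK Flags' used in the constructed lines are assumptions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4})-(?P<time>\d\d:\d\d:\d\d):"
    r"PROTO (?P<proto>\d+)(?: \((?P<pname>\w+)\))? pkt from "   # '(TCP)' absent for e.g. GRE
    r"(?P<sa>[\d.]+)/(?P<sp>\d+) to (?P<da>[\d.]+)/(?P<dp>\d+) "
    r"(?P<verdict>\w+), (?P<flags>.+)$")

def parse_line(line):
    """Fields of one printout line as a dict, or None if the line is not one.
    'No Flags' becomes an empty set; 'ACK Flag' becomes {'ack'}."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    words = rec["flags"].split()
    if words[0] == "No":
        rec["flags"] = set()
    else:
        rec["flags"] = {w.lower() for w in words if w not in ("Flag", "Flags")}
    for key in ("proto", "sp", "dp"):
        rec[key] = int(rec[key])
    return rec

def port_activity(lines, server_ip, port):
    """Accepted packets reaching server_ip on port: the 'is the server
    active' check the page describes for the port-25 watch filter."""
    return sum(1 for r in map(parse_line, lines)
               if r and r["verdict"] == "accepted"
               and r["da"] == server_ip and r["dp"] == port)

def inbound_connection_requests(lines, lan_net):
    """SYN-only TCP packets from outside lan_net, i.e. the connection
    requests the Example 1 firewall is meant to refuse. Counter keyed by (sa, dp)."""
    net = ip_network(lan_net)
    hits = Counter()
    for r in map(parse_line, lines):
        if (r and r["proto"] == 6 and r["flags"] == {"syn"}
                and ip_address(r["sa"]) not in net):
            hits[(r["sa"], r["dp"])] += 1
    return hits

# The first three lines are copied from the page; the remaining lines are constructed.
SAMPLE_LOG = """\
07/17/2000-13:29:14:PROTO 6 (TCP) pkt from 192.168.254.3/1173 to 26.34.59.3/80 accepted, ACK Flag
07/17/2000-13:29:14:PROTO 6 (TCP) pkt from 192.168.254.3/1174 to 26.34.59.3/80 accepted, No Flags
07/17/2000-13:29:14:PROTO 6 (TCP) pkt from 192.168.254.3/1173 to 26.34.59.3/80 accepted, ACK Flag
07/17/2000-13:29:15:PROTO 6 (TCP) pkt from 26.34.59.3/80 to 192.168.254.3/1173 accepted, SYN ACK Flags
07/17/2000-13:29:16:PROTO 6 (TCP) pkt from 26.34.59.7/2031 to 192.168.254.3/80 dropped, SYN Flag
07/17/2000-13:29:16:PROTO 6 (TCP) pkt from 26.34.59.7/2032 to 192.168.254.3/80 dropped, SYN Flag
07/17/2000-13:29:17:PROTO 47 pkt from 26.34.59.9/0 to 192.168.254.1/0 accepted, No Flags
""".splitlines()

if __name__ == "__main__":
    print("packets to 26.34.59.3:80 ->", port_activity(SAMPLE_LOG, "26.34.59.3", 80))
    print("WAN connection requests ->", inbound_connection_requests(SAMPLE_LOG, "192.168.254.0/24"))
```

Feed it the text copied from `sys hist` or the syslog; lines that are not packet records (prompts, other log messages) come back as `None` and are skipped. Both verdicts are kept in the records, so the same parse can show whether a firewall rule is dropping what you expect or whether a watch-only rule (which accepts everything) is merely observing it.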
In addition to the previous scripts, the management interface of the router needs to be protected. This is very simple to do from either the command line or from the web GUI; however, the web GUI does not allow IP address specification.
Command Line Entries
From the command line, the following commands can be used:
system addtelnetfilter lan|firstipaddress/lastipaddress
system addhttpfilter lan|firstipaddress/lastipaddress
system addsnmpfilter lan|firstipaddress/lastipaddress
system addsyslogfilter lan|firstipaddress/lastipaddress
The management interface can also be disabled from the web GUI or the command line.
Changing Ports
Alternatively, the port itself can be changed. From the command line, enter the following:
system telnetport disable|port number
system httpport disable|port number
system snmpport disable|port number
system syslogport disable|port number
With all the above security items in place, Efficient Networks routers make a hard target for hacks.
Regarding Code Red and Similar Attacks
The Code Red and NIMDA IIS attacks (and others to follow) can also use up bandwidth. They can be stopped from harming the router with some simple measures. Both rely on port 80 being open and on the router itself accepting a tcp syn.
First, disable the HTTP management port on the router to external IP addresses, or limit it to IPs that you know need to access it.
Second, only accept tcp syns from IPs you know must manage the router.
The commands for this follow:
system httpport disable|port number
system addhttpfilter LAN|IP address
remote ipfilter insert input accept -tcp syn -sa xxx.xxx.xxx.xxx internet*
*Where xxx.xxx.xxx.xxx is the address from which you want to allow tcp syn.