cisco dynamic ACLS?

Printable View

August 25th, 2004, 02:43 PM
phishphreek

cisco dynamic ACLS?

I've never heard of this done... but I was curious...

I'm using a Cisco 831 with IOS 12.3.8T3 (latest and greatest)

Can I create dynamic ACLs based on domain names?

Example:

I often need access to my home network from other places (work and school).

Work is easy, I create an ACL to allow my work IPs inbound.

School is a bit more complicated... there are quite a few IPs.
They have a public IP for every machine.
I can allow the whole netblock, but I don't want to do that.... if I don't have to.

Here is what I want to do:

Register a dynamic DNS domain name... somedomain.dyndns.org

allow inbound connections from somedomain.dyndns.org on the router.

I can run a dynamic dns updating program on the machine I want to connect with.
The records update pretty quickly, so that wouldn't be a problem.

How would I create an ACL that would allow inbound from a certain domain, not IP?

When I've tried this before, it would only allow me to do this with source/dest ip...

Would this create too much overhead? It would have to resolve every IP?
Or would it just have to resolve the IP IF it was trying to access VPN or the service/port I specify in the ACL?

Are there any security concerns if I were to do this? People can't spoof the domain name? They'd have to update the record. They would have to guess which domain names I allow and the username and password to update it...

In the past, I've just been allowing the whole netblock and monitoring my logs....

I still have the services secured behind the router... but I want to keep it as tight as possible. I've always applied security with a layered approach.

Just a thought that popped into my head...
August 25th, 2004, 03:00 PM
Shrekkie

hey phish i know you can for.ex. permit / deny based on dns but only if its one host . I didn't see so far the possibility of permit / denying all possible subdomains. So i guess i you have multiple dyndns and that way multiple acl's its possible. but only if you make multiple acl's then.

Code:

ROUTER(config)#access-list 101 permit ip host ? Hostname or A.B.C.D Source address

These are for example my possibilities in my extended acl. Hope this enlightens a bit

** EDIT ** Had to adapt the code. I needed to show the next step.
August 25th, 2004, 03:14 PM
phishphreek

Damn, I'm feeling half retarded today...

My sticky fingers messing up on they keyboard....

access-list 105 permit ip host somedomain.dyndns.org any log

Doh! I need to wake up. Now... where did I put that funnel and pot of coffee?

Now, would that cause the router to slow down a lot? Because it has to do all those lookups? I suppose I can test it out....
August 25th, 2004, 03:48 PM
Shrekkie

If it just are a few dns's, it will not slow down alot IMO. Have fun ;)
August 25th, 2004, 04:13 PM
Tiger Shark

Unless I'm doing a "Phish" this morning then it may slow the router considerably IMO.

What the ACL says is "run a reverse DNS lookup to determine whether or not the remote host belongs to domain xxxxxxx.xxx and if it does then allow the packet inbound to any"

If you start getting a lot of inbound connection attempts then each attempt is going to require a reverse DNS lookup. The problem I see is that reverse DNS entries are far from common. Couple this with the fact that the standard DNS timeout is 2 seconds, (and I'm assuming that this is true on your router), then every inbound connection is going to require up to a two second waiting period before a decision can be made. There would have to come a point where "critical mass" is reached and the router is effectively denied service.... A worm going wild out there may cause this and would be a good example....

Just my thoughts.....
August 25th, 2004, 04:21 PM
phishphreek

TS: Thats what I was thinking... but why would they allow you to do this if you are just going to DOS yourself? I guess they expect you to know better? lol

If I were to do it only for specific services/protocols... then it would only have to do a reverse dns lookup in that instance... but I see what you are saying about a worm. I could run the service on a non standard port and that would lessen the likelyhood of being DOS'd?

I don't have to implement this... I was just curious... I can allow the netblock as the services are locked down too...
August 25th, 2004, 04:25 PM
Tiger Shark

Quote:

but why would they allow you to do this if you are just going to DOS yourself?

Well, not all routers are internet facing.... Lots are internal so the acls against a domain name wouldn't be so bad but would still allow accounting to see sales' figures.
August 25th, 2004, 04:59 PM
Shrekkie

You could always set those dns's in the routers hosttables. For.ex. i have a dyndns too but i have pointed one of my own subdomains pointing to the dyndns. This way i have 2 static domainnames, yet behind the dyndns is a dynamic ip.

So you could put the domain referriing to the dyndns in the hosts table of the router. This way it doesn't have to do a reverse lookup, and considerably speeding up the filtering.

Cheers
August 25th, 2004, 06:24 PM
phishphreek

Shrekkie: Thats a pretty good idea. Thanks for the suggestion(s).