cisco ACLs/Firewall and nmap

[phishphreek]

Why is it then I can't see -sS scans from namp in my cisco ACLs logs?

I can see anything else that I can tell...

It just a cisco 831... not a pix or anything.

AFAIK, I've never seen stealth scans...

Am I configured incorrectly?

I know they are not returning anything... but I don't see it in my logs... and thats debugging.

[JP]

Greetings:

It's hard to tell if you're configured correctly or not, without seeing your configuration. How about posting up your ACLs.

[phishphreek]

I'm on a dsl connection, so this is my dialer0 interface incoming rule

access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 207.46.130.100 eq ntp any eq ntp
access-list 101 remark School
access-list 101 permit icmp x.x.0.0 0.0.255.255 any log
access-list 101 remark School
access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq ftp-data log
access-list 101 remark School
access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq ftp log
access-list 101 remark School
access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq 22 log
access-list 101 remark School
access-list 101 permit tcp x.x.0.0 0.0.255.255 any eq 3389 log
access-list 101 remark Work
access-list 101 permit icmp host xxx.xxx.xx.xx any log
access-list 101 remark Work
access-list 101 permit ip host xxx.xxx.xx.xx any log
access-list 101 remark Work
access-list 101 permit tcp host xxx.xxx.xx.xx any log
access-list 101 remark Work
access-list 101 permit udp host xxx.xxx.xx.xx any log
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

I have a vpn setup too... so thats why I'm allowing those private IPs... but you could figure that out.

[JP]

Greetings:

Ok, several things I want to comment on.

First, you do realize that once a connection reaches a rule that gives it an explicit allow, that it stops looking at the rest of the rules, right?

So, your IP deny statements at the bottom do you no good down there, as any traffic from them would still be allowed if it followed any of the rules above it. You want these on below your permit ip statements at the very top of your list like this:

access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 permit ip host 192.168.1.x any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any

You have a redundancy here
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any


Secondly, try adding a port range to your deny statement at the bottom like this:

deny ip any any range 0 65535 log


It's late, but everything else looks good to me at quick glance. Where are you sending these logs to? Are they going to a syslogd or what?

Also, if you want to be picking up the stealths and things, you'd be well set to have an IDS installed on a monitor port. Ever think about setting one up?

[phishphreek]

Where do I have the explicit allow?

edit:
Ah! Ok, now I see what you are saying... but I'm only allowing specific hosts... so the denys at the bottom should be ok?
Besides... they are private ips... so they can't be routed over the internet unelss they are authenticated via vpn?
/edit:

I am sending the logs to a syslog server.

I just saw the redundancy. I've been toying with this all evening after a long day...

I have been thinking about setting up an IDS, but I don't have the space at the moment.
When I move (which should be soon) I'll have a good chance to change the physical layout.

Right now I don't have the space.

I've been toying with the Cisco Intrusion Prevention System.

I'm trying to determine what comes first... ACLs then IPS, or IPS then ACLs.

I can't see anything in the logs regarding IPS, I'd have to *ass*ume ACLs...
Too bad it won't log both.

I'll add the ports to the ACL. Thanks for the help and suggestions.

[JP]

Greetings:

Originally posted here by phishphreek80
Where do I have the explicit allow?
edit:
Ah! Ok, now I see what you are saying... but I'm only allowing specific hosts... so the denys at the bottom should be ok?
/edit:

Well, you do have some permit any any X statements in there, but they aren't really a big deal. Still, it's good to deny the standard noroutes from everything, no matter how harmless it seems. It's also good to get in the habit of putting your deny ip statements at the top under the allow ips. I have seen a LOT of admins that could have saved themselves a LOT of problems if they had gotten into that routine early on.

[phishphreek]

I know you suggested an IDS system to detect the stealth activity...

And by that you are saying that Cisco CAN'T see stealth activity?

I want to put in an IDS but I have to wait for a while...