
Need a review of this PIX ACL.


jgiacobbe

MIS
May 4, 2005
38
US
Just looking for confirmation on this access list. If I apply this to my inside access list it should block access to time servers and SMTP servers on the internet. You can guess from the name of the access list that it is intended to prevent the sobor virus from spreading if any internal clients are infected. I also know that I have not blocked SMTP access to the 192.168.71.0 network. Their email accounts have not been fully migrated from external email servers. The permit statement at the bottom is intended to allow all traffic other than that which is explicitly blocked. I know the hit counts are 0 for most of the lines, but this was copied about 10 seconds after the ACL was applied.

access-list sobor line 1 deny udp 192.168.1.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 2 deny udp 192.168.11.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 3 deny udp 192.168.17.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 4 deny udp 192.168.19.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 5 deny udp 192.168.21.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 6 deny udp 192.168.23.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 7 deny udp 192.168.31.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 8 deny udp 192.168.71.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 9 deny udp 192.168.73.0 255.255.255.0 any eq time (hitcnt=0)
access-list sobor line 10 deny tcp 192.168.11.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 11 deny tcp 192.168.17.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 12 deny tcp 192.168.19.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 13 deny tcp 192.168.21.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 14 deny tcp 192.168.23.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 15 deny tcp 192.168.31.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 16 deny tcp 192.168.73.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list sobor line 17 permit ip any any (hitcnt=414)

I am not an expert on PIX firewalls, to say the least. I am an MCSE/CCNA who is one of only 3 IT professionals who support a rather large network shared by several companies.

Thanks in advance for any feedback.

Jeremy Giacobbe
 
Only thing I'd comment on is why don't you deny all NTP and SMTP from any source network, e.g.

access-list sobor deny udp any any eq time
access-list sobor deny tcp any any eq smtp

Or if one of two machines/subnets need access, permit those subnets and then do a deny any for SMTP and NTP.


Other than that it looks fine to me - I just like to keep my ACLs as small and manageable as possible.

Also I noticed that the 192.168.1.0 network is allowed to access SMTP (but denied for NTP) - not sure if this is by design.
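To check the two review points above mechanically, here is a small first-match ACL simulator. It is an added example, not code from the thread or from any Cisco tool. It rebuilds the 17 posted entries and the shorter form the reply suggests (with a permit ahead of the deny for the 192.168.71.0 network, which the original poster said is not yet migrated), runs a few constructed flows through both, and lists the source networks that are denied Time but never denied SMTP. The sample hosts and the 203.0.113.0/24 destinations are constructed. One caveat visible in the port table: the PIX literal "time" is the Time protocol on UDP/37, and NTP is the separate literal "ntp" on UDP/123, so an entry with "eq time" does not cover NTP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PIX port literals seen in the thread. "time" is the Time protocol (UDP/37);
# NTP is the separate literal "ntp" (UDP/123), which the posted ACL never uses.
PORTS = {"time": 37, "ntp": 123, "smtp": 25}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port
    hits: int = 0               # local hit counter, like hitcnt in "show access-list"


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [line N] ACTION PROTO SRC DST [eq PORT] [(hitcnt=N)]'.
    SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = line.split()
    i = 4 if tok[2] == "line" else 2          # skip "access-list NAME [line N]"
    action, proto = tok[i], tok[i + 1]
    i += 2

    def network() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ANY
        if tok[i] == "host":
            i += 2
            return ipaddress.IPv4Network(tok[i - 1] + "/32")
        i += 2
        return ipaddress.IPv4Network(f"{tok[i - 2]}/{tok[i - 1]}")

    src, dst = network(), network()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation as the PIX does it; returns (action, 1-based entry number),
    falling through to the implicit deny when no entry matches."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action, n
    return "deny", None


def subnets_missing_smtp_deny(acl: List[Ace]) -> List[str]:
    """Source networks denied Time (udp/37) but never denied SMTP (tcp/25):
    the asymmetry pointed out in the reply."""
    time_srcs = {a.src for a in acl if a.action == "deny" and a.proto == "udp" and a.dport == 37}
    smtp_srcs = {a.src for a in acl if a.action == "deny" and a.proto == "tcp" and a.dport == 25}
    return sorted(str(n) for n in time_srcs - smtp_srcs)


# The posted ACL, rebuilt from its 17 entries: nine Time denies, seven SMTP denies
# (192.168.1.0 and 192.168.71.0 have no SMTP deny), then permit ip any any.
TIME_NETS = ["192.168.1.0", "192.168.11.0", "192.168.17.0", "192.168.19.0", "192.168.21.0",
             "192.168.23.0", "192.168.31.0", "192.168.71.0", "192.168.73.0"]
SMTP_NETS = [n for n in TIME_NETS if n not in ("192.168.1.0", "192.168.71.0")]
POSTED_ACL = "\n".join(
    [f"access-list sobor deny udp {n} 255.255.255.0 any eq time" for n in TIME_NETS]
    + [f"access-list sobor deny tcp {n} 255.255.255.0 any eq smtp" for n in SMTP_NETS]
    + ["access-list sobor permit ip any any"])

# The shorter form from the reply: permit the one exception, then deny any, then permit the rest.
COLLAPSED_ACL = """
access-list sobor permit tcp 192.168.71.0 255.255.255.0 any eq smtp
access-list sobor deny udp any any eq time
access-list sobor deny tcp any any eq smtp
access-list sobor permit ip any any
"""

# Constructed sample flows: (proto, src, dst, dport).
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.10", "203.0.113.25", 25),    # SMTP from the subnet with no SMTP deny
    ("tcp", "192.168.11.10", "203.0.113.25", 25),   # SMTP from a blocked subnet
    ("tcp", "192.168.71.10", "203.0.113.25", 25),   # SMTP from the not-yet-migrated subnet
    ("udp", "192.168.1.10", "203.0.113.37", 37),    # Time protocol
    ("udp", "192.168.1.10", "203.0.113.37", 123),   # NTP, which "eq time" does not cover
]


def review(acl_text: str) -> List[str]:
    """Action taken for each sample flow under the given ACL."""
    acl = parse_acl(acl_text)
    return [evaluate(acl, *flow)[0] for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("collapsed", COLLAPSED_ACL)):
        print(name, review(text))
    print("Time denied but SMTP allowed:", subnets_missing_smtp_deny(parse_acl(POSTED_ACL)))
```

Running it shows the posted list permitting SMTP from 192.168.1.0 (the point raised above) while the collapsed list denies it, and both lists passing UDP/123 untouched.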
 
I would have denied all and only allowed a couple of subnets, but there are just as large a number of subnets on the network that I don't per se have authority over. Yes, it is a little funky to have control over the firewall but not all the subnets. Let's just say it is kind of political. Allowing the 192.168.1.0 network SMTP access was an oversight. Thank you for noticing.

Jeremy Giacobbe
MCSE, CCNA
 