robmack@eik.ii.uib.no (Robert MacKinnon) (04/03/91)

I have the following configuration: a Cisco AGS+ with two Ethernet interfaces and one token ring interface. One Ethernet connects to the UiB backbone; the other two interfaces connect to their respective LAN segments. The IP addressing is class B subnetted, so the UiB connection is to the 30 subnet (i.e. xxx.xxx.30.xx) and the other interfaces are to the 20 and 21 subnets respectively.

The scenario I wish to accomplish is to protect the 20 and 21 nets from being accessed through the 30 net. So, I wish free flowing of all packets between 20 and 21, and free flowing of all outbound packets through the 30 net. Conversely, I don't want any inbound packets from the 30 net to reach either the 20 or 21 nets EXCEPT for certain IP ports and services (like, for instance, mail and ping).

Currently, I am using access lists on the 20 and 21 nets to accomplish this filtering. However, I have come up with one possible security bug that could breach the security barriers on the 20 and 21 nets.

Another alternative to the security question would be to use IPSO and label the 20 and 21 nets as 'secure' and the 30 net as 'genser'. However, I would then not be able to allow certain IP services through to the 20 and 21 nets... IPSO would block all or none.

How do I set up the AGS+ to have the 20 and 21 interfaces reject packets if they originate from a PARTICULAR INTERFACE and not based on IP address?

Rob MacKinnon
Bergen, Norway
he@idt.unit.no (Havard Eidnes) (04/06/91)
In article <1991Apr2.225108.18647@eik.ii.uib.no>, robmack@eik.ii.uib.no (Robert MacKinnon) writes:

|> How do I set up the AGS+ to have the 20 and 21 interfaces reject packets
|> if they originate from a PARTICULAR INTERFACE and not based on IP address?

I can think of no easy way to do this, sorry.

What you're trying to do is to connect a "secure" network to an "insecure" network, and still be able to pass some traffic between these networks. I do not think that the IP security options were designed to solve that kind of problem.

What remains is a carefully crafted access list (I may help you if that's desired), turn off IP source routing on the cisco, and trust that nobody "out there" will pass you a datagram with source 129.177.2[01].x. If I am not much mistaken, that can only be done from the nearby network (129.177.30.x) since you have turned off processing of source routing through the cisco (no?). Anyway, you will not route that packet back to the "fake" source because you have turned off passing of source routed datagrams in the cisco.

- Havard (one of the two)
  Uninett TCP/IP technical manager
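The two filtering designs discussed in this thread, as an added example that is not part of either post and is not Cisco configuration: a small Python model of the packet decision. The first filter is the address-only outbound list Rob describes on the 20 and 21 interfaces; the second is the check keyed on the arrival interface that he asked for, which also removes the "trust that nobody out there spoofs 129.177.2[01].x" assumption in Havard's reply. The subnets follow the thread (129.177.20.0/24, 129.177.21.0/24 and 129.177.30.0/24); the interface names, the reading of "mail and ping" as SMTP on TCP/25 plus ICMP echo, and all sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnets from the thread. Interface names are assumed: the AGS+ has two
# Ethernets (one to the UiB backbone) and one Token Ring.
NET20 = ip_network("129.177.20.0/24")
NET21 = ip_network("129.177.21.0/24")
NET30 = ip_network("129.177.30.0/24")
INSIDE_NETS = (NET20, NET21)
IFACE_NET = {"Ethernet0": NET30, "Ethernet1": NET20, "TokenRing0": NET21}
BACKBONE_IF = "Ethernet0"


@dataclass(frozen=True)
class Packet:
    in_if: str                     # interface the datagram arrived on
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None    # TCP/UDP destination port
    icmp_type: Optional[int] = None


def inside(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in INSIDE_NETS)


def allowed_inbound_service(p: Packet) -> bool:
    """Services let in from the backbone. 'Mail and ping' is assumed to mean
    SMTP on TCP/25 and ICMP echo request (8) / echo reply (0)."""
    if p.proto == "tcp" and p.dport == 25:
        return True
    return p.proto == "icmp" and p.icmp_type in (0, 8)


def address_only_filter(p: Packet) -> str:
    """Outbound list on the 20/21 interfaces that trusts the source address.
    It never sees which interface the packet came in on."""
    if not inside(p.dst):
        return "permit"            # traffic leaving towards the backbone flows freely
    if inside(p.src):
        return "permit"            # looks like 20<->21 traffic, spoofed or not
    return "permit" if allowed_inbound_service(p) else "deny"


def interface_aware_filter(p: Packet) -> str:
    """Decision keyed on the arrival interface: an inside source address seen
    on the backbone interface is a spoof, and an inside interface only accepts
    its own subnet as source (anti-spoofing in both directions)."""
    expected = IFACE_NET.get(p.in_if)
    if expected is None:
        return "deny"
    if p.in_if == BACKBONE_IF:
        if inside(p.src):
            return "deny"          # 129.177.2[01].x arriving from the 30 net
        if inside(p.dst) and not allowed_inbound_service(p):
            return "deny"
        return "permit"
    if ip_address(p.src) not in expected:
        return "deny"              # inside host forging an outside source
    return "permit"


# Constructed sample packets (192.0.2.0/24 is documentation address space).
SAMPLE = {
    "spoofed_telnet": Packet("Ethernet0", "129.177.20.5", "129.177.21.7", "tcp", dport=23),
    "real_telnet_20_to_21": Packet("Ethernet1", "129.177.20.5", "129.177.21.7", "tcp", dport=23),
    "backbone_smtp": Packet("Ethernet0", "129.177.30.9", "129.177.20.1", "tcp", dport=25),
    "backbone_ping": Packet("Ethernet0", "192.0.2.10", "129.177.21.1", "icmp", icmp_type=8),
    "backbone_telnet": Packet("Ethernet0", "192.0.2.10", "129.177.21.1", "tcp", dport=23),
    "outbound_telnet": Packet("Ethernet1", "129.177.20.5", "192.0.2.10", "tcp", dport=23),
    "inside_spoof_of_30": Packet("TokenRing0", "129.177.30.9", "192.0.2.10", "tcp", dport=25),
}


def evaluate(name: str) -> tuple:
    """Return (address-only verdict, interface-aware verdict) for a sample."""
    p = SAMPLE[name]
    return address_only_filter(p), interface_aware_filter(p)


if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:24s} address-only={evaluate(name)[0]:6s} "
              f"interface-aware={evaluate(name)[1]}")
```

The "spoofed_telnet" packet is the hole Rob alludes to: it arrives on the backbone interface carrying a 129.177.20.x source, and the address-only list waves it through as if it were 20-to-21 traffic, while the interface-keyed check drops it. The inverse case ("inside_spoof_of_30") shows that the same arrival-interface test also stops an inside host from emitting packets with a foreign source.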