Network Security

Port Filtering
WHAT IS PORT FILTERING?
- blocking the use of certain Internet services by computers on your network [1]
- allowing or blocking network packets into or out of a device or the network based on their application (port number) [2]
- practice of selectively enabling or disabling TCP ports and UDP ports on computers or network devices [3]
- protects from security risks that attack specific ports, but doesn't do any real packet inspection [4]

[1] 108 Mbps Wireless Router WGT624 v4 Reference Manual, 2007, p.50.
[2] https://www.pcmag.com/encyclopedia/term/65979/port-filtering
[3] https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8c2d046b-4be8-49ee-a76f-ed19ba98e83f.mspx?mfr=true
[4] https://arstechnica.com/civis/viewtopic.php?f=20&t=946678
EXAMPLE
System Requirements
The company has three servers. Assign one server to each section: Server0 for the development section, Server1 for the production section and Server2 for the management section. Sections should be able to access only their own server; they are not allowed to access each other's servers.
The development section should be able to access the production section. It should not be able to access the management section.
The production section should be able to access the development section. It should not be able to access the management section.
Users from development are not allowed to ping their server (Server0), but they are allowed to access all services running on their server.
One user (PC0) from the development section should not be able to access anything except its own section.
One user (PC2) is allowed to access only the web service on the server.
One user (PC3) from the production section should also be able to access the management section.
One user (laptop0) from the management section should be able to access only the server section, not the development section or the production section. This user is allowed to access only the FTP and web services on the server.
CONFIGURATION
ROUTER 1
Router(config)#ip access-list extended 110
Router(config-ext-acl)# deny ip host 200.0.0.2 any
Router(config-ext-acl)# permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
Router(config-ext-acl)# deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
Router(config-ext-acl)# deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
Router(config-ext-acl)# permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
Router(config-ext-acl)# deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
Router(config-ext-acl)#exit
Router(config)#
Router(config)#ip access-list extended 120
Router(config-ext-acl)# permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
Router(config-ext-acl)# permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
Router(config-ext-acl)# deny ip 200.0.0.128 0.0.0.63 200.0.0.192 0.0.0.31
Router(config-ext-acl)# permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
Router(config-ext-acl)# deny ip host 200.0.0.130 host 200.0.0.227
Router(config-ext-acl)# permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
Router(config-ext-acl)# deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15
Router(config-ext-acl)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 110 in
Router(config-if)#exit
Router(config)#
Router(config)#interface fastethernet 0/1
Router(config-if)#ip access-group 120 in
Router(config-if)#exit
Router(config)#
CONFIGURATION
ROUTER 2
Router(config)#ip access-list extended SecureManagement
Router(config-ext-acl)#permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
Router(config-ext-acl)#permit tcp host 200.0.0.194 host 200.0.0.228 eq 80
Router(config-ext-acl)#deny ip host 200.0.0.194 host 200.0.0.228
Router(config-ext-acl)#permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
Router(config-ext-acl)#deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
Router(config-ext-acl)#permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131
Router(config-ext-acl)#exit
Router(config)#
Router(config)#interface Fa0/0
Router(config-if)#ip access-group SecureManagement in
Router(config-if)#exit
Router(config)#
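The three access lists above are evaluated top-down, first match wins, and every extended ACL ends with an implicit deny that drops anything no entry permitted. The following is an added example, not part of the original slides and not Cisco code: a small Python evaluator that parses the ACL entries exactly as written on the slides (wildcard masks, host, any, eq port, icmp echo), applies those semantics, and checks the resulting decisions against the system requirements. Server and named-PC addresses are the ones used in the configuration; 200.0.0.5, 200.0.0.140 and 200.0.0.200 are constructed sample hosts standing in for an ordinary machine in the development, production and management sections respectively.

```python
import ipaddress
from collections import namedtuple

# ACL entries copied from the slide configuration (router prompt stripped).
ACL_110 = """
deny ip host 200.0.0.2 any
permit ip 200.0.0.0 0.0.0.127 200.0.0.128 0.0.0.63
deny ip 200.0.0.0 0.0.0.127 200.0.0.192 0.0.0.31
deny icmp 200.0.0.0 0.0.0.127 host 200.0.0.226 echo
permit ip 200.0.0.0 0.0.0.127 host 200.0.0.226
deny ip 200.0.0.0 0.0.0.127 200.0.0.224 0.0.0.15
"""
ACL_120 = """
permit ip 200.0.0.128 0.0.0.63 200.0.0.0 0.0.0.127
permit ip host 200.0.0.131 200.0.0.192 0.0.0.31
deny ip 200.0.0.128 0.0.0.63 200.0.0.192 0.0.0.31
permit tcp host 200.0.0.130 host 200.0.0.227 eq 80
deny ip host 200.0.0.130 host 200.0.0.227
permit ip 200.0.0.128 0.0.0.63 host 200.0.0.227
deny ip 200.0.0.128 0.0.0.63 200.0.0.224 0.0.0.15
"""
ACL_MGMT = """
permit tcp host 200.0.0.194 host 200.0.0.228 eq 21
permit tcp host 200.0.0.194 host 200.0.0.228 eq 80
deny ip host 200.0.0.194 host 200.0.0.228
permit ip 200.0.0.192 0.0.0.31 host 200.0.0.228
deny ip 200.0.0.192 0.0.0.31 200.0.0.224 0.0.0.15
permit ip 200.0.0.192 0.0.0.31 host 200.0.0.131
"""

# One parsed ACL line; proto "ip" matches any protocol, dport/icmp_type may be None.
Entry = namedtuple("Entry", "action proto src dst dport icmp_type")

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Wildcard mask: 0 bits must match, 1 bits are "don't care" (the inverse of a
    # subnet mask).  Only contiguous low-order 1 bits are handled here.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    bits = wildcard.bit_length()
    if wildcard != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard:#x}")
    return ipaddress.ip_network(f"{tok}/{32 - bits}", strict=False)

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used on the slides."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _parse_addr(tokens), _parse_addr(tokens)
        dport = icmp_type = None
        if tokens and tokens[0] == "eq":      # destination port (tcp/udp)
            dport = int(tokens[1])
        elif tokens and proto == "icmp":      # icmp message type, e.g. echo
            icmp_type = tokens[0]
        entries.append(Entry(action, proto, src, dst, dport, icmp_type))
    return entries

def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto not in ("ip", proto) or src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        return e.action
    return "deny"

def check_requirements():
    """ACL decision for one representative packet per requirement (sample hosts are constructed)."""
    dev, prod, mgmt = parse_acl(ACL_110), parse_acl(ACL_120), parse_acl(ACL_MGMT)
    return {
        "dev_to_prod": evaluate(dev, "tcp", "200.0.0.5", "200.0.0.140", 22),
        "dev_to_mgmt": evaluate(dev, "tcp", "200.0.0.5", "200.0.0.200", 22),
        "dev_ping_server0": evaluate(dev, "icmp", "200.0.0.5", "200.0.0.226", icmp_type="echo"),
        "dev_http_server0": evaluate(dev, "tcp", "200.0.0.5", "200.0.0.226", 80),
        "pc0_to_prod": evaluate(dev, "tcp", "200.0.0.2", "200.0.0.140", 22),
        "pc2_http_server1": evaluate(prod, "tcp", "200.0.0.130", "200.0.0.227", 80),
        "pc2_ssh_server1": evaluate(prod, "tcp", "200.0.0.130", "200.0.0.227", 22),
        "pc3_to_mgmt": evaluate(prod, "tcp", "200.0.0.131", "200.0.0.200", 22),
        "prod_to_mgmt": evaluate(prod, "tcp", "200.0.0.140", "200.0.0.200", 22),
        "laptop0_ftp_server2": evaluate(mgmt, "tcp", "200.0.0.194", "200.0.0.228", 21),
        "laptop0_ssh_server2": evaluate(mgmt, "tcp", "200.0.0.194", "200.0.0.228", 22),
        "mgmt_to_dev": evaluate(mgmt, "tcp", "200.0.0.200", "200.0.0.5", 22),
        "mgmt_reply_to_pc3": evaluate(mgmt, "tcp", "200.0.0.200", "200.0.0.131", 22),
    }

if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{name:22s} {verdict}")
```

Two points the evaluator makes visible. An extended ACL is stateless, so the last SecureManagement entry (management section to 200.0.0.131) is what lets replies reach PC3; without it PC3's sessions into the management section would leave Router 1 but their answers would hit the implicit deny on Router 2's Fa0/0. And "eq 21" permits only the FTP control connection; the FTP data connection is negotiated on a separate port and is not covered by that entry, which is the kind of gap that pure port filtering, with no packet inspection, cannot close on its own.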