1 / 36

Access Control Lists

Access Control Lists. Accessing the WAN – Chapter 5. Objectives. Explain how ACLs are used to secure a medium-size Enterprise branch office network. Configure standard ACLs in a medium-size Enterprise branch office network.

carl-bonner
Download Presentation

Access Control Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Lists Accessing the WAN– Chapter 5

  2. Objectives • Explain how ACLs are used to secure a medium-size Enterprise branch office network. • Configure standard ACLs in a medium-size Enterprise branch office network. • Configure extended ACLs in a medium-size Enterprise branch office network. • Describe complex ACLs in a medium-size Enterprise branch office network. • Implement, verify and troubleshoot ACLs in an enterprise network environment.

  3. Security in the Campus Model • Core: not here. Fastest part of the network, implementing security here would slow it down. Besides, traffic has already got into the network. • Access switches: switch ports set to specific VLANs. Port security: disable port if too many MAC addresses. • Access routers: let traffic in/out from outside the network. Good place to enforce security • Inter-VLAN routers or L3 switches: allows traffic to cross between VLANs. Good place to enforce security

  4. Routers Inspect Packet Fields • Routers already inspect the destination IP address of a packet to determine how to route it • and may drop the packet if there is no route • We add a security mechanism: Access Control Lists (ACLs) • ACL: a set of rules that inspect some fields in a packet. • If the packet matches the rule, we can choose to keep the packet or drop the packet

  5. Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network • What steps occur in a complete TCP conversation?

  6. What Fields Can Be Inspected? • IP Source address • IP Destination address • Layer 4 protocol, e.g. TCP, IP, ICMP • Layer 4 source port • Layer 4 destination port, e.g. port 80 for the web • If the packet is start of a connection (SYN) or not • NOTE: traffic is bi-directional. Port 80 might be the destination port in one direction, but the source port in the other direction

  7. Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network • Explain how a packet filter allows or blocks traffic

  8. Where Can ACL Rules be Applied? • A group of rules (tests, entries) form an Access Control List • An ACL can be applied to a router interface in-bound • As soon as traffic arrives, before it is routed • An ACL can be applied to a router interface out-bound • As packets are queued for retransmission • On each interface, we can have two ACLs: • One in-bound and one out-bound

  9. Example Location of ACLs on Router Interfaces

  10. Rules in an Access Control List • Each rule (test, entry) is applied. If no match, move to next • If match, obey the permit or deny operation • If no rule matches drop the packet

  11. Standard and Extended ACLs • A standard ACL has rules that only match the source IP address and wildcard. Example: • An extended ACL has rules that match destination IP, L4 protocol and source & destination ports. • Wildcard: inverse of netmask. Think of it as a range. • 192.168.30.0 0.0.0.255 means 30.0 up to 30.255

  12. Naming or Numbering an ACL • ACLs can be numbered or named • Standard ACLs: name or number from 1 to 99 • Extended ACLs: name or number from 100 to 199

  13. Where to Place ACLs: Rule of Thumb • Extended: as close to the traffic source as possible • Standard: as close to the destination as possible

  14. ACL Best Practices • ACLs implement your organisation’s security policy • Often unreadable, so give each one a description • Fiddly to edit, so use a text editor • Will cause havoc when mistakes made, so always test them on a development network before you put them into production

  15. ACLs: Rule Order is Important • We want to block all of 131.70.5.0/24 from coming into our LAN, but we want to let 131.70.5.42 in. • access-list 10 deny 131.70.5.0 0.0.0.255 • access-list 10 permit 131.70.5.42 0.0.0.0 • This in fact will also block 131.70.5.42 • And it will block all traffic: implict deny all rule at the bottom • Reorder the rules: • access-list 10 permit 131.70.5.42 0.0.0.0 • access-list 10 deny 131.70.5.0 0.0.0.255 • access-list 10 permit 0.0.0.0 255.255.255.255

  16. Special Shorthand Keywords • “host X” matches a single host address • “any” matches all IP addresses • We can rewrite the ACL on the previous slide: • access-list 10 remark Let Sandeep’s PC in to the LAN • access-list 10 permit host 131.70.5.42 • access-list 10 remark But stop the rest of subnet 5.0 • access-list 10 deny 131.70.5.0 0.0.0.255 • access-list 10 remark All other traffic can come in • access-list 10 permit any

  17. Standard ACL Command Syntax

  18. Applying an ACL to an Interface • Once we have an ACL, we have to apply it to a specific interface an in a specific direction • interface fa0/0 • ip access-group 10 out

  19. Editing ACLs: The Easy Way • Show the entries for a specific ACL from the running configuration • Copy theminto a text file • Edit the text file • Do “no access-list 10” to remove the ACL from the router • Paste the corrected ruleset back into the router

  20. Named ACLs • Named ACLs are good as they help to document the purpose of the ACL

  21. Is My ACL Working? • How do I know if my ACL is working? Has it permitted or denied any traffic? Which rules are being used?

  22. Extended ACLs: More Power • Src/dest IP, L4 protocol, src/dest ports

  23. Extended ACLs • Operators to test if ports match, don’t match or are in a specific range; if pkt starts connection of part of an established connection

  24. Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network • Describe how to apply an extended ACL to an interface

  25. Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network • Describe how to create named extended ACLs

  26. Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network • List the three types of complex ACLs

  27. Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network • Explain how and when to use dynamic ACLs

  28. Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network • Explain how and when to use reflexive ACLs

  29. Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network • Explain how and when to use time-based ACLs

  30. Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network • Describe how to troubleshoot common ACL problems

  31. Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment • Create, place and verify a standard/ extended ACL and verify its placement. • Verify ACL’s functionality and troubleshoot as needed.

  32. Summary • An Access List (ACL) is: • A series of permit and deny statements that are used to filter traffic • Standard ACL • Identified by numbers 1 - 99 and 1300 - 1999 • Filter traffic based on source IP address • Extended ACL • Identified by number 100 -199 & 2000 - 2699 • Filter traffic based on • Source IP address • Destination IP address • Protocol • Port number

  33. Summary • Named ACL • Used with IOS 11.2 and above • Can be used for either standard or extended ACL • ACL’s use Wildcard Masks (WCM) • Described as the inverse of a subnet mask • Reason • 0  check the bit • 1  ignore the bit

  34. Summary • Implementing ACLs • 1st create the ACL • 2nd place the ACL on an interface • Standard ACL are placed nearest the destination • Extended ACL are placed nearest the source • Use the following commands for verifying & troubleshooting an ACL • Show access-list • Show interfaces • Show run

  35. Summary • Complex ACL • Dynamic ACL • Reflexive ACL • Time based ACL

More Related