
Understanding Cisco ACLs for Network Security

Learn about Access Control Lists to control network access, create Standard and Extended ACLs, and configure ACLs to enhance network security and performance. Discover how ACLs function on routers and how to apply and manage them effectively.





Presentation Transcript


  1. Access Control Lists: Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs. CCNA2 Chapter 11

  2. ACL – Access Control Lists • ACLs are instructions that are applied to a router's interfaces. • The ACLs tell the router what kind of packets to accept or deny. • Acceptance / denial can be based on: • source address • destination address • port number • ACLs are configured at the router to control access to a network or subnet. • ACLs must be defined separately for each protocol: one for IP, one for IPX, one for AppleTalk, etc. Sometimes they are called packet filters.

  3. Reasons to create ACLs • limit network traffic and hence increase network performance, e.g. selected packets can be processed before other traffic • control traffic flow, limiting traffic through the network • provide security • decide which traffic is blocked and which is forwarded

  4. Cisco IOS checks the packet and upper-layer headers for: • destination address • source address • protocol • port number • The ACL statements are checked in sequential order, and when there is a match, no more checks are made. If there are no matches, then the packet is discarded. • If additional statements are needed in the middle of an ACL, one must delete the ACL statements and re-create the ACL. (If additional statements are added at the end, then one does not have to delete the ACL statements.)

  5. When a packet enters an interface, the router: • 1) checks if there are ACLs • If there are, it tests the packet against the conditions. If it passes, then • 2) checks the packet against the routing tables • Then, at the destination interface, the router: • 1) checks for ACLs • If there are, it tests the packet against the conditions. If it passes, then • 2) sends it out the interface

  6. ACL statements operate in logical, sequential order. When there is a match, the rest of the conditions are not checked. If none of the ACL statements match, the implicit deny any applies. access-list 10 { permit | deny } { test conditions } access-list 10 { permit | deny } { test conditions } access-list 10 { permit | deny } { test conditions } access-list 10 { permit | deny } { test conditions } access-list 10 { permit | deny } { test conditions } access-list 10 deny any

  7. Two types of IP ACL: • standard - has an access list number of 1 - 99 • extended - has an access list number of 100 - 199 • Must be in global configuration mode: Router(config)# • Steps in creating ACLs: • 1) create the ACL (in global configuration mode) • 2) apply the ACL to an interface • ACLs can be written to filter: • inbound traffic, or • outbound traffic

  8. Where to place ACLs Standard ACLs are placed as close as possible to the destination. Extended ACLs are placed as close as possible to the source.

  9. Create: • Router(config)# access-list <ACL number> { permit | deny } { test conditions } • Router(config)# access-list 1 permit { test conditions } • Router(config)# access-list 50 deny { test conditions } • Apply: • At an interface: • Router(config)# int E0 • Router(config-if)# { protocol } access-group <ACL number> [in | out] • Out is the default if not mentioned • Router(config-if)# ip access-group 1 • Router(config-if)# ip access-group 50 • To delete all ACL statements of an access-list • Router(config)# no access-list <ACL number> • Router(config)# no access-list 50

  10. A wildcard mask is matched against an IP address or protocol address. It is a 32-bit mask divided into 4 octets, each containing 8 bits. A 0 in the mask means to check the bit. A 1 in the mask means to ignore the bit.

  11. Abbreviations • To permit any address: • 0.0.0.0 255.255.255.255 (address, then wildcard mask) • Use the abbreviation any • Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255 is equivalent to Router(config)# access-list 1 permit any

  12. Abbreviations • To match all the bits of an IP address: • Ex: 172.30.16.29 0.0.0.0 • Router(config)# access-list 1 permit 172.30.16.29 0.0.0.0 • Router(config)# access-list 1 permit host 172.30.16.29

  13. Standard ACLs • Criteria: • block all traffic from a network • allow all traffic from a network • deny entire protocol suites • Standard ACLs only check the source address. • Router(config)# access-list <ACL number> { deny | permit } source [ source wildcard] [log]

  14. Standard ACLs What does this statement perform: access-list 33 permit 172.16.0.0 0.0.255.255 log Permits all traffic from 172.16.0.0 and sends messages to the console every time the access list is hit.

  15. Standard ACLs What does this statement perform: access-list 44 deny 172.16.13.7 0.0.0.0 log Denies traffic from host 172.16.13.7 and sends messages to the console every time the access list is hit.

  16. Standard ACLs What does this statement perform: access-list 55 deny 172.16.64.0 0.0.0.255 Denies all traffic from network 172.16.64.0

  17. Standard ACLs • The log keyword: • Prints messages to the console that include the ACL number, whether the packet was permitted or denied, the source address, and the number of packets. • The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval. • Use for debugging. Not used for live networks.

  18. Standard ACLs • Example of applying the access-list (note: it is at the interface): • Router(config-if)# ip access-group 33 in • Router(config-if)# ip access-group 44 out • Router(config-if)# ip access-group 44

  19. Standard ACLs • To monitor IP access lists (at the EXEC mode): • show access-list • Displays all access lists and their parameters configured on the router. (Does not show which interface the list is set on.) • show access-list <ACL number> • Shows only the parameters for the access list <ACL number>. (Does not show the interface the list is set on.) • show ip access-list • Shows only the IP access lists configured on the router. • show ip interface • Shows which interfaces have access lists set. • show running-config • Shows the access lists and which interfaces have access lists set.

  20. Standard ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 server Non-172.16.0.0 172.16.4.13 R(config)# access-list 1 permit 172.16.0.0 0.0.255.255 R(config)# Interface E0 R(config-if)# ip access-group 1 out R(config)# Interface E1 R(config-if)# ip access-group 1 out What does it do?

  21. Standard ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 server Non-172.16.0.0 172.16.4.13 R(config)# access-list 1 permit 172.16.0.0 0.0.255.255 R(config)# Interface E0 R(config-if)# ip access-group 1 out R(config)# Interface E1 R(config-if)# ip access-group 1 out Allows only traffic from source network 172.16.0.0 to be forwarded and non-172.16.0.0 traffic is blocked.

  22. Standard ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 server Non-172.16.0.0 172.16.4.13 R(config)# access-list 1 deny 172.16.4.13 0.0.0.0 R(config)# access-list 1 permit any R(config)# Interface E0 R(config-if)# ip access-group 1 out What does this do?

  23. Standard ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 server Non-172.16.0.0 172.16.4.13 R(config)# access-list 1 deny 172.16.4.13 0.0.0.0 R(config)# access-list 1 permit any R(config)# Interface E0 R(config-if)# ip access-group 1 out Denies traffic from a specific device, 172.16.4.13 and allows all other traffic thru E0 to network 172.16.3.0.

  24. Standard ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 Non-172.16.0.0 172.16.4.13 • access-list 1 deny 172.16.4.0 0.0.0.255 • access-list 1 permit any • Interface E0 • ip access-group 1 out • What does this do?

  25. Standard ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 Non-172.16.0.0 172.16.4.13 • access-list 1 deny 172.16.4.0 0.0.0.255 • access-list 1 permit any • Interface E0 • ip access-group 1 out • Denies traffic from the subnet, 172.16.4.0 and allows all other traffic thru E0 to network 172.16.3.0.

  26. Extended ACLs • Criteria: • check for both source and destination packet addresses • check for a specific protocol • check for specific port numbers • permit or deny pings / telnets / FTP, etc. • for IP, the ACL numbers range between 100 - 199

  27. Extended ACLs • Port number (decimal) and IP protocol: • 20 FTP data • 21 FTP control • 23 Telnet • 25 Simple Mail Transfer Protocol (SMTP) • 53 DNS • 69 TFTP

  28. Extended ACLs • Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask • destination destination-mask operator operand [established] • ACL number • 100 - 199 • permit | deny • The entry allows or blocks the specified address • protocol • IP, TCP, UDP, ICMP, GRE or IGRP • source • Source address • source-mask • ACL wildcard mask • destination • Destination address • destination-mask • ACL wildcard mask

  29. Extended ACLs • Router(config)# access-list <ACL number> { permit | deny } protocol source source-mask • destination destination-mask operator operand [established] • operator • lt, gt, eq, neq • operand • Port number • established • Allows TCP traffic to pass if the packet belongs to an established connection (for example, has the ACK bit set). • access-list 101 permit tcp 172.16.4.0 0.0.0.255 any eq 25

  30. Extended ACLs Assign the ACL to an interface: Router(config-if)# ip access-group <ACL number> { in | out } NOTE: out is the default (though with the present IOS, you have to put out). Router(config)# int E0 Router(config-if)# ip access-group 101 in

  31. Extended ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 Non-172.16.0.0 172.16.4.13 • access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 • access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255 • Interface E0 • ip access-group 101 • What does this do?

  32. Extended ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 Non-172.16.0.0 172.16.4.13 • access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 • access-list 101 permit ip 172.16.4.0 0.0.0.255 0.0.0.0 255.255.255.255 • Interface E0 • ip access-group 101 • Blocks FTP traffic from all hosts on 172.16.4.0 to any device on 172.16.3.0 and allows all other traffic to 172.16.3.0

  33. Extended ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 Non-172.16.0.0 172.16.4.13 • access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23 • access-list 101 permit ip any any • Interface E0 • ip access-group 101 • What does this do?

  34. Extended ACLs 172.16.3.0 172.16.4.0 E0 E1 S0 Non-172.16.0.0 172.16.4.13 • access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 23 • access-list 101 permit ip any any • Interface E0 • ip access-group 101 • Denies only telnet traffic from the 172.16.4.0 network to the 172.16.3.0 network and permits all other traffic thru E0 to any address.

  35. Extended/Standard ACL numbers for IP • NOTE: • Standard ACL numbers: 1 - 99; 1300 - 1999 • Extended ACL numbers: 100 - 199; 2000 - 2699

  36. Extended/Standard ACL One cannot add ACL statements to a numbered access-list except at the end of the list. The access list must be deleted first, and then rewritten. That is why it is a good idea to first write your access-list in text (using Notepad), and then transfer it to your router. Outbound filters do not affect traffic originating from the local router!

  37. Configuring Named ACLs • NOTE: • named ACLs are not compatible with Cisco IOS releases prior to Release 11.2 • cannot use the same name for multiple ACLs. • Ex. Can't specify a standard ACL named XYZ and an extended ACL with the same name. • can be used both for standard and extended ACLs • use an alphanumeric string instead of the ACL number (1 - 199) • use Named ACLs to intuitively identify ACLs using an alphanumeric name • use Named ACLs when more than 99 standard and 100 extended ACLs have to be configured in a router for a given protocol

  38. Configuring Named ACLs
      Router(config)# ip access-list { standard | extended } name
      { deny | permit } { commands }

      ip access-list standard internetfilter
        deny 172.10.15.0 0.0.0.255
        permit 128.88.0.0 0.0.255.255
        permit 36.0.0.0 0.0.255.255

      ip access-list extended marketing-group
        permit tcp any 171.69.0.0 0.255.255.255 eq telnet
        deny udp any 171.69.0.0 0.255.255.255 lt 1024

  39. Named ACL A named ACL will allow the deletion of individual statements, but will only allow new statements to be inserted at the end of the list.

  40. More Details
      access-list 1 permit 172.16.0.0 0.0.255.255
      Address:        10101100.00010000.00000000.00000000
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxxx
      Matched value:  10101100.00010000.xxxxxxxx.xxxxxxxx
      Incoming packet with address of 172.18.4.2. Will it be permitted?
      Source:         10101100.00010010.00000100.00000010
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxxx
      Result:         10101100.00010010.xxxxxxxx.xxxxxxxx

  41. access-list 1 permit 172.16.0.0 0.0.255.255
      Address:        10101100.00010000.00000000.00000000
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxxx
      Matched value:  10101100.00010000.xxxxxxxx.xxxxxxxx
      Incoming packet with address of 172.18.4.2. Will it be permitted?
      Source:         10101100.00010010.00000100.00000010
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxxx
      Result:         10101100.00010010.xxxxxxxx.xxxxxxxx
      Does the result equal the matched value? No! The incoming packet will not be permitted.

  42. access-list 1 permit 172.16.0.0 0.0.255.255
      Address:        10101100.00010000.00000000.00000000
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxxx
      Matched value:  10101100.00010000.xxxxxxxx.xxxxxxxx
      Incoming packet with address of 172.16.4.2. Will it be permitted?
      Source:         10101100.00010000.00000100.00000010
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxxx
      Result:         10101100.00010000.xxxxxxxx.xxxxxxxx
      Does the result equal the matched value? Yes! The incoming packet will be permitted.

  43. access-list 1 permit 172.16.0.0 0.0.255.254
      Address:        10101100.00010000.00000000.00000000
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxx0
      Matched value:  10101100.00010000.xxxxxxxx.xxxxxxx0
      Incoming packet with address of 172.16.4.1. Will it be permitted?
      Source:         10101100.00010000.00000100.00000001
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxx0
      Result:         10101100.00010000.xxxxxxxx.xxxxxxx1
      Incoming packet with address of 172.16.4.4. Will it be permitted?
      Source:         10101100.00010000.00000100.00000100
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxx0
      Result:         10101100.00010000.xxxxxxxx.xxxxxxx0

  44. access-list 1 permit 172.16.0.0 0.0.255.254
      Address:        10101100.00010000.00000000.00000000
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxx0
      Matched value:  10101100.00010000.xxxxxxxx.xxxxxxx0
      Incoming packet with address of 172.16.4.5. Will it be permitted?
      Source:         10101100.00010000.00000100.00000101
      Wildcard mask:  00000000.00000000.xxxxxxxx.xxxxxxx0
      Result:         10101100.00010000.xxxxxxxx.xxxxxxx1
      This access list permits 172.16.4.4 and denies 172.16.4.1 and 172.16.4.5: it permits all even addresses from the network 172.16.0.0.

  45. Permit/Deny blocks of addresses One can permit or deny a block of addresses. However, the block size must be a power of 2 (for example 2, 4, 8, 16, 32, 64, 128, etc.). When we need to specify a range of addresses, choose the closest block size for our needs. Example: block access to the part of a network that is in the range from 172.16.0.8 through 172.16.0.15. This is a block size of 8. Hence: 172.16.0.8 0.0.0.7 Note: the wildcard part is always 1 less than the block size! Also, for a block of 8 the beginning address must start at a multiple of 8: 0, 8, 16, etc.

  46. Permit/Deny blocks of addresses Example: A subnet whose addresses range from 171.17.2.128 to 171.17.2.191. To divide this network so the top half of the addresses are permitted and the bottom half are denied to any other network. What is the access list? The subnet is a block of 64, so each half is a block of 32 (wildcard 0.0.0.31). What is the access-list for the bottom half? access-list 101 deny ip 171.17.2.128 0.0.0.31 any What is the access-list for the top half? access-list 101 permit ip 171.17.2.160 0.0.0.31 any

  47. Permit/Deny blocks of addresses What does this do? access-list 10 deny 172.16.64.0 0.0.63.255 Denies a block of 64 subnetworks starting at 172.16.64.0
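An added Python helper (not from the slides) for the block-size rule on slides 45-47: it derives the wildcard from a power-of-two block size, rejects a start address that is not on a block boundary, and shows which range an address/wildcard pair really matches. block_wildcard and matched_range are names chosen here; the sample ranges are the slides' own.

```python
import ipaddress
from typing import Tuple

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_addr(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def block_wildcard(start: str, block_size: int) -> Tuple[str, str]:
    """Address and wildcard for a block of block_size addresses beginning at start.

    Slide 45 rules: block_size must be a power of 2, the wildcard is block_size - 1,
    and start must be a multiple of block_size (0, 8, 16, ... for a block of 8)."""
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError(f"block size {block_size} is not a power of 2")
    offset = to_int(start) % block_size
    if offset:
        raise ValueError(f"{start} is not on a {block_size}-address boundary; "
                         f"the block containing it starts at {to_addr(to_int(start) - offset)}")
    return start, to_addr(block_size - 1)

def matched_range(base: str, wildcard: str) -> Tuple[str, str]:
    """First and last address that base/wildcard actually matches.

    The router compares only the bits where the wildcard is 0, so a base that is
    not block-aligned silently matches the block it falls into, not a block
    starting at the base (e.g. 171.17.2.159 0.0.0.31 covers .128 to .159)."""
    wc = to_int(wildcard)
    if wc & (wc + 1):
        raise ValueError("only a contiguous run of low-order 1 bits describes one block")
    low = to_int(base) & ~wc & 0xFFFFFFFF
    return to_addr(low), to_addr(low | wc)
```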

  48. Virtual Terminal ACL To block access through the vty ports in order to control telnet sessions into the router, write the ACL as usual but use access-class to apply it. Example: Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255 Router(config)# line vty 0 4 Router(config-line)# login Router(config-line)# password cisco Router(config-line)# access-class 1 in Note: only numbered access lists can be applied to virtual lines!

  49. Established option The 'established' option in an access-list applies only to TCP datagrams. There are cases when one wants to stop a host B from initiating a connection with a host A while permitting A to initiate connections with B. [Diagram: A establishes a connection to B; B's response back to A is what established matches.]

  50. Established option 172.16.3.0 E1 E0 INTERNET 172.16.4.0 172.16.3.13 Note: established argument is limited to tcp which means UDP, ICMP and all other IP protocols are not matched - and will be denied unless specifically allowed. Router(config)# access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq www established Router(config)# access-list 101 permit icmp any any Router(config)# access-list 101 permit udp any any eq 53 Router(config)# int E1 Router(config-if)# ip access-group 101 in
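As an added example (not part of the slides), here is a small Python model of the matching rules described on slides 6, 10, 33-34, 40-44 and 50: the wildcard mask decides which bits are compared, entries are tested top-down with the first match deciding, and anything unmatched hits the implicit deny. Entry, evaluate and the ACL_* lists are names chosen here, not IOS ones; the packets fed to evaluate are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Slide 10 rule: a 0 bit in the wildcard means check that bit, a 1 means ignore it."""
    care = ~to_int(wildcard) & 0xFFFFFFFF        # 1 where the bit must equal the base
    return (to_int(addr) & care) == (to_int(base) & care)

@dataclass
class Entry:
    """One access-list line (hypothetical model); a standard ACL uses only action, src, src_wc."""
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"                # defaults model "any" = 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    protocol: str = "ip"                # "ip" matches every IP protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None         # extended "eq <port>" after the destination = destination port
    established: bool = False           # extended "established": TCP with the ACK bit set

def entry_matches(e: Entry, src: str, dst: str, proto: str, dport: Optional[int], ack: bool) -> bool:
    return (wildcard_match(src, e.src, e.src_wc)
            and wildcard_match(dst, e.dst, e.dst_wc)
            and e.protocol in ("ip", proto)
            and (e.dport is None or e.dport == dport)
            and (not e.established or (proto == "tcp" and ack)))

def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None, ack: bool = False) -> str:
    """Slide 6: test entries top-down, the first match decides; no match means
    the packet hits the implicit 'deny any' at the end of every ACL."""
    for e in acl:
        if entry_matches(e, src, dst, proto, dport, ack):
            return e.action
    return "deny"

# Slides 40-42: access-list 1 permit 172.16.0.0 0.0.255.255
ACL_1 = [Entry("permit", "172.16.0.0", "0.0.255.255")]
# Slides 43-44: access-list 1 permit 172.16.0.0 0.0.255.254 (even host addresses only)
ACL_EVEN = [Entry("permit", "172.16.0.0", "0.0.255.254")]
# Slides 33-34: deny telnet from 172.16.4.0/24 to 172.16.3.0/24, then permit ip any any
ACL_101 = [Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", 23),
           Entry("permit")]
# Slide 50: TCP with ACK set to port www, ICMP, and UDP to port 53 are permitted; all else denied
ACL_EST = [Entry("permit", protocol="tcp", dst="172.16.0.0", dst_wc="0.0.255.255",
                 dport=80, established=True),
           Entry("permit", protocol="icmp"),
           Entry("permit", protocol="udp", dport=53)]
```

In IOS syntax an operator placed after the destination address tests the destination port, which is how the eq www and eq 53 entries from slide 50 are modelled here.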
