1 / 31

CIT 384: Network Administration

CIT 384: Network Administration. Access Lists. Topics. Access Lists Wildcard Masks Standard ACLs Extended ACLs Examples Named ACLs Reflexive ACLs. Access Control Lists. ACLs cause routers to filter packets Packets specified by IP address, protocol, etc.

zasha
Download Presentation

CIT 384: Network Administration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIT 384: Network Administration Access Lists CIT 384: Network Administration

  2. Topics • Access Lists • Wildcard Masks • Standard ACLs • Extended ACLs • Examples • Named ACLs • Reflexive ACLs CIT 384: Network Administration

  3. Access Control Lists ACLs cause routers to filter packets • Packets specified by IP address, protocol, etc. • Used to protect network from attacks. CIT 384: Network Administration

  4. What You Can Do Filter packets based on: • IP address packet is coming from • IP address packet is going to • Network protocol (ICMP, TCP, BGP, etc.) • TCP/UDP port packet is coming from • TCP/UDP port packet is going to • TCP flags (SYN,ACK,RST,etc.) set in packet CIT 384: Network Administration

  5. What You Can Do Using packet filtering you can: • Prevent any outside IP address from connecting to the telnet port on any of your networks. • Allow certain IP addresses to connect to the ssh port on a single server on your network. • Allow anyone to connect via HTTP or HTTPS to your web server. CIT 384: Network Administration

  6. What You Can’t Do Basic packet filtering isn’t powerful enough to: • Specify which users can login via telnet from the outside. • Limit which files can be transferred out of your network. • Prevent people from tunneling IM protocols over outbound HTTP connections. CIT 384: Network Administration

  7. Where Can ACLs Be Used On each interface inbound: before routing decisions outbound: after reouting decisions CIT 384: Network Administration

  8. Wildcard Masks Wildcard masks • Define portion of IP address to be ignored. • 0s for matching bits, 1s for wildcard bits • Logical inverse of a subnet mask CIT 384: Network Administration

  9. Computing Wildcard Masks Take network address + netmask to block 172.16.8.0 255.255.252.0 Subtract subnet mask from 255.255.255.255 255.255.255.255 - 255.255.252.0 0. 0. 3.255 CIT 384: Network Administration

  10. Types of Cisco ACLs Standard ACLs Filter based on source IP address. Extended ACLs Filter based on source + destination IP address. Filter based on protocol and port information. Time-based ACLs Filter based on date and time. Context-based ACLs Stateful packet filtering with dynamic ACLs CIT 384: Network Administration

  11. Access List Numbering CIT 384: Network Administration

  12. Standard ACLs access-list # action source [wildcard_mask] access-list 1 remark Stop traffic from Bob. access-list 1 deny 172.16.3.10 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255 interface fa0/1 ip address 172.16.1.1 255.255.255.0 ip access-group 1 out Bob fa0/1 fa0/0 172.16.3.10 172.16.3.0/24 172.16.1.0/24 CIT 384: Network Administration

  13. Standard ACLs access-list 1 remark Stop traffic from Bob. access-list 1 deny host 172.16.3.10 access-list 1 permit any interface fa0/1 ip address 172.16.1.1 255.255.255.0 ip access-group 1 out Bob fa0/1 fa0/0 172.16.3.10 172.16.3.0/24 172.16.1.0/24 CIT 384: Network Administration

  14. Extended ACLs access-list # action protocol source [source_wildcard] [s-port] destination [dest_wildcard] [d-port] [precedence #] [tos #] [established] access-list 101 remark Stop A from telneting to B. access-list 101 deny tcp any any eq 23 access-list 101 permit ip any any interface fa0/0 ip access-group 101 in fa0/1 fa0/0 B A CIT 384: Network Administration

  15. Specifying Ports lt n All ports less than n gt n All ports greater than n eq n Port n neq n All ports except for n range n m All ports from n through m, inclusive. CIT 384: Network Administration

  16. established keyword Used to matched established TCP connections • Matches packets with either ACK or RST set. • Only 1st TCP packet does not have these flags. • Used to allow response packets to outgoing connections. access-list 110 permit tcp any any established access-list 110 deny ip any any access-list 111 permit tcp any any eq telnet access-list 111 deny ip any any interface fa0/0 access-group 110 in access-group 111 out CIT 384: Network Administration

  17. ACL Processing Access lists processed sequentially • If rule matches, permit or deny action is taken. • If not, processing goes on to next list. • Last entry typically permit or denies any. • Router adds a deny all to the end of all ACLs. For best perf, place most used entries at top. CIT 384: Network Administration

  18. Example: outbound telnet Client on internal net telnets to external server. • Must allow outgoing packets to send commands. • Must allow incoming packets to receive responses. CIT 384: Network Administration

  19. Outgoing Packets • Source IP of packets is client’s IP address. • Dest IP of packets is server’s IP address. • Protocol type is TCP. • TCP destination port is 23. • TCP source port is a random port X >1023. • 1st outgoing packet will establish connect with SYN flag set. • Remaining outgoing packets will have ACK flag set. CIT 384: Network Administration

  20. Incoming Packets • Source IP of packets is server’s IP address. • Dest IP of packets is client’s IP address. • Protocol type is TCP. • TCP source port is 23. • TCP destination port is same random port X >1023. • All incoming packets will have ACK flag set. CIT 384: Network Administration

  21. Example: outbound telnet • Rule allows outgoing telnet packets. • Rule allows response packets back in. • Rule denies all else, following Principle of Fail-Safe Defaults. CIT 384: Network Administration

  22. Example: outbound telnet access-list 110 permit tcp any gt 1023 any eq telnet access-list 110 deny ip any any access-list 111 permit tcp any eq telnet any gt 1023 established access-list 111 deny ip any any interface fa0/1 access-group 110 out access-group 111 in CIT 384: Network Administration

  23. Preventing IP Spoofing Must occur on Internet gateway router. Incoming packets from your IP range are spoofed. Or there’s an unexpected egress to your network. ! ACL to block IP address spoofing access-list 111 deny ip 170.170.7.0 0.0.0.255 any access-list 111 permit ip any any ! Internet interface; to block spoofing interface serial0 ip access-group 111 in CIT 384: Network Administration

  24. Editing Access Lists Adding a new line access list 1 deny host 10.10.10.1 Added to end of ACL (before implicit deny) Any other modification • Create access list with new number • Change interface to use new ACL • Delete old ACL (no access list 1) • Create copy of new ACL with old number • Change interface to use old ACL # • Delete new ACL # CIT 384: Network Administration

  25. Named ACLs Advantages • Use names to identify purpose of ACLs. • Can insert, delete, and modify entries in ACL. Router(config)#ip access-list extended barney Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255 Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 ! The next statement is purposefully wrong so that the process of changing ! the list can be seen. Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2 Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2 Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#interface serial CIT 384: Network Administration

  26. Editing Named ACLs Router(config)#ip access-list extended barney Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 Router(config-ext-nacl)#^Z Router#show access-list Extended IP access list barney 10 permit tcp host 10.1.1.2 eq www any 20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255 30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 50 deny ip host 10.1.1.130 host 10.1.3.2 60 deny ip host 10.1.1.28 host 10.1.3.2 70 permit ip any any Note that no 40 would have performed the same deletion. CIT 384: Network Administration

  27. Applying ACLs to Lines Use access-class instead of access-group line vty 0 4 login password cisco access-class 10 in CIT 384: Network Administration

  28. Reflexive ACLs Allow creation of dynamic ACLs. • Outbound list creates entries in temporary ACL • Inbound list filters based on temporary ACL Use to manage user sessions • Opens filter for response packets to connection. • Unlike established, only opens filter for packets that are responses to current sessions. • Established always allows ACK|RST from any IP • Reflexive entries timeout if no traffic for 300s. CIT 384: Network Administration

  29. Reflexive ACLs Outbound List ip access-list extended outlist ! Allow all and add to reflexive list tmplist permit tcp any any reflect tmplist Inbound List ip access-list extended inlist ! allow TCP port 80 to internal web server permit tcp any host 10.10.10.1 eq www ! evaluate temporary reflexive list created by outlist evaluate tmplist ! deny anything that reaches this point deny ip any any CIT 384: Network Administration

  30. Logging ACL Use Use log keyword to log usage of ACL. Router1(config)# access-list 120 permit ip any any log Router1(config)# interface fa0/1 Router1(config-if)# ip access-group 150 in Apr 6 20:33:17: %SEC-6-IPACCESSLOGRP: list 120 permitted ospf 1.1.1.1 -> 224.0.0.5, 9 packets Apr 6 20:33:17: %SEC-6-IPACCESSLOGDP: list 120 permitted icmp 1.1.1.1 -> 1.1.1.2 (0/0), 4 packets CIT 384: Network Administration

  31. References • James Boney, Cisco IOS in a Nutshell, 2nd edition, O’Reilly, 2005. • D. Brent Chapman, Simon Cooper, and Elizabeth D. Zwicky, Building Internet Firewalls, 2nd edition, O’Reilly, 2000. • Cisco, Cisco Connection Documentation, http://www.cisco.com/univercd/home/home.htm • Cisco, Internetworking Basics, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm • Gary A. Donahue, Network Warrior, O’Reilly, 2007. • Wendell Odom, CCNA Official Exam Certification Library, 3rd edition, Cisco Press, 2007. • Jeff Sedayao, Cisco IOS Access Lists, O’Reilly, 2001. CIT 384: Network Administration

More Related