
1 Access Control Lists (ACLs)

2 Overview
1. Network administrators must be able to (a) deny unwanted access to a network and (b) allow authorized users to access necessary services.
2. Security tools such as passwords and physical security devices are helpful. However, they often lack the flexibility of basic traffic filters.
3. Routers provide the capability to filter traffic, such as blocking Internet traffic, with access control lists (ACLs).
4. An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.

3 Objectives
1. Learn standard and extended ACLs
2. Placement of ACLs
3. Create and apply named ACLs
4. Function of firewalls
5. Use ACLs to restrict virtual terminal access

4 Introduction to ACL
ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny.

5 Introduction to ACL (cont.)
1. ACLs can be created for all routed network protocols such as IP and Internetwork Packet Exchange (IPX).
2. ACLs can be configured at the router to control access to a network or subnet.
3. To filter network traffic, ACLs determine if routed packets are forwarded or blocked at the router interfaces.
4. The router examines each packet and will forward or discard it based on the conditions specified in the ACL.
5. If ACLs are not configured on the router, all packets that pass through the router will be permitted to access the entire network.

6 Introduction to ACL (cont.)
An ACL makes routing decisions based on source address, destination address, protocols, and upper-layer port numbers.

7 Introduction to ACL (cont.)
ACLs must be defined on a per-protocol, per-direction, or per-port basis.

8 Introduction to ACL (cont.)
ACLs can be used to perform the following tasks:
– Limit network traffic and increase network performance.
– Provide traffic flow control.
– Provide a basic level of security for network access.
– Decide which types of traffic are forwarded or blocked at the router interfaces.
– Control which areas a client can access on a network.
– Screen hosts to permit or deny access to a network segment.

9 How ACLs Work
An ACL is made up of statements that define whether packets are accepted or rejected at inbound and outbound interfaces.

10 How ACLs Work (cont.)
1. The order in which ACL statements are placed is important.
2. The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom.
3. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked.
4. If a condition statement that permits all traffic is located at the top of the list, no statements added below that will ever be checked.
5. If additional condition statements are needed in an access list, the entire ACL must be deleted and recreated with the new condition statements.

11 How ACLs Work (cont.)

12 Creating ACLs
1. ACLs are created in global configuration mode.
2. There are many types of ACLs: standard ACLs, extended ACLs, and named ACLs.
3. When ACLs are configured on a router, each ACL must have a unique identification number assigned to it.
4. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

13 Protocols with ACLs Specified by Numbers

14 ACL configuration task Step 1 Step 2

15 Creating ACLs (cont.)

16 Creating ACLs (cont.)
1. In TCP/IP, ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic by using the ip access-group command in interface configuration mode.
2. The access-group command is issued in the interface configuration mode.
3. When an ACL is assigned to an interface, inbound or outbound placement should be specified. The filter direction can be set to check packets that travel into or out of an interface.
4. To determine if an ACL controls inbound or outbound traffic, the network administrator must view the interfaces as if looking at them from inside the router.
5. An ACL containing numbered ACL statements cannot be altered. It must be deleted by using no access-list list-number.

17 Rules to Create and Apply Access Lists
1. There should be one access list per protocol per direction.
2. Standard access lists should be applied closest to the destination.
3. Extended access lists should be applied closest to the source.
4. The inbound or outbound interface should be referenced as if looking at the port from inside the router.
5. Statements are processed sequentially from the top of the list to the bottom until a match is found. If no match is found, the packet is denied and discarded.

18 Rules to Create and Apply Access Lists (cont.)
6. There is an implicit deny any at the end of all access lists.
7. Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
8. The match condition is examined first. The permit or deny is examined only if the match is true.
9. Never work with an access list that is actively applied.
10. A text editor should be used to create comments that outline the logic. Then fill in the statements that perform the logic.

19 Rules to Create and Apply Access Lists (cont.)
11. New lines are always added to the end of the access list. A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
12. An IP access list will send an ICMP host unreachable message to the sender of the rejected packet.
13. An access list should be removed carefully. If an access list that is applied to a production interface is removed, some versions of IOS will apply a default deny any to the interface and all traffic will be halted.
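The processing rules on slides 10 and 17–19 (top-to-bottom evaluation, stop at the first match, the implicit deny any at the end, and a permit-all at the top hiding every statement below it) are easy to get wrong when reading a list by eye. The following is an added example written in Python for this page; it is not code from the slides or from Cisco IOS. It models a standard numbered ACL: it parses the statement syntax the standard ACL slide shows (any, host, source with wildcard, remark), evaluates a source address the way the slides describe, and reports entries that can never be reached. The ACL numbers and addresses in it are constructed for illustration.

```python
import ipaddress

# Added example (not from the slides): a model of how IOS evaluates a
# standard numbered ACL. Entries are (action, source, wildcard) tuples of
# dotted-quad strings; a packet is tested top to bottom, the first matching
# entry decides, and the implicit "deny any" applies when nothing matches.


def to_int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, source, wildcard):
    """True when addr agrees with source on every bit that is 0 in the
    wildcard mask; bits that are 1 in the wildcard are ignored."""
    check = 0xFFFFFFFF ^ to_int(wildcard)   # 1 = must match, 0 = ignore
    return (to_int(addr) & check) == (to_int(source) & check)


def parse_standard(line):
    """Parse one statement in the syntax shown on the standard ACL slide:
    access-list <number> {permit|deny|remark} {any | host <addr> | <addr> [<wildcard>]}
    Returns (number, entry); entry is None for a remark."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError("not an access-list statement: " + line)
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    if action == "remark":
        return number, None
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    if not (1 <= number <= 99 or 1300 <= number <= 1999):
        raise ValueError("%d is not a standard IP ACL number" % number)
    if rest[0] == "any":
        return number, (action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":
        return number, (action, rest[1], "0.0.0.0")
    # IOS treats a missing wildcard as 0.0.0.0, i.e. an exact host match
    return number, (action, rest[0], rest[1] if len(rest) > 1 else "0.0.0.0")


def build_acl(lines):
    """Collect the entries of one numbered ACL in the order typed; new
    statements always go to the end of the list (rule 11 on slide 19)."""
    acl_number, entries = None, []
    for line in lines:
        number, entry = parse_standard(line)
        if acl_number is None:
            acl_number = number
        elif number != acl_number:
            raise ValueError("statement for ACL %d mixed into ACL %d" % (number, acl_number))
        if entry is not None:
            entries.append(entry)
    return entries


def evaluate(acl, src_addr):
    """Return (action, index) of the first matching entry, or ("deny", None)
    when the implicit deny at the end of the list is what applies."""
    for index, (action, source, wildcard) in enumerate(acl):
        if wildcard_match(src_addr, source, wildcard):
            return action, index
    return "deny", None


def shadowed_entries(acl):
    """Indexes of entries that can never be reached because one earlier entry
    already matches every address they would match (slide 10, item 4)."""
    shadowed = []
    for j, (_, sj, wj) in enumerate(acl):
        sj, wj = to_int(sj), to_int(wj)
        for _, si, wi in acl[:j]:
            si, check_i = to_int(si), 0xFFFFFFFF ^ to_int(wi)
            # i covers j when i ignores every bit j ignores and the two
            # sources agree on every bit i still checks
            if (wj & check_i) == 0 and ((si ^ sj) & check_i) == 0:
                shadowed.append(j)
                break
    return shadowed


# Constructed statements in the recommended order: specific host first,
# general network after it.
ORDERED = build_acl([
    "access-list 1 remark block one lab host, allow the rest of the LAN",
    "access-list 1 deny host 192.168.10.5",
    "access-list 1 permit 192.168.10.0 0.0.0.255",
])

# The mistake slide 10 warns about: permit any at the top of the list.
SHADOWED = build_acl([
    "access-list 2 permit any",
    "access-list 2 deny host 192.168.10.5",
])

if __name__ == "__main__":
    for addr in ("192.168.10.5", "192.168.10.7", "10.0.0.1"):
        print(addr, "ACL 1:", evaluate(ORDERED, addr), "ACL 2:", evaluate(SHADOWED, addr))
    print("unreachable entries in ACL 2:", shadowed_entries(SHADOWED))
```

Running it shows the host 192.168.10.5 denied by ACL 1 at entry 0 while 192.168.10.7 is permitted by entry 1, an address outside the LAN falling through to the implicit deny, and every address permitted by ACL 2 because its deny is unreachable. The shadow check only reports an entry hidden by a single earlier entry; an entry hidden by the combination of several earlier ones would need a fuller analysis.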

20 The Function of a Wildcard Mask
1. A wildcard mask is a 32-bit quantity that is divided into four octets.
2. A wildcard mask is paired with an IP address.
3. The numbers one and zero in the mask are used to identify how to treat the corresponding IP address bits.
4. The term wildcard mask represents the ACL mask-bit matching process.
5. Wildcard masks have no functional relationship with subnet masks. They are used for different purposes and follow different rules.

21 The permit/deny parameter
Permit: forward the packet.
Deny: send an ICMP message.
After you’ve typed access-list and chosen the correct access-list-number, you type either permit or deny depending on the action you wish to take.

22 The {test-conditions} parameter
– In the {test-conditions} portion of the ACL, you will specify various parameters depending on the type of access list.
– Common to most access lists is the source address (the ip mask) and the wildcard mask.
– The source address can be a subnet, a range of addresses, or a single host. It is also referred to as the ip mask because the wildcard mask uses the source address to check bits.
– The wildcard mask tells the router what bits to check. We will spend some time now learning its function.
Lab-A(config)#access-list 1 deny [ip mask] [wildcard mask]

23 The Wildcard Mask
– A wildcard mask is written to tell the router what bits in the address to match and what bits to ignore.
– A “0” bit means check this bit position. A “1” means ignore this bit position. This is completely different from the ANDing process we studied in Semester 1.
– Our previous example of can be rewritten in binary as: (Source address) (Wildcard mask)
– What do all the bits turned off in the wildcard mask tell the router?

24 The Wildcard Mask
This table from the curriculum may help:

25 Masking Practice
– On the next several slides, we will practice making wildcard masks to fit specific guidelines. Don’t worry if you don’t get it right away. Like subnetting, wildcard masking is a difficult concept that takes practice to master.
– Write an ip mask and wildcard mask to check for all hosts on the network:
– Answer: Notice that this wildcard mask is a mirror image of the default subnet mask for a Class C address. WARNING: This is a helpful rule only when looking at whole networks or subnets.

26 Masking Practice
– Write an ip mask and wildcard mask to check for all hosts in the subnet:
If you answered YOU’RE RIGHT!! is the mirror image of Let’s look at both in binary:
– ( )
– ( )
To prove this wildcard mask will work, let’s look at a host address within the .32 subnet:
– ( ) host address
– ( ) ip mask
– ( ) wildcard mask

27 Masking Practice
– Notice in the previous example (repeated below), some bits were colored blue. These bits are the bits that must match.
– ( ) host address
– ( ) ip mask
– ( ) wildcard mask
Remember: a “0” bit in the wildcard mask means check the bit; a “1” bit in the wildcard mask means ignore. The “0”s must match between the address of the packet ( ) being filtered and the ip mask configured in the access list ( ).
– Write an ip mask and wildcard mask for the subnet with a subnet mask of ? Answer:

28 Masking Practice
1. Write an ip mask and wildcard mask for the subnet with a subnet mask of ? Answer:
2. Write an ip mask and wildcard mask for the subnet with a subnet mask of ? Answer:
3. Write an ip mask and wildcard mask for the subnet with a subnet mask of ? Answer:
By now, you should have the hang of ip masks and wildcard masks when dealing with a subnet. If not, go back and review.

29 Masking a Host Range
1. Masking will not be so easy during the “Hands On” final. You’ll need to be able to deny a portion of a subnet while permitting another.
2. To mask a range of hosts within a subnet, it is often necessary to work at the binary level.
3. For example:
– students use the range to
– teachers use the range to
– Both groups are on network
How do you write an ip mask and wildcard mask to deny one group, yet permit another?

30 Masking a Host Range
Let’s write the masks for the students.
1. First, write out the first and last host address in binary. Since the first 3 octets are identical, we can skip those. All their bits must be “0”.
First Host’s 4th octet:
Last Host’s 4th octet:
2. Second, look for the leading bits that are shared by both (in blue below). These “bits in common” are to be checked just like the common bits in the portion of the addresses.
Examples: Host Ranges to .127 and .128 to .255

31 Masking a Host Range
1. Third, add up the decimal value of the “1” bits in the last host’s address (127).
2. Finally, determine the ip mask and wildcard mask:
» The ip mask can be any host address in the range, but convention says use the first one.
» The wildcard mask is all “0”s for the common bits.
What about the teachers? What would be their ip mask and wildcard mask? ( ) to ( )
Answer: Notice anything? What stayed the same? What changed?
Examples: Host Ranges to .127 and .128 to .255
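The two methods practised on slides 25–31 (the mirror-image rule for whole networks or subnets, and the shared-leading-bits method for a host range) can both be worked mechanically. The following is an added example written in Python for this page, not code from the slides; the subnet, student and teacher addresses it uses are constructed, since the slides' own values did not survive extraction. It also goes one step beyond the slides by reporting when a host range cannot be expressed exactly by one ip mask / wildcard mask pair, which is the case whenever the range is not aligned to a power of two.

```python
import ipaddress

# Added example (not from the slides): deriving ip mask / wildcard mask pairs
# with the two methods the masking-practice slides describe.


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    return str(ipaddress.IPv4Address(value))


def dotted_binary(addr):
    """Render an address as four 8-bit groups, as the slides do."""
    return ".".join(format(int(octet), "08b") for octet in addr.split("."))


def wildcard_for_subnet(address, subnet_mask):
    """Mirror-image rule for whole networks or subnets: the wildcard mask is
    the bitwise inverse of the subnet mask and the ip mask is the network
    address. Returns (ip_mask, wildcard_mask)."""
    mask = to_int(subnet_mask)
    wildcard = 0xFFFFFFFF ^ mask
    return to_str(to_int(address) & mask), to_str(wildcard)


def wildcard_for_range(first_host, last_host):
    """Host-range method: the leading bits the first and last address have in
    common are checked (0 in the wildcard); the bits from the first
    difference downward are ignored (1 in the wildcard). The ip mask is, by
    the slides' convention, the first host. Returns (ip_mask, wildcard, exact);
    exact is False when the pair also admits hosts outside the range."""
    first, last = to_int(first_host), to_int(last_host)
    if first > last:
        raise ValueError("first host must not be above last host")
    differing = (first ^ last).bit_length()     # bit positions that differ
    wildcard = (1 << differing) - 1             # ones in those low positions
    lowest = first & ~wildcard & 0xFFFFFFFF     # smallest address admitted
    highest = first | wildcard                  # largest address admitted
    exact = (lowest == first) and (highest == last)
    return first_host, to_str(wildcard), exact


def matches(addr, ip_mask, wildcard):
    """Verify a derived pair: bits that are 0 in the wildcard must agree."""
    w = to_int(wildcard)
    return (to_int(addr) | w) == (to_int(ip_mask) | w)


def hosts_matched(wildcard):
    """Number of addresses a pair admits: 2 ** (count of 1 bits in the wildcard)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Constructed values, patterned on the slides' student/teacher ranges.
    print("subnet:", wildcard_for_subnet("192.168.1.32", "255.255.255.224"))
    students = wildcard_for_range("192.168.1.0", "192.168.1.127")
    teachers = wildcard_for_range("192.168.1.128", "192.168.1.255")
    for label, (ip_mask, wildcard, exact) in (("students", students), ("teachers", teachers)):
        print(label, ip_mask, wildcard, "exact" if exact else "not exact")
        print("   ", dotted_binary(ip_mask), "ip mask")
        print("   ", dotted_binary(wildcard), "wildcard mask")
    # A range that is not aligned to a power of two cannot be expressed exactly:
    print("10..20:", wildcard_for_range("192.168.1.10", "192.168.1.20"))
```

For the constructed ranges the wildcard mask is the same (0.0.0.127) for students and teachers and only the ip mask changes, which is the observation slide 31 asks for. The 10..20 case returns exact=False because the pair 192.168.1.10 / 0.0.0.31 actually admits .0 through .31; such a range needs several statements, or a different split, in a real list.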

32 Time Saver

33 Verifying ACLs
There are many show commands that will verify the content and placement of ACLs on the router:
show ip interface
show access-lists
show running-config

34 #show ip interface

35 #show access-lists

36 #show running-config

37 Standard ACLs

38 Standard ACLs (cont.)
The full syntax of the standard ACL command is as follows:
1. Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]
2. Router(config)#access-list 1 permit
3. Router(config)#access-list 1 remark Permit only Jones workstation through
   Router(config)#access-list 1 permit
   [The remark keyword makes the access list easier to understand. Each remark is limited to 100 characters.]
4. Router(config)#no access-list access-list-number
5. Router(config)#ip access-group {access-list-number | access-list-name} {in | out}

39 Standard ACLs (cont.)
1. Standard ACLs check the source address of IP packets that are routed.
2. The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses.

40 Extended ACLs
1. Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
2. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers.
3. This gives greater flexibility to describe what the ACL will check.
4. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

41 Extended ACLs (cont.)

42 Extended ACLs (cont.)
1. For a single ACL, multiple statements may be configured.
2. Each statement should have the same access list number, to relate the statements to the same ACL.
3. There can be as many condition statements as needed, limited only by the available router memory.

43 Extended ACLs (cont.)
Router(config-if)#ip access-group access-list-number {in | out}
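Slides 40–43 describe what an extended ACL checks beyond the source address: the destination, the protocol, and port numbers, with all statements of one list sharing one number. The following is an added example written in Python for this page, not code from the slides or from Cisco IOS. It parses extended numbered-ACL statements in the common form (protocol, source, destination, optional eq port on either side, with any and host shortcuts), and evaluates constructed packets against a constructed three-line policy. Only the eq port operator and a handful of IOS port names are handled.

```python
import ipaddress

# Added example (not from the slides): parse extended numbered ACL statements
# and test packets on protocol, source, destination and port, the extra
# fields that extended ACLs check beyond the source address.

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "ftp": 21, "domain": 53}


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, source, wildcard):
    """0 bits in the wildcard must match, 1 bits are ignored."""
    w = _ip(wildcard)
    return (_ip(addr) | w) == (_ip(source) | w)


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((A, W), remaining)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' (number or IOS name); None = any port."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_extended(line):
    """access-list <100-199> {permit|deny} <proto> <src> [eq p] <dst> [eq p]
    Returns (number, rule). Only the eq operator is supported here."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an extended access-list statement: " + line)
    number, action, proto = int(tok[1]), tok[2], tok[3]
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError("%d is not an extended IP ACL number" % number)
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + line)
    src, rest = _take_address(tok[4:])
    sport, rest = _take_port(rest)
    dst, rest = _take_address(rest)
    dport, rest = _take_port(rest)
    if rest:
        raise ValueError("unsupported keywords: " + " ".join(rest))
    return number, {"action": action, "proto": proto, "src": src,
                    "sport": sport, "dst": dst, "dport": dport}


def build_acl(lines):
    """All statements of one ACL carry the same number (slide 42) and are
    kept in the order entered."""
    number, rules = None, []
    for line in lines:
        n, rule = parse_extended(line)
        if number is None:
            number = n
        elif n != number:
            raise ValueError("statement for ACL %d mixed into ACL %d" % (n, number))
        rules.append(rule)
    return rules


def rule_matches(rule, packet):
    """packet = (proto, src_addr, src_port, dst_addr, dst_port); 'ip' in a
    rule matches every protocol, a missing port matches every port."""
    proto, sa, sp, da, dp = packet
    return (rule["proto"] in ("ip", proto)
            and wildcard_match(sa, *rule["src"])
            and wildcard_match(da, *rule["dst"])
            and rule["sport"] in (None, sp)
            and rule["dport"] in (None, dp))


def evaluate(acl, packet):
    """First match wins; no match means the implicit deny."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, packet):
            return rule["action"], index
    return "deny", None


# Constructed policy: LAN hosts may reach web servers anywhere and telnet
# to one management host; the closing deny makes the implicit deny visible.
ACL_101 = build_acl([
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq telnet",
    "access-list 101 deny ip any any",
])

if __name__ == "__main__":
    for pkt in (("tcp", "192.168.1.10", 40000, "203.0.113.7", 80),
                ("tcp", "192.168.1.10", 40001, "10.0.0.5", 23),
                ("tcp", "192.168.1.10", 40002, "10.0.0.6", 23),
                ("udp", "192.168.1.10", 40003, "203.0.113.7", 80)):
        print(pkt, "->", evaluate(ACL_101, pkt))
```

The UDP packet to port 80 is denied even though the address and port match the first statement, because that statement names tcp; a practitioner checking an extended list should read the protocol field as carefully as the addresses. A rule written with plain ip as the protocol, like the closing deny here, matches every protocol.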

44 Named ACLs
1. Named ACLs allow standard and extended ACLs to be given names instead of numbers.
2. The following are advantages that are provided by a named access list:
– Alphanumeric names can be used to identify ACLs.
– The IOS does not limit the number of named ACLs that can be configured.
– Named ACLs provide the ability to modify ACLs without deletion and reconfiguration. However, a named access list will only allow for statements to be inserted at the end of a list.

45 Named ACLs (cont.)

46 Named ACLs (cont.)

47 Placing ACLs
Standard ACLs should be placed close to the destination.
Extended ACLs should be placed close to the source.

48 Firewalls
A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
[Figure: Exterior Router, Interior Router]
1. The interior router accepts packets only from the application gateway.
2. The gateway controls the delivery of network-based services both into and from the internal network.

49 Restricting Virtual Terminal Access
1. Standard and extended access lists apply to packets that travel through a router.
2. They are not designed to block packets that originate within the router.
3. Just as there are physical ports or interfaces, such as Fa0/0 and S0/0 on the router, there are also virtual ports. These virtual ports are called vty lines.
4. There are five vty lines, which are numbered 0 through 4.
5. For security purposes, users can be denied or permitted virtual terminal access to the router but denied access to destinations from that router.

50 Restricting Virtual Terminal Access (cont.)
1. The Telnet protocol can also be used to create a nonphysical vty connection to the router. There is only one type of vty access list.
2. Identical restrictions should be placed on all vty lines since it is not possible to control the line on which a user will connect.
3. Applying the ACL to a terminal line requires the access-class command instead of the access-group command.
4. Only numbered access lists can be applied to virtual lines.

51 Restricting Virtual Terminal Access (cont.)

52 The End