
Access Control Lists
Mark Clements

17 March 2009, ITCN
This Week – Access Control Lists
- What are ACLs?
- What are they for?
- How do they work?
- Standard ACLs
- Extended ACLs
- Where to place them

Reasons for ACLs
- Limit network traffic to the flows we define, which also improves network performance
- Provide traffic-flow control: applied as distribute lists, ACLs can restrict or reduce the contents of routing updates
- Provide a basic level of security for network access
- Decide which types of traffic are forwarded or blocked at router interfaces

Consider an arbitrary network (network diagram on the slide)

Routers and ACLs
- A router can read the header fields of every packet it forwards
- Packets carry a lot of usable data: source and destination addresses, the protocol, and transport port numbers
- We can choose to act upon this data
- This lets us allow or deny whichever traffic we wish
- ACLs implement this policy

The task of ACLs
An ACL is a group of statements that define how, or whether, packets:
- enter an inbound interface
- exit an outbound interface of the router
- are relayed through the router or not

The order of ACL statements is important
- IOS tests the packet against each condition statement in the order in which the statements were created
- Note: after a match is found, no more condition statements are checked
- If you create a condition statement that permits all traffic, no statements added later will ever be checked
- If none of the ACL statements match, an implicit "deny any" statement is imposed

ACL statement order
- The implicit last statement denies all traffic
- The statements preceding it must allow the permitted traffic to flow
- Construct statements carefully: anything not explicitly permitted will be denied

Standard ACLs
You use standard ACLs when you:
- want to block all traffic from a network
- want to allow all traffic from a specific network
- want to permit or deny the entire IP protocol suite from a source (a standard ACL cannot single out an application or protocol such as www or icmp; that needs an extended ACL)
Standard ACLs check only the source address of packets that could be routed across your network
Standard ACLs are used less often for filtering transit traffic, but they are the usual choice for restricting vty (telnet/SSH) access, SNMP, NAT and route filtering, where only the source matters

Extended ACLs
- Used whenever we want to be more specific about the traffic to block, e.g. a certain host or destination, or a particular protocol or application such as www, ftp or icmp (ping)
- Used very frequently

Creating ACLs
- Enter global configuration mode, i.e. Router(config)#
- Enter the command ip access-list {standard | extended} {name | number} to identify the list
- The router prompt changes accordingly, to Router(config-std-nacl)# or Router(config-ext-nacl)#
- Alternatively, a numbered ACL can be built one line at a time with access-list number permit|deny ... entered directly at Router(config)#

Using Notepad
- Create ACLs in Notepad (or another text editor)
- There they can be easily manipulated and reordered
– On a classic numbered ACL this is not possible: a new line is always appended at the end, so to change the order you must delete the entire list (no access-list number) and re-enter it
– Named ACLs (and numbered ACLs on newer IOS releases) support sequence numbers, so individual entries can be inserted or removed without rebuilding the list
- Once the ACL is correct, it can be pasted into the router's CLI

Standard and extended ACLs
- ACL numbers 1 to 99 (and the expanded range 1300 to 1999) are for standard ACL statements: Router(config-std-nacl)#
- ACL numbers 100 to 199 (and the expanded range 2000 to 2699) are for extended ACL statements: Router(config-ext-nacl)#
- Order the ACL logically
- Permitted IP protocols must be specified; all other protocols should be denied

Which interface to place the ACL on?
- ACLs are assigned to one or more interfaces
- They can filter inbound or outbound traffic
- Inbound ACLs are generally more efficient than outbound: a packet denied inbound is dropped before the router spends a routing lookup on it
- Outbound ACLs are applied only after the packet has been routed to the outbound interface, so the router does the routing work even for packets it then discards

Wildcard mask
- This identifies a host or a range of addresses
- It is the binary inversion of the subnet mask, i.e. in a 'class C' address range we use the subnet mask 255.255.255.0
- To specify the same range with a wildcard mask we use 0.0.0.255 (all 1s are now 0s and all 0s are now 1s)

Wildcard mask bits
- Sometimes we need to specify a range of IP addresses
- A wildcard mask is a 32-bit quantity divided into four octets; each octet contains 8 bits
- Wildcard mask bit 0 means "check the corresponding bit value"
- Wildcard mask bit 1 means "do not check (ignore) the corresponding bit value"


Example
What is the dotted-decimal wildcard mask you would use to check for all traffic from the hosts of a given address range?
- Hint: convert to binary first
- Write the first and last addresses one above the other to compare like and unlike bits
- Bits that are identical in both are checked (wildcard bit 0); bits that differ are ignored (wildcard bit 1)
- Convert back to decimal afterwards
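As an added example (not from the slides), the following Python computes a wildcard mask both ways described above: by inverting a subnet mask, and by comparing the first and last addresses of a range bit by bit. It also checks that a range can actually be expressed by one statement, which the slide does not spell out: only an aligned block of addresses can. The addresses are constructed inputs and the ipaddress module is from the standard library.

```python
# Added example, not from the original slides: computing Cisco-style
# wildcard masks and applying them to addresses. All addresses used
# here are constructed inputs chosen for illustration.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert a subnet mask bit for bit: every 1 becomes 0 and every 0 becomes 1."""
    return to_dotted(to_int(mask) ^ ALL_ONES)


def wildcard_from_range(first: str, last: str) -> tuple:
    """Derive (network, wildcard) for an inclusive address range.

    Bits that are identical in first and last are checked (wildcard bit 0);
    bits that differ are ignored (wildcard bit 1). A single statement can only
    express a range whose low-order bits vary together as an aligned block,
    so anything else raises ValueError and must be split into several lines.
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    differing = lo ^ hi
    wildcard = (1 << differing.bit_length()) - 1   # low-order bits that vary
    if (lo & wildcard) != 0 or (hi & wildcard) != wildcard:
        raise ValueError("range is not an aligned block; use several statements")
    return to_dotted(lo), to_dotted(wildcard)


def matches(address: str, network: str, wildcard: str) -> bool:
    """True when every checked bit (wildcard bit 0) of address equals network."""
    check_bits = to_int(wildcard) ^ ALL_ONES          # 1 where the bit is checked
    return ((to_int(address) ^ to_int(network)) & check_bits) == 0


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.255.0"))             # 0.0.0.255
    print(wildcard_from_range("192.168.16.0", "192.168.31.255"))  # ('192.168.16.0', '0.0.15.255')
    print(matches("192.168.20.7", "192.168.16.0", "0.0.15.255"))  # True
    print(matches("192.168.32.1", "192.168.16.0", "0.0.15.255"))  # False
```

The alignment check matters in practice: a range such as 10.0.0.5 to 10.0.0.9 cannot be written as one network/wildcard pair, and a mask guessed for it would either leak addresses outside the range or miss some inside it.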

Quad zero
The address 0.0.0.0 is known as the quad-zero address; paired with the wildcard mask 255.255.255.255 (check no bits) it is shorthand for any IP address.

Useful commands – ANY
To specify that any source address will be permitted to pass:
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
is the same as (but longer than):
Router(config)# access-list 1 permit any
Note that the numbered access-list command is entered at the global configuration prompt; inside a named ACL (Router(config-std-nacl)#) the same entry is simply permit any

HOST command
To deny a specific IP host address in an ACL test:
Router(config)# access-list 1 deny <host-address> 0.0.0.0
is the same as (but longer than):
Router(config)# access-list 1 deny host <host-address>

Examples of ACLs
- access-list 33 permit <network> <wildcard> (permits all traffic from the range covered by the wildcard mask)
- access-list 44 deny host <address> (denies traffic from only that host)
- access-list 55 permit any (permits all traffic from any network)

Extended ACLs
- Provide a greater range of control than standard ACLs, e.g. we can allow web traffic but deny File Transfer Protocol (FTP), Telnet or other traffic
- Extended ACLs check both the source and the destination address of a packet
- Specific protocols, port numbers and other parameters can be checked for
- Packets can be permitted or denied based on where they originated and on their destination

Extended ACL example
chatham(config)#ip access-list extended 150
chatham(config-ext-nacl)#?
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  remark   Access list entry comment
chatham(config-ext-nacl)#permit tcp
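As an added example (not part of the original slides), the following Python evaluates IOS-style numbered ACL statements the way the slides on statement order describe: the first matching statement wins, later statements are never examined, and the implicit deny applies when nothing matches. It handles only a subset of the syntax (standard lists 1-99/1300-1999, extended lists 100-199/2000-2699 with an optional eq port after the destination), and the ACL statements, addresses and packets are constructed for illustration; it is not Cisco's own matching code.

```python
# Added example, not from the original slides: a small evaluator for a subset
# of IOS numbered ACL syntax (standard 1-99/1300-1999, extended 100-199/2000-2699
# with an optional 'eq <port>' after the destination). The ACL statements and
# packets below are constructed for illustration.
import ipaddress

ALL_ONES = 0xFFFFFFFF
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


def _addr_spec(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (net, wild, rest)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), tokens[2:])


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ...' lines, keeping the order given."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue                                        # blank lines, remarks
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
            src, swild, _ = _addr_spec(t[3:])
            entries.append(dict(action=action, proto="ip", src=src, swild=swild,
                                dst=0, dwild=ALL_ONES, dport=None))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:  # extended
            proto = t[3]
            src, swild, rest = _addr_spec(t[4:])
            dst, dwild, rest = _addr_spec(rest)
            dport = None
            if len(rest) >= 2 and rest[0] == "eq":
                dport = PORT_KEYWORDS.get(rest[1]) or int(rest[1])
            entries.append(dict(action=action, proto=proto, src=src, swild=swild,
                                dst=dst, dwild=dwild, dport=dport))
        else:
            raise ValueError("unsupported ACL number %d" % number)
    return entries


def _match(value, net, wild):
    """Wildcard bit 0 = check that bit; wildcard bit 1 = ignore it."""
    return ((value ^ net) & (wild ^ ALL_ONES)) == 0


def evaluate(entries, src, dst, proto="ip", dport=None):
    """Return (action, index) of the first matching entry; index None means the
    implicit 'deny any' at the end of the list applied."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_match(s, e["src"], e["swild"]) and _match(d, e["dst"], e["dwild"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i             # later statements are never examined
    return "deny", None                   # implicit deny at the end of every ACL


def shadowed_by_catch_all(entries):
    """Indexes of entries written after a 'permit/deny [ip] any any', which can never match."""
    for i, e in enumerate(entries):
        if (e["proto"] == "ip" and e["swild"] == ALL_ONES
                and e["dwild"] == ALL_ONES and e["dport"] is None):
            return list(range(i + 1, len(entries)))
    return []


# Constructed standard ACL: the catch-all permit hides the deny written after it.
SHADOWED = parse_acl([
    "access-list 1 permit any",
    "access-list 1 deny host 10.1.1.7",     # never evaluated
])

# Constructed extended ACL for a 10.1.1.0/24 LAN: drop FTP and Telnet, allow web
# and everything else from the LAN; hosts outside it fall through to the implicit deny.
LAN_ACL = parse_acl([
    "access-list 150 deny tcp 10.1.1.0 0.0.0.255 any eq ftp",
    "access-list 150 deny tcp 10.1.1.0 0.0.0.255 any eq telnet",
    "access-list 150 permit tcp 10.1.1.0 0.0.0.255 any eq www",
    "access-list 150 permit ip 10.1.1.0 0.0.0.255 any",
])

if __name__ == "__main__":
    print(shadowed_by_catch_all(SHADOWED))                          # [1]
    print(evaluate(SHADOWED, "10.1.1.7", "203.0.113.9"))            # ('permit', 0)
    print(evaluate(LAN_ACL, "10.1.1.5", "203.0.113.9", "tcp", 21))  # ('deny', 0)
    print(evaluate(LAN_ACL, "10.1.1.5", "203.0.113.9", "tcp", 80))  # ('permit', 2)
    print(evaluate(LAN_ACL, "10.1.2.5", "203.0.113.9", "tcp", 80))  # ('deny', None)
```

Running shadowed_by_catch_all over a list before pasting it into the router is a cheap way to catch the mistake the ordering slides warn about: a permit any (or deny any) entered early silently makes every later line dead.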

Well-known port numbers
- Some ports are commonly used and their numbers are well known (e.g. TCP 80 for www, 21 for ftp, 23 for telnet)
- An ACL matches the port number, not the application: an attacker can configure a PC or server to use a different port, so a rule that blocks the well-known port does not block the same service running on a non-standard port


Placing standard and extended ACLs
- Put extended ACLs as close as possible to the source machine or range (on your network) of the traffic type being denied: because they can match the destination, the unwanted traffic is dropped before it crosses the network
- Standard ACLs do not specify destination addresses, so placing one near the source would block that source's traffic to every destination; put the standard ACL as near as possible to the destination machine (or range) you want to protect

Applying ACLs to an interface
- Once you have written an ACL, you need to apply it to an interface, either IN or OUT
- If we have written access-list 101, we could apply it to the Fa0/0 interface inbound:
interface fa0/0
 ip access-group 101 in
- ACLs can also be placed on an interface in the outbound direction (ip access-group 101 out); only one ACL per protocol, per interface, per direction is allowed

Placing ACLs: direction
- Imagine you are standing inside the router
- "In" and "out" for an ACL on an interface are taken from that perspective: inbound traffic arrives at the interface from outside, outbound traffic leaves the router through it

Conclusion
- ACLs check packets for certain conditions
- Standard ACLs test simple conditions (source address only)
- Extended ACLs test more rigorous conditions
- Define the ACL, then apply it to an interface
- Place ACLs sensibly
- Be sure to order the statements sensibly too!