Presentation is loading. Please wait.

Presentation is loading. Please wait.

Instructor & Todd Lammle

Published byVictoria Francis Modified over 7 years ago

Similar presentations

Presentation on theme: "Instructor & Todd Lammle"— Presentation transcript:

1 Instructor & Todd Lammle
Sybex CCENT Chapter 12: Security Instructor & Todd Lammle

2 Chapter 12 Objectives The CCENT Topics Covered in this chapter include: IP Services Describe the types, features, and applications of ACLs Standard Sequence numbers Editing Extended Named Numbered Log option Configure and verify ACLs in a network environment Network Device Security Configure and verify ACLs to filter network traffic Configure and verify an ACLs to limit telnet and SSH access to the router Troubleshooting Troubleshoot and Resolve ACL issues Statistics Permitted networks Direction Interface 2

3 Figure 12.1: A typical secured network
Internal routers provide additional security by screening traffic to various parts of the protected corporate network, and they achieve this using access lists. The demilitarized zone (DMZ) can be global (real) Internet addresses or private addresses, depending on how you configure your firewall, but this is typically where you’ll find the HTTP, DNS, , and other Internet-type corporate servers.

4 Introduction to Access Control Lists
An access control list (ACL) is essentially a list of conditions that categorize packets Allows you to exercise control over network traffic Ex: Filter unwanted packets when implementing security policies An ACL is like a series of if-then statements If a given condition is met a given action is taken If a the specific condition isn’t met, nothing happens and the next statement is evaluated

5 Introduction to Access Control Lists cont.
ACLs can apply to either inbound or outbound traffic on any interface An ACL causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action Rules that a packet follows when it’s being compared with an ACL

6 Types of ACLs There are two main types of access lists:
Standard access lists These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on. Extended access lists Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic. Named access lists Hey, wait a minute—I said there were only two types of access lists but listed three! Well, technically there really are only two since named access lists are either standard or extended and not actually a distinct type. I’m just distinguishing them because they’re created and referred to differently than standard and extended access lists are, but they’re still functionally the same.

7 Direction To use an ACL as a packet filter, you need to apply it to an interface on the router where you want You also need to specify which direction of traffic you want the ACL applied to You may want different control for inbound and outbound traffic By specifying the direction of traffic, you can and must use different access lists for inbound and outbound traffic on a single interface:

8 Direction cont. Inbound access lists Outbound access lists
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked. Outbound access lists When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued General guidelines You can assign only on ACL per interface per protocol per direction

9 Notes

10 Notes cont.

11 Security threats ACLs can mitigate

12 ACLs configuration rules
When configuring ACLs from the Internet to your internal network to mitigate security problems

13 Standard Access Lists Filter network traffic by examining the source ID address in a packet Use the access-list numbers 1-99 or in the expanding range of 1300 – 1999 The type of ACL is differentiated using a number Based on the number, the router knows which type of syntax to expect as the list is entered By using the numbers1-99 or , you’re telling the router to create a standard IP access list The router will expect syntax specifying only the source IP address in the test lines

14 The protocols you can specify access for

15 Syntax of standard access lists
Once you’ve chosen the access-list number, you need to decide whether you’re creating a permit or deny statement

16 Syntax of standard access lists cont.

17 Syntax of standard access lists cont.

18 Wildcard masking Wildcards are used with access lists to specify
An individual host, a network or a range of networks You have to specify the range of values in a block size Ex: the range can be 16,32, but not 20 Whenever a zero is present, it indicates that octet in the address must match the corresponding reference octet exactly The value 255 specifies that an octet can be any value

19 Wildcard masking examples

20 Wildcard masking examples

21 Figure 12.2: IP access list example with three LANs and a WAN connection
In Figure 12.2, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department files. The Marketing LAN needs to access the Finance LAN for application services. Lab_A#config t Lab_A(config)#access-list 10 deny Lab_A(config)#access-list 10 permit any Lab_A(config)#int fa0/1 Lab_A(config-if)#ip access-group 10 out Doing this completely stops traffic from from getting out FastEthernet0/1. It has no effect on the hosts from the Sales LAN accessing the Marketing LAN and the Internet because traffic to those destinations doesn’t go through interface Fa0/1.

22 Figure 12.3: IP standard access list example 2
Now we’re going to stop the Accounting users from accessing the Human Resources server attached to the Lab_B router but allow all other users access to that LAN using a standard ACL. Lab_B#config t Lab_B(config)#access-list 10 deny Lab_B(config)#access-list 10 permit any Lab_B(config)#interface Ethernet 0 Lab_B(config-if)#ip access-group 10 out Keep in mind that to be able to answer this question correctly, you really need to understand subnetting, wildcard masks, and how to configure and implement ACLs. The accounting subnet is the /27, which is a , with a block size of 32 in the fourth octet.

23 Figure 12.4: IP standard access list example 3
Okay—you need to write an access list that will stop access from each of the four LANs shown in the diagram to the Internet. Here is an example of what your answer should look like, beginning with the network on E0 and working through to E3: Router(config)#access-list 1 deny Router(config)#access-list 1 deny Router(config)#access-list 1 deny Router(config)#access-list 1 deny Router(config)#access-list 1 permit any Router(config)#interface serial 0 Router(config-if)#ip access-group 1 out

24 Extended Access Lists Allow to specify source and destination address as well as the protocol and port number that identify the upper layer protocol or applications Allow users services access to a physical LAN while denying them access to specific hosts even specific services on those hosts Number range: 100—199,

25 Extended Access Lists: syntax

26 Extended Access Lists: syntax 2

27 Extended Access Lists: syntax 3
If you want to filter by application layer protocol, you have to chose the appropriate layer 4 transport protocol after the permit or deny statement Ex: to filter telnet or FTP, choose TCP

28 Extended Access Lists: syntax 4

29

30

31

32

33 Figure 12.5: Extended ACL example 1
What do we need to do to deny access to a host at on the finance department LAN for both Telnet and FTP services? All other services on this and all other hosts are acceptable for the sales and marketing departments to access. Lab_A#config t Lab_A(config)#access-list 110 deny tcp any host eq 21 Lab_A(config)#access-list 110 deny tcp any host eq 23 Lab_A(config)#access-list 110 permit ip any any Lab_A(config)#int fa0/1 Lab_A(config-if)#ip access-group 110 out The access-list 110 tells the router we’re creating an extended IP ACL. The tcp is the protocol field in the Network layer header. If the list doesn’t say tcp here, you cannot filter by TCP port numbers 21 and 23 as shown in the example.

34 Extended ACL example 2

35 Extended ACL example 3

36 Extended ACL example 3 cont.

37 Named ACLs Allow us to use names for creating and applying either standard or extended access lists Ex: Re-create the standard access list in Figure 12.2 using a named ACL ip access-list: enter a named access list

38 Named ACLs cont.

39 Named ACLs cont. 2

40 Remark A keyword used for comments

41 Table 12.1: Commands used to verify access-list configuration

42 Written Labs and Review Questions
Read through the Exam Essentials section together in class Open your books and go through all the written labs and the review questions. Review the answers in class. 42

Download ppt "Instructor & Todd Lammle"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
CCENT Study Guide Chapter 12 Security.

CCENT Study Guide Chapter 12 Security.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Introducing ACLs.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
Instructor & Todd Lammle

Instructor & Todd Lammle
Policy Based Routing using ACL & Route Map By Group 7 Nischal (304360958) Pranali (304378534)

Policy Based Routing using ACL & Route Map By Group 7 Nischal ( ) Pranali ( )
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Instructor & Todd Lammle

Instructor & Todd Lammle
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
Instructor & Todd Lammle

Instructor & Todd Lammle
CISCO NETWORKING ACADEMY Chabot College ELEC 99.08 Access Control Lists - Introduction.

CISCO NETWORKING ACADEMY Chabot College ELEC Access Control Lists - Introduction.
Instructor & Todd Lammle

Instructor & Todd Lammle
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Access Control List ACL. Access Control List ACL.

Access Control List ACL. Access Control List ACL.

Similar presentations

Ads by Google