Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Sybex CCNA 640-802 Chapter 10: Security. Chapter 10 Objectives The CCNA Topics Covered in this chapter include: Introduction to Security –Types of attacks.

Published byFlorence Phillips Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Sybex CCNA 640-802 Chapter 10: Security. Chapter 10 Objectives The CCNA Topics Covered in this chapter include: Introduction to Security –Types of attacks."— Presentation transcript:

1 1 Sybex CCNA 640-802 Chapter 10: Security

2 Chapter 10 Objectives The CCNA Topics Covered in this chapter include: Introduction to Security –Types of attacks –Mitigating attacks –Types of hardware used for defense: Firewalls Application Layer Gateways (ALGs) Packet Filtering Stateful Packet Filtering Access-lists –Standard –Extended –Named –Monitoring Access-lists 2

3 (c) University of Technology, Sydney 2000 - 2004 3 Earliest firewalls ? What is the air-speed velocity of an unladen swallow?

4 Introduction to Security ACLs normally go here ACLs sometimes go here Any server that handles a lot of internet traffic should be placed in the DMZ. This allows the “trusted”, inner network to be protected from the dangers of the Internet. The web and email servers above are placed here, as well as DNS, proxy, reverse proxy, FTP and VoIP servers.

5 (c) University of Technology, Sydney 2000 - 2004 5 DMZ between Internet and Network (between the barbarians and the Keep) Web server DMZ

6 Firewalls: Application Layer Gateway The ALG intercepts and establishes connections to the Internet hosts on behalf of the client. See notes

7 Firewalls: Stateful Packet Filtering Stateless ACLs filter traffic based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes. Stateful inspection then remembers certain details, or the state of that request. See notes

8 Attacks A PPLICATION - LAYER ATTACKS A UTOROOTERS B ACKDOORS D ENIAL OF SERVICE (D O S) AND DISTRIBUTED DENIAL OF SERVICE (DD O S) ATTACKS –( AND MANY OTHERS ) - (see text pp 612-13) –Note: The underlying reason why so many attacks against networks are successful is that when networking in general and the Internet specifically were being developed, security was simply not an issue. –Not only the structure of networks, but the applications themselves were created with no thought that they might someday be exploited by hackers. For examples try “googling” “network security structure” or some such combination of words

9 Mitigating Attacks The book mentions ASA (Adaptive Security Appliance) products. They are the best thing going but they run on expensive hardware and are beyond the scope of the CCNA exam. –Cisco firewalls have their own IOS. Some hardware and features are: –Appliances IDS: Intrusion Detection System IPS: Intrusion Prevention System –the book rolls the description of both of these appliances into the IDS blurb, so beware; the IDS detects the threat and sends a message. You need an IPS or some other device to actually respond to the intrusion. –Stateful IOS Firewall Inspection Engine (AKA CBAC, for context-based access control) Allows you to use ACLs efficiently to filter traffic, detect intrusions, etc. (See: power point on CBAC)

10 Mitigating Attacks –Firewall Voice Traversal a VoIP feature –ICMP Inspection An ACL can be a blunt instrument, either allowing or denying all ICMP packets (PING, Traceroute, etc.) This feature allows you to respond to internal ICMP packets while blocking external ones –Authentication Proxy HTTP, HTTPS, FTP, and Telnet authentication Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols

11 Access Lists Purpose: Used to permit or deny packets moving through the router Permit or deny Telnet (VTY) access to or from a router Create dial-on demand (DDR) “interesting traffic” that triggers dialing to a remote location

12 Important Rules Packets are compared to each line of the assess list in sequential order Packets are compared with lines of the access list only until a match is made –Once a match is made & acted upon no further comparisons take place! An implicit “deny” is at the end of each access list –If no matches have been made, the packet will be discarded

13 Two Types of Access Lists Standard Access List –Filter by source IP addresses only Extended Access List –Filter by Source IP, Destination IP, Protocol Field, Port Number Named Access List –Functionally the same as standard and extended access lists.

14 Application of Access Lists Inbound Access Lists –Packets are processed before being routed to the outbound interface. –Any packets that are denied won’t be routed because they are discarded before the routing process. Outbound Access Lists –Packets are routed to the outbound interface & then processed through the access list

15 ACL Guidelines One access list per interface, per protocol, per direction Place more specific tests at the top of the ACL New lists are placed at the bottom of the ACL Individual lines cannot be removed – (must start over!) –So, save your ACLs to a text file; when finished, copy it to the router. If you have to edit the ACL, do it in the text file. End ACLs with a permit any command (this prevents you from shutting down an interface accidentally) Create ACLs & then apply them to an interface ACLs do not filter traffic originated from the router Put Standard ACLs close to the destination (SAD) Put Extended ACLs close the source (EAD)

16 Standard IP Access Lists Router# config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list ? IP standard access list IP extended access list IPX SAP access list Extended 48-bit MAC address access list IPX summary address access list IP standard access list (expanded range) Protocol type-code access list DECnet access list Appletalk access list 48-bit MAC address access list IPX standard access list IPX extended access list These numbers are ranges of specific types of ACLs

17 Standard IP Access Lists Creating a standard IP access list: Router(config)#access-list 10 ? deny Specify packets to reject permit Specify packets to forward Permit or deny? Router(config)#access-list 10 deny ? Hostname or A.B.C.D Address to match any any source host host A single host address Using the host command Router(config)#access-list 10 deny host 172.16.30.2

18 Wildcards What are they ??? –Used with access lists to specify a…. Host Network Part of a network A wildcard mask is a 32-bit quantity that is divided into four octets (like an IP address or a subnet mask, although it has nothing to do with subnet masking). A wildcard mask is paired with an IP address. Wildcards are used when you don’t want the ACL to apply to a single address, or to an entire network (or subnet). Wildcards let you specify which group of addresses the ACL should apply to.

19 Block Sizes 64321684 Rules: –When specifying a range of addresses, choose the closest block size For example, if you want to block a range of 12 addresses, choose a block size of 16, provided the 16 numbers cover the entire 12 addresses that you want to block. –Each block size must start at 0 Because of this, the number in the wildcard mask will always be one number less than the associated block size; e.g., for a block size of 8 in the last octet, the wildcard mask would be 0.0.0.7 See next page for more examples. –A ‘0’ in a wildcard means that octet must match exactly –A ‘255’ in a wildcard means that octet can be any value –The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255

20 Specifying a Range of Subnets (Remember: specify a range of values in a block size) Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8 Network number = 172.16.8.0 Wildcard = 0.0.7.255 **The wildcard is always one number less than the block size

21 Standard ACL Example 1: Prevent Sales users accessing Finance Lab_A(config)#access-list 10 deny Sales Lab_A(config)#access-list 10 permit any Lab_A(config)#int e1 Lab_A(config)#ip access-group 10 out

22 Standard ACL example 2: Prevent Accounting users accessing HR server Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31 Lab_B(config)#access-list 10 permit any Lab_B(config)#int e0 Lab_B(config)#ip access-group 10 out

23 Standard ACL Example 3: Prevent the four LAN users accessing the Internet R(config)#access-list 10 deny 172.16.88.0 0.0.7.255 R(config)#access-list 10 deny 172.16.192.0 0.0.63.255 R(config)#access-list 10 deny 172.16.48.0 0.0.15.255 R(config)#access-list 10 deny 172.16.128.0 0.0.31.255 R(config)#access-list 10 permit any R(config)#int s0 R(config)#ip access-group 10 out

24 Controlling VTY (Telnet) Access Why?? –Without an ACL any user can Telnet into the router via VTY and gain access Controlling access –Create a standard IP access list Permitting only the host/hosts authorized to Telnet into the router –Apply the ACL to the VTY line with the access-class command

25 Example Lab_A(config)#access-list 50 permit 172.16.10.3 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 50 in (implied deny) (in other words, only the host at 172.16.10.3 can telnet into the router; all other hosts are denied.)

26 Extended IP Access Lists Allows you to choose... IP Source Address IP Destination Address Protocol Port number

27 Extended IP ACLs Router(config)#access-list ? IP standard access list IP extended access list IPX SAP access list Extended 48-bit MAC address access list IPX summary address access list Protocol type-code access list DECnet access list Appletalk access list 48-bit MAC address access list IPX standard access list IPX extended access list Router(config)# access-list 110 ? deny Specify packets to reject dynamic Specify a DYNAMIC list of PERMITs or DENYs permit Specify packets to forward

28 Extended IP ACLs Router(config)# access-list 110 deny ? An IP protocol number ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol igrp Cisco's IGRP routing protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol tcp Transmission Control Protocol udp User Datagram Protocol Router(config)# access-list 110 deny tcp ? A.B.C.D Source address any Any source host host A single source host

29 Extended IP ACL Steps #1: Select the access list: RouterA(config)#access-list 110 #2: Decide on deny or permit: RouterA(config)#access-list 110 deny #3: Choose the protocol type: RouterA(config)#access-list 110 deny tcp #4: Choose source IP address of the host or network: RouterA(config)#access-list 110 deny tcp any #5: Choose destination IP address RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 #6: Choose the type of service, port, & logging RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

30 Steps (cont.) RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log (continued from previous slide) Next (second) line in the ACL: RouterA(config)#access-list 110 permit ip any any Now, place the ACL on an interface, either inbound or outbound: RouterA(config)#ip access-group 110 in or RouterA(config)#ip access-group 110 out

31 Named Access Lists Another way to create standard and extended access lists. Allows the use of descriptive names to ease network management. Syntax changes: –Lab_A(config)#ip access-list standard BlockSales » (Or: “extended” BlockSales) –Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255 –Lab_A(config-std-nacl)#permit any Advantages: –The IOS does not limit the number of named ACLs that can be configured. Although the number of standard and extended ACLs is no longer 100 each. With the addition of numbers in the 2000-range, this is really no big deal. –Named ACLs provide the ability to modify ACLs without deletion and reconfiguration. But, a named access list will only allow for statements to be inserted at the end of a list, so the utility of this “advantage” is somewhat limited.

32 Monitoring IP ACLs: Show Commands Display all access lists & their parameters show access-list Show only the parameters for the access list 110 show access-list 110 Shows only the IP access lists configured show ip access-list Shows which interfaces have access lists set show ip interface Shows the access lists & which interfaces have access lists set show running-config

33 The End 33

Download ppt "1 Sybex CCNA 640-802 Chapter 10: Security. Chapter 10 Objectives The CCNA Topics Covered in this chapter include: Introduction to Security –Types of attacks."

Similar presentations

Student Guide www.visioninfosystems.org Access List.

Student Guide Access List.
Access Control List (ACL)

Access Control List (ACL)
CCENT Study Guide Chapter 12 Security.

CCENT Study Guide Chapter 12 Security.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
Basic IP Traffic Management with Access Lists

Basic IP Traffic Management with Access Lists
CIT 742: Network Administration and Security Mohammed A. Saleh 1.

CIT 742: Network Administration and Security Mohammed A. Saleh 1.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—6-1 Access Control Lists Introducing ACL Operation.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5.
NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.

NESCOT CATC1 Access Control Lists CCNA 2 v3 – Module 11.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.

Institute of Technology, Sligo Dept of Computing Access Control Lists Semester 3, Chapter 6.
CCNA 2 v3.1 Module 11.

CCNA 2 v3.1 Module 11.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Access Lists Lists of conditions that control access.

Access Lists Lists of conditions that control access.
Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.

Year 2 - Chapter 6/Cisco 3 - Module 6 ACLs. Objectives  Define and describe the purpose and operation of ACLs  Explain the processes involved in testing.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.

Similar presentations

Ads by Google