Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration Access Lists.

Similar presentations


Presentation on theme: "CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration Access Lists."— Presentation transcript:

1 CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration Access Lists

2 CIT 384: Network AdministrationSlide #2 Topics 1.Access Lists 2.Wildcard Masks 3.Standard ACLs 4.Extended ACLs 5.Examples 6.Named ACLs 7.Reflexive ACLs

3 CIT 384: Network AdministrationSlide #3 Access Control Lists ACLs cause routers to filter packets –Packets specified by IP address, protocol, etc. –Used to protect network from attacks.

4 CIT 384: Network AdministrationSlide #4 What You Can Do Filter packets based on:  IP address packet is coming from  IP address packet is going to  Network protocol (ICMP, TCP, BGP, etc.)  TCP/UDP port packet is coming from  TCP/UDP port packet is going to  TCP flags (SYN,ACK,RST,etc.) set in packet

5 CIT 384: Network AdministrationSlide #5 What You Can Do Using packet filtering you can:  Prevent any outside IP address from connecting to the telnet port on any of your networks.  Allow certain IP addresses to connect to the ssh port on a single server on your network.  Allow anyone to connect via HTTP or HTTPS to your web server.

6 CIT 384: Network AdministrationSlide #6 What You Can’t Do Basic packet filtering isn’t powerful enough to:  Specify which users can login via telnet from the outside.  Limit which files can be transferred out of your network.  Prevent people from tunneling IM protocols over outbound HTTP connections.

7 CIT 384: Network AdministrationSlide #7 Where Can ACLs Be Used On each interface inbound: before routing decisions outbound: after reouting decisions

8 CIT 384: Network AdministrationSlide #8 Wildcard Masks Wildcard masks –Define portion of IP address to be ignored. –0s for matching bits, 1s for wildcard bits –Logical inverse of a subnet mask Wildcard MaskBinaryDescription 0.0.0.000000000.00000000.00000000.00000000Entire IP must match 0.0.0.25500000000.00000000.00000000.111111111 st 24 bits must match 0.0.15.25500000000.00000000.00001111.111111111 st 20 bits must match 0.0.3.25500000000.00000000.00000011.111111111 st 22 bits must match

9 CIT 384: Network AdministrationSlide #9 Computing Wildcard Masks Take network address + netmask to block 172.16.8.0 255.255.252.0 Subtract subnet mask from 255.255.255.255 255.255.255.255 - 255.255.252.0 0. 0. 3.255

10 CIT 384: Network AdministrationSlide #10 Types of Cisco ACLs Standard ACLs Filter based on source IP address. Extended ACLs Filter based on source + destination IP address. Filter based on protocol and port information. Time-based ACLs Filter based on date and time. Context-based ACLs Stateful packet filtering with dynamic ACLs

11 CIT 384: Network AdministrationSlide #11 Access List Numbering Numeric RangeAccess List Type 1-99Standard ACLs 100-199Extended ACLs 200-299Ethernet Type Code 700-799Transparent Bridging 1100-1199Extended Transparent 1300-1999Standard ACLs 2000-2699Extended ACLs 2700-2999SS7 (voice) ACLs

12 CIT 384: Network AdministrationSlide #12 Standard ACLs access-list # action source [wildcard_mask] access-list 1 remark Stop traffic from Bob. access-list 1 deny 172.16.3.10 0.0.0.0 access-list 1 permit 0.0.0.0 255.255.255.255 interface fa0/1 ip address 172.16.1.1 255.255.255.0 ip access-group 1 out Bob 172.16.3.10 fa0/0 172.16.3.0/24 fa0/1 172.16.1.0/24

13 CIT 384: Network AdministrationSlide #13 Standard ACLs access-list 1 remark Stop traffic from Bob. access-list 1 deny host 172.16.3.10 access-list 1 permit any interface fa0/1 ip address 172.16.1.1 255.255.255.0 ip access-group 1 out Bob 172.16.3.10 fa0/0 172.16.3.0/24 fa0/1 172.16.1.0/24

14 CIT 384: Network AdministrationSlide #14 Extended ACLs access-list # action protocol source [source_wildcard] [s-port] destination [dest_wildcard] [d-port] [precedence #] [tos #] [established] access-list 101 remark Stop A from telneting to B. access-list 101 deny tcp any any eq 23 access-list 101 permit ip any any interface fa0/0 ip access-group 101 in fa0/0 fa0/1 A B

15 CIT 384: Network AdministrationSlide #15 Specifying Ports lt n All ports less than n gt n All ports greater than n eq n Port n neq n All ports except for n range n m All ports from n through m, inclusive.

16 CIT 384: Network AdministrationSlide #16 established keyword Used to matched established TCP connections –Matches packets with either ACK or RST set. –Only 1 st TCP packet does not have these flags. –Used to allow response packets to outgoing connections. access-list 110 permit tcp any any established access-list 110 deny ip any any access-list 111 permit tcp any any eq telnet access-list 111 deny ip any any interface fa0/0 access-group 110 in access-group 111 out

17 CIT 384: Network AdministrationSlide #17 ACL Processing Access lists processed sequentially 1.If rule matches, permit or deny action is taken. 2.If not, processing goes on to next list. 3.Last entry typically permit or denies any. 4.Router adds a deny all to the end of all ACLs. For best perf, place most used entries at top.

18 CIT 384: Network AdministrationSlide #18 Example: outbound telnet Client on internal net telnets to external server. –Must allow outgoing packets to send commands. –Must allow incoming packets to receive responses.

19 CIT 384: Network AdministrationSlide #19 Outgoing Packets  Source IP of packets is client’s IP address.  Dest IP of packets is server’s IP address.  Protocol type is TCP.  TCP destination port is 23.  TCP source port is a random port X >1023.  1st outgoing packet will establish connect with SYN flag set.  Remaining outgoing packets will have ACK flag set.

20 CIT 384: Network AdministrationSlide #20 Incoming Packets  Source IP of packets is server’s IP address.  Dest IP of packets is client’s IP address.  Protocol type is TCP.  TCP source port is 23.  TCP destination port is same random port X >1023.  All incoming packets will have ACK flag set.

21 CIT 384: Network AdministrationSlide #21 Example: outbound telnet DirSrcDestProtoS.PortD.PortACK?Action OutIntAnyTCP>102323EitherAccept InAnyIntTCP23>1023YesAccept EitherAny EitherDeny 1.Rule allows outgoing telnet packets. 2.Rule allows response packets back in. 3.Rule denies all else, following Principle of Fail- Safe Defaults.

22 CIT 384: Network AdministrationSlide #22 Example: outbound telnet access-list 110 permit tcp any gt 1023 any eq telnet access-list 110 deny ip any any access-list 111 permit tcp any eq telnet any gt 1023 established access-list 111 deny ip any any interface fa0/1 access-group 110 out access-group 111 in

23 CIT 384: Network AdministrationSlide #23 Preventing IP Spoofing Must occur on Internet gateway router. Incoming packets from your IP range are spoofed. Or there’s an unexpected egress to your network. ! ACL to block IP address spoofing access-list 111 deny ip 170.170.7.0 0.0.0.255 any access-list 111 permit ip any any ! Internet interface; to block spoofing interface serial0 ip access-group 111 in

24 CIT 384: Network AdministrationSlide #24 Editing Access Lists Adding a new line access list 1 deny host 10.10.10.1 Added to end of ACL (before implicit deny) Any other modification 1.Create access list with new number 2.Change interface to use new ACL 3.Delete old ACL ( no access list 1 ) 4.Create copy of new ACL with old number 5.Change interface to use old ACL # 6.Delete new ACL #

25 CIT 384: Network AdministrationSlide #25 Named ACLs Advantages –Use names to identify purpose of ACLs. –Can insert, delete, and modify entries in ACL. Router(config)#ip access-list extended barney Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255 Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 ! The next statement is purposefully wrong so that the process of changing ! the list can be seen. Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2 Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2 Router(config-ext-nacl)#permit ip any any Router(config-ext-nacl)#interface serial

26 CIT 384: Network AdministrationSlide #26 Editing Named ACLs Router(config)#ip access-list extended barney Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 Router(config-ext-nacl)#^Z Router#show access-list Extended IP access list barney 10 permit tcp host 10.1.1.2 eq www any 20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255 30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 50 deny ip host 10.1.1.130 host 10.1.3.2 60 deny ip host 10.1.1.28 host 10.1.3.2 70 permit ip any any Note that no 40 would have performed the same deletion.

27 CIT 384: Network AdministrationSlide #27 Applying ACLs to Lines Use access-class instead of access-group line vty 0 4 login password cisco access-class 10 in

28 CIT 384: Network AdministrationSlide #28 Reflexive ACLs Allow creation of dynamic ACLs. –Outbound list creates entries in temporary ACL –Inbound list filters based on temporary ACL Use to manage user sessions –Opens filter for response packets to connection. –Unlike established, only opens filter for packets that are responses to current sessions. –Established always allows ACK|RST from any IP –Reflexive entries timeout if no traffic for 300s.

29 CIT 384: Network AdministrationSlide #29 Reflexive ACLs Outbound List ip access-list extended outlist ! Allow all and add to reflexive list tmplist permit tcp any any reflect tmplist Inbound List ip access-list extended inlist ! allow TCP port 80 to internal web server permit tcp any host 10.10.10.1 eq www ! evaluate temporary reflexive list created by outlist evaluate tmplist ! deny anything that reaches this point deny ip any any

30 CIT 384: Network AdministrationSlide #30 Logging ACL Use Use log keyword to log usage of ACL. Router1(config)# access-list 120 permit ip any any log Router1(config)# interface fa0/1 Router1(config-if)# ip access-group 150 in Apr 6 20:33:17: %SEC-6-IPACCESSLOGRP: list 120 permitted ospf 1.1.1.1 -> 224.0.0.5, 9 packets Apr 6 20:33:17: %SEC-6-IPACCESSLOGDP: list 120 permitted icmp 1.1.1.1 -> 1.1.1.2 (0/0), 4 packets

31 CIT 384: Network AdministrationSlide #31 References 1.James Boney, Cisco IOS in a Nutshell, 2 nd edition, O’Reilly, 2005. 2.D. Brent Chapman, Simon Cooper, and Elizabeth D. Zwicky, Building Internet Firewalls, 2 nd edition, O’Reilly, 2000. 3.Cisco, Cisco Connection Documentation, http://www.cisco.com/univercd/home/home.htm http://www.cisco.com/univercd/home/home.htm 4.Cisco, Internetworking Basics, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_do c/introint.htm http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_do c/introint.htm 5.Gary A. Donahue, Network Warrior, O’Reilly, 2007. 6.Wendell Odom, CCNA Official Exam Certification Library, 3 rd edition, Cisco Press, 2007. 7.Jeff Sedayao, Cisco IOS Access Lists, O’Reilly, 2001.


Download ppt "CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration Access Lists."

Similar presentations


Ads by Google