Download Security and Access Control Lists (ACLs)

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts

Computer network wikipedia , lookup

Airborne Networking wikipedia , lookup

Deep packet inspection wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Wake-on-LAN wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Network tap wikipedia , lookup

Wireless security wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Transcript 
Security and
Access Control Lists (ACLs)
Malin Bornhager
Halmstad University
Session Number
Version 2002-1
© 2002, Svenska-CNAP Halmstad University
1
Objectives
• Security Threats
• Access Control List Fundamentals
• Access Control Lists (ACLs)
Configuration
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
2
Why is network security important?
• Networks have grown in both size and
importance
• Loss of privacy, theft of information, legal
liability
• The types of potential threats to network
security are always evolving
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
3
Common Security Threats
Three common factors in network security:
• Vulnerability
– Degree of weakness in routers, switches,
desktops, servers, and security devices
– Technological, configuration and security
policy weaknesses
• Threat
– People interested and qualified in taking
advantage of each weakness
• Attack
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
4
Types of Network Attacks
• Reconnaissance
– Unauthorized discovery and mapping of systems,
services or vulnerabilities
• Access
– Gain access to a device
• Denial of Service (DoS)
– Disables or corrupts networks
• Worms, viruses and Trojan horses
– Damage or corrupt a system
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
5
Host and Server Based Security
• Antivirus software
• Personal firewalls
• OS patches
• Intrusion Detection Systems (IDS) can
detect attacks against a network and send
logs to a management console
• Intrusion Prevention Systems (IPS) can
prevent attacks from being executed
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
6
Router Security
• Manage router security
• Secure remote access
• Logging router activity
• Secure vulnerable router services and
interfaces
• Secure routing protocols
• Control and filter network traffic
• SDM can be used to configure security
features on Cisco IOS based routers
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
7
Security Device Manager - SDM
• Cisco Router and Security Device Manager
that simplifies router and security
configuration
• Easy-to-use, web-based devicemanagement tool
• Automatic router security management
• Supports a wide range of Cisco IOS
software releases
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
8
What are ACLs?
• ACLs are lists of instructions you apply to
a router's interface to tell the router what
kinds of packets to accept and what kinds
to deny.
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
9
Introduction to ACLs
• Lists of conditions
• Filter network traffic
• Accept or Deny
• Secure access to and from a network
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
10
Introduction to ACLs
• Per protocol
– IP
– IPX
– AppleTalk
• Per direction
– In
– Out
• Per port
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
11
Example
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
12
ACLs can be used to:
• Limit network traffic and increase network
performance
• Provide traffic flow control (restrict
routing updates)
• Basic level of security for network access
• Traffic types forwarded or blocked
• Control access to areas
• Permit or deny host access to network
segment
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
13
How ACLs Work
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
14
Protocols with ACLs Specified by
Numbers
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
15
The Function of a Wildcard Mask
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
16
Standard ACLs
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
17
Extended ACLs
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
18
Named ACLs
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
19
Placing ACLs
• Standard ACLs should be placed close to the
destination.
• Extended ACLs should be placed close to the source.
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
20
Creating ACLs
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
21
Verifying ACLs
• There are many show commands that will
verify the content and placement of ACLs
on the router.
–show ip interface
–show access-lists
–Show running-config
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
22
Restricting Virtual Terminal Access
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
23
Example
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
RouterB
s1
.1
.1 e0
e0
Sales
Administration
172.16.10.3/24
172.16.10.2/24
172.16.40.0/24
Port
80
172.16.30.3/24
172.16.30.2/24
s0
.2 RouterC
.1 e0
Engineering
172.16.50.3/24
172.16.50.2/24
Task
•
What if we want to deny only the Engineering workstation 172.16.50.2 to be able
to access the web server in Administrative network with the IP address
172.16.10.2 and port address 80.
•
All other traffic is permitted.
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
24
Example
172.16.20.0/24
RouterA
.1
s0
s0
.1
.2
172.16.40.0/24
RouterB
s0
.2 RouterC
.1 e0
.1 e0
e0
Sales
Administration
Port
80
172.16.10.3/24
172.16.10.2/24
s1
.1
Engineering
172.16.30.3/24
172.16.30.2/24
172.16.50.3/24
172.16.50.2/24
RouterC(config)#access-list 110 deny tcp host 172.16.50.2 host
172.16.10.2 eq 80
RouterC(config)#permit any any
RouterC(config)#interface e 0
RouterC(config-if)#ip access-group 110 in
•
•
Why is better to place the ACL on RouterC instead of RouterA?
Why is the e0 interface used instead of s0 on RouterC?
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
25
Summary
• List of permit and deny statements
• Order of statements important
• Placement of ACLs important
• 32-bit wildcard mask
• Standard ACLs check the source
• Extended ACLs provides a greater range
of control
Version 2002-1
© 2002, Svenska-CNAP / Halmstad University.
26
Related documents
Ecology and Environmental Science
Ecology and Environmental Science
does geographic distance always translate to
does geographic distance always translate to
Lab 5.5.2: Access Control Lists Challenge
Lab 5.5.2: Access Control Lists Challenge
Security: Protection Mechanisms, Trusted Systems
Security: Protection Mechanisms, Trusted Systems
Extended access lists
Extended access lists
Spanning Tree Protocol Inter-VLAN Routing
Spanning Tree Protocol Inter-VLAN Routing
common network terms - Amazon Web Services
common network terms - Amazon Web Services
Packet Tracer Scenario
Packet Tracer Scenario
C H A B O T O L L E G E
C H A B O T O L L E G E
CARDIAC ARREST CARD
CARDIAC ARREST CARD
6.4.3.3 Packet Tracer - EdTechnology, educational technology
6.4.3.3 Packet Tracer - EdTechnology, educational technology
Chapter 1 - William Stallings, Data and Computer Communications
Chapter 1 - William Stallings, Data and Computer Communications
EC310: Applications of Cyber Engineering Alpha: ____________________ Exam #2
EC310: Applications of Cyber Engineering Alpha: ____________________ Exam #2
Lecture 2 - Adresses and subnet masks
Lecture 2 - Adresses and subnet masks
3 Router Configuration - Cisco Networking Academy
3 Router Configuration - Cisco Networking Academy