Download Extended access lists

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
Document related concepts

Telecommunication wikipedia , lookup

Transcript 
Sybex CCENT 100-101
Chapter 12: Security
Instructor & Todd Lammle
Chapter 12 Objectives
• The CCENT Topics Covered in this chapter
include:
•
IP Services
–
Describe the types, features, and applications of ACLs
•
•
•
•
•
•
–
–
Log option
Configure and verify ACLs in a network environment
•
•
•
•
Named
Numbered
Log option
Network Device Security
–
–
•
Standard
Sequence numbers
Editing
Extended
Named
Numbered
Configure and verify ACLs to filter network traffic
Configure and verify an ACLs to limit telnet and SSH access to the router
Troubleshooting
–
Troubleshoot and Resolve ACL issues
•
•
•
•
Statistics
Permitted networks
Direction
Interface
2
Figure 12.1: A typical secured network
The demilitarized zone (DMZ) can be global (real) Internet addresses or private
addresses, depending on how you configure your firewall, but this is typically where
you’ll find the HTTP, DNS, email, and other Internet-type corporate servers.
Introduction to Access Control Lists
• An access control list (ACL) is essentially a list
of conditions that categorize packets
• Allows you to exercise control over network
traffic
– Ex: Filter unwanted packets when implementing
security policies
• An ACL is like a series of if-then statements
– If a given condition is met a given action is taken
– If a the specific condition isn’t met, nothing happens
and the next statement is evaluated
Introduction to Access Control Lists
cont.
• ACLs can apply to either inbound or outbound traffic on any
interface
– An ACL causes the router to analyze every packet crossing that
interface in the specified direction and take the appropriate action
• Rules that a packet follows when it’s being compared with an ACL
Types of ACLs
There are two main types of access lists:
Standard access lists
These ACLs use only the source IP address in an IP packet as the condition test. All
decisions are made based on the source IP address. This means that standard access
lists basically permit or deny an entire suite of protocols. They don’t distinguish
between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.
Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4
headers of an IP packet. They can evaluate source and destination IP addresses, the
Protocol field in the Network layer header, and the port number at the Transport layer
header. This gives extended access lists the ability to make much more granular
decisions when controlling traffic.
Named access lists
Hey, wait a minute—I said there were only two types of access lists but listed three!
Well, technically there really are only two since named access lists are either standard
or extended and not actually a distinct type. I’m just distinguishing them because
they’re created and referred to differently than standard and extended access lists are,
but they’re still functionally the same.
Direction
• To use an ACL as a packet filter, you need to apply it
to an interface on the router where you want
• You also need to specify which direction of traffic
you want the ACL applied to
– You may want different control for inbound and outbound
traffic
– By specifying the direction of traffic, you can and must use
different access lists for inbound and outbound traffic on a
single interface:
Direction cont.
• Inbound access lists
– When an access list is applied to inbound packets on an
interface, those packets are processed through the access list
before being routed to the outbound interface. Any packets that
are denied won’t be routed because they’re discarded before the
routing process is invoked.
• Outbound access lists
– When an access list is applied to outbound packets on an
interface, packets are routed to the outbound interface and then
processed through the access list before being queued
• General guidelines
– You can assign only on ACL per interface per protocol per
direction
Notes
Notes cont.
Security threats ACLs can mitigate
ACLs configuration rules
• When configuring ACLs from the Internet to your
internal network to mitigate security problems
Standard Access Lists
• Filter network traffic by examining the source ID
address in a packet
• Use the access-list numbers 1-99 or in the
expanding range of 1300 – 1999
– The type of ACL is differentiated using a number
• Based on the number, the router knows which type of
syntax to expect as the list is entered
– By using the numbers1-99 or 1300-1999, you’re telling
the router to create a standard IP access list
– The router will expect syntax specifying only the
source IP address in the test lines
The protocols you can specify access for
Syntax of standard access lists
• Once you’ve chosen the access-list number, you need
to decide whether you’re creating a permit or deny
statement
Syntax of standard access lists cont.
Syntax of standard access lists cont.
Wildcard masking
• Wildcards are used with access lists to
specify
– An individual host, a network or a range of networks
• You have to specify the range of values in a block size
– Ex: the range can be 16,32, but not 20
• Whenever a zero is present, it indicates that octet in the
address must match the corresponding reference octet
exactly
• The value 255 specifies that an octet can be any value
Wildcard masking examples
Wildcard masking examples
Figure 12.2: IP access list example with
three LANs and a WAN connection
In Figure 12.2, a router has three LAN connections and one WAN connection to the
Internet. Users on the Sales LAN should not have access to the Finance LAN, but they
should be able to access the Internet and the marketing department files. The Marketing
LAN needs to access the Finance LAN for application services.
Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any
Lab_A(config)#int fa0/1
Lab_A(config-if)#ip access-group 10 out
Doing this completely stops traffic from 172.16.40.0
from getting out FastEthernet0/1. It has no effect on
the hosts from the Sales LAN accessing the
Marketing LAN and the Internet because traffic to
those destinations doesn’t go through interface
Fa0/1.
Figure 12.3: IP standard access list
example 2
Now we’re going to stop the Accounting users from accessing the Human Resources server
attached to the Lab_B router but allow all other users access to that LAN using a standard
ACL.
Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out
Keep in mind that to be able to answer this question correctly, you really need
to understand subnetting, wildcard masks, and how to configure and implement
ACLs. The accounting subnet is the 192.168.10.128/27, which is a 255.255.255.224,
with a block size of 32 in the fourth octet.
Figure 12.4: IP standard access list
example 3
Okay—you need to write an access list that will stop access from each of the four LANs shown
in the diagram to the Internet.
Here is an example of what your
answer should look like, beginning with
the network on E0 and working through to
E3:
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#interface serial 0
Router(config-if)#ip access-group 1 out
Extended Access Lists
• Allow to specify source and destination
address as well as the protocol and port
number that identify the upper layer
protocol or applications
– Allow users services access to a physical LAN
while denying them access to specific hosts
even specific services on those hosts
• Number range: 100—199, 2000--2699
Extended Access Lists: syntax
Extended Access Lists: syntax 2
Extended Access Lists: syntax 3
• If you want to filter by application layer protocol, you
have to chose the appropriate layer 4 transport protocol
after the permit or deny statement
• Ex: to filter telnet or FTP, choose TCP
Extended Access Lists: syntax 4
Figure 12.5: Extended ACL example 1
What do we need to do to deny access to a host at 172.16.50.5 on the
finance department LAN for both Telnet and FTP services? All other services
on this and all other hosts are acceptable for the sales and marketing
departments to access.
Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any
Lab_A(config)#int fa0/1
Lab_A(config-if)#ip access-group 110 out
The access-list 110 tells the router we’re creating an extended IP
ACL. The tcp is the protocol field in the Network layer header. If the
list doesn’t say tcp here, you cannot filter by TCP port numbers 21 and
23 as shown in the example.
Extended ACL example 2
Extended ACL example 3
Extended ACL example 3 cont.
Named ACLs
• Allow us to use names for creating and applying either
standard or extended access lists
• Ex: Re-create the standard access list in Figure 12.2
using a named ACL
ip access-list: enter a named access list
Named ACLs cont.
Named ACLs cont. 2
Remark
• A keyword used for comments
Table 12.1: Commands used to
verify access-list configuration
Written Labs and Review
Questions
– Read through the Exam Essentials
section together in class
– Open your books and go through all the
written labs and the review questions.
– Review the answers in class.
42
Related documents
Chapter 12
Chapter 12
Create a standard ACL that will deny traffic from 192
Create a standard ACL that will deny traffic from 192
Sample Quiz
Sample Quiz
access control list
access control list
Lab 5.5.2: Access Control Lists Challenge
Lab 5.5.2: Access Control Lists Challenge
C H A B O T O L L E G E
C H A B O T O L L E G E
Transcript: Network Hardening Techniques Part 1
Transcript: Network Hardening Techniques Part 1
Network Security
Network Security
No Slide Title
No Slide Title
Access Control Lists Lecture 1
Access Control Lists Lecture 1
Configuring RIP
Configuring RIP
Chapter 1
Chapter 1