Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
CIT 742: Network Administration and Security DeSiaMore Powered by DeSiaMore 1 Access Control Lists Perimeters for security for both small and enterprise networks include route, firewalls, internal routers, IDs and many more. If network vulnerabilities are exploited this can cause a major breakdown in a company’s network Inventions of the internet only considered it to be a robust network, overlooking the security issue related to it as a result a lot has been done to implement security most IP implementations are insecure Some security threats include: Powered by DeSiaMore 2 Cont … Application-layer attacks Rootkits Exploits Backdoors Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks TCP SYN flood “Ping of Death” attacks IP spoofing Man-in-the-middle attacks Network reconnaissance Powered by DeSiaMore 3 Cont … Packet sniffers Password attacks Brute-force attack Port redirection attacks Trojan horse attacks and viruses Powered by DeSiaMore 4 A typical secured network Powered by DeSiaMore 5 Using Cisco IOS Firewall Mitigating some of the more common security threats can be achieved by using the IOS firewall. Features include: Stateful IOS firewall inspection engine This is your perimeter protection feature Gives your internal users secure access control on a perapplication basis. Often called context-based access control (CBAC). Intrusion detection This is a deep packet inspection tool that lets you monitor, intercept, and respond to abuse in real-time Powered by DeSiaMore 6 Cont … ICMP inspection Per-user firewalls Permits responses to ICMP packets such as ping and traceroute that come from inside your firewall while denying other ICMP traffic. Personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage. DoS detection and prevention This is a feature that checks packet headers and drops any packets it finds suspicious. Powered by DeSiaMore 7 Cont … Policy-based, multi-interface support Network Address Translation (NAT) This allows you to control user access by IP address and interface depending on your security policy. This conceals the internal network from the outside, which increases security. Peer router authentication This guarantees that routers are getting dependable routing information from actual, trusted sources. For this to work, you need a routing protocol that supports authentication such as RIPv2, EIGRP, or OSPF. Powered by DeSiaMore 8 Introduction to Access Lists A lot like programming a series of if-then statements if a given condition is met, then a given action is taken If the specific condition isn’t met, nothing hap- pens, and the next statement is evaluated Basically packet filters that packets are compared against, categorized by, and acted upon accordingly Once the lists are built, they can be applied to either inbound or outbound traffic on any interface Applying an ACL causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action. Powered by DeSiaMore 9 Cont … A packet follows a few important rules when it’s being compared to an access list: It’s always compared to each line of the access list in sequential order; in other words, it’ll always start with the first line of the access list, then go to line 2, then line 3, and so on. It’s compared to lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon, and no further comparisons take place. There is an implicit “deny” at the end of each access list; this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded. Powered by DeSiaMore 10 Two types of ACLs 1. Standard ACLs 2. Use only the source IP address in an IP packet as the condition test All decisions are made based on the source IP address They basically permit or deny an entire suite of protocols They don’t distinguish between any of the many types of IP traffic such as WWW, Telnet, UDP, and so on. Extended ACLs Can evaluate many of the other fields in the layer- 3 and layer-4 headers of an IP packet Evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header Make much more granular decisions when controlling traffic. Powered by DeSiaMore 11 Cont … Names ACLs Can either be standard or extended Security threats you can mitigate with ACLs: IP address spoofing—inbound IP address spoofing—outbound DoS TCP SYN attacks—blocking external attacks DoS TCP SYN attacks—using TCP intercept Filtering ICMP messages—inbound Filtering ICMP messages—outbound Filtering traceroute Not wise to allow any IP packets coming into a private network that contain the source address of any internal hosts or networks—just don’t do it! Powered by DeSiaMore 12 Standard ACLs Standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 ACLs are differentiated using a number. Creating an Access-list and Applying it to an Interface access-list - Configures a single access-list statement into a router’s memory for use in a complete access list that will be applied to an interface ip access-group - Places an access list on a device’s physical interface A standard ACL should apply closest to the destination an in an “outbound” direction Powered by DeSiaMore 13 Standard ACLs Option Meaning <ID number> Identifies an access list by number as a standard or extended list. Also allows the creation and separation of multiple access lists. Permit or deny Specifies the effect of the access-list statement as allowing or blocking the traffic specified. hostname or IP address Specifies the hostname or device’s IP address that will be acted upon in the access-list statement. host Specifies a single specific host for the statement. any Specifies that regardless of the host or device IP, it will match the statement. Powered by DeSiaMore 14 Cont … access-list 10 deny host 172.16.30.2 This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. the router assumes you mean host 172.16.30.2. Wildcard Masking Used with access lists to specify an individual host, a network, or a certain range of a network or networks An example below tells the router to match the first three octets exactly but that the fourth octet can be anything: Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255 ip access-group 10 in Powered by DeSiaMore 15 Controlling VTY (Telnet) Access 1. 2. Standard ACLs are used to stop unwanted users from telnet access on a large router. You need only to control where the user is coming from—their source IP address. To perform this function, follow these steps: Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers. Apply the access list to the VTY line with the accessclass command Powered by DeSiaMore 16 Cont … An example of allowing only host 172.16.10.3 to telnet into a router: Lab_A(config)#access-list 50 permit 172.16.10.3 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 50 in Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which individual IP address on the router is used as a target. Powered by DeSiaMore 17 Extended ACLs In the standard IP access list blocking all access from the sales LAN to the finance department What if you needed sales to gain access to a certain server on the finance LAN but not to other network services for security reasons? A standard IP access list can’t allow users to get to one network service and not another. A standard ACL won’t make decisions based on both source and destination addresses An extended ACL will Powered by DeSiaMore 18 Extended ACLs Extended access lists allow you to specify: source and destination addresses protocol and port number that identify the upper-layer protocol or application Powered by DeSiaMore 19 Questions Powered by DeSiaMore