Class Power Points for Chapter #10
Download
Report
Transcript Class Power Points for Chapter #10
Sybex CCNA 640-802
Chapter 10: Security
1
Chapter 10 Objectives
The CCNA Topics Covered in this chapter include:
• Introduction to Security
– Types of attacks
– Mitigating attacks
– Types of hardware used for defense: Firewalls
• Application Layer Gateways (ALGs)
• Packet Filtering
• Stateful Packet Filtering
• Access-lists
–
–
–
–
Standard
Extended
Named
Monitoring Access-lists
2
Earliest firewalls
?
What is the air-speed
velocity of an unladen swallow?
(c) University of Technology, Sydney
2000 - 2004
3
Introduction to Security
ACLs
sometimes
go here
Any server that handles a
lot of internet traffic should
be placed in the DMZ.
This allows the “trusted”,
inner network to be
protected from the dangers
of the Internet.
The web and email servers
above are placed here, as
well as DNS, proxy, reverse
proxy, FTP and VoIP servers.
ACLs
normally
go here
DMZ between Internet and Network
(between the barbarians and the Keep)
Web server
DMZ
(c) University of Technology, Sydney
2000 - 2004
5
Firewalls: Application Layer Gateway
• The ALG intercepts and establishes connections to the Internet
hosts on behalf of the client.
• See notes
Firewalls: Stateful Packet Filtering
• Stateless ACLs filter traffic based on source and destination IP addresses,
TCP and UDP port numbers, TCP flags, and ICMP types and codes.
• Stateful inspection then remembers certain details, or the state of that
request.
• See notes
Attacks
•
•
•
•
•
APPLICATION-LAYER ATTACKS
AUTOROOTERS
BACKDOORS
DENIAL OF SERVICE (DOS) AND
DISTRIBUTED DENIAL OF SERVICE
(DDOS) ATTACKS
– (AND MANY OTHERS) - (see text pp 612-13)
– Note: The underlying reason why so many attacks against networks are
successful is that when networking in general and the Internet specifically
were being developed, security was simply not an issue.
– Not only the structure of networks, but the applications themselves were
created with no thought that they might someday be exploited by hackers.
For examples try “googling” “network security structure” or some such
combination of words
Mitigating Attacks
• The book mentions ASA (Adaptive Security Appliance) products.
They are the best thing going but they run on expensive hardware
and are beyond the scope of the CCNA exam.
– Cisco firewalls have their own IOS. Some hardware
and features are:
– Appliances
• IDS: Intrusion Detection System
• IPS: Intrusion Prevention System
– the book rolls the description of both of these appliances into the
IDS blurb, so beware; the IDS detects the threat and sends a
message. You need an IPS or some other device to actually
respond to the intrusion.
– Stateful IOS Firewall Inspection Engine (AKA CBAC,
for context-based access control)
• Allows you to use ACLs efficiently to filter traffic, detect intrusions, etc.
• (See: power point on CBAC)
Mitigating Attacks
– Firewall Voice Traversal
• a VoIP feature
– ICMP Inspection
• An ACL can be a blunt instrument, either allowing or
denying all ICMP packets (PING, Traceroute, etc.) This
feature allows you to respond to internal ICMP packets
while blocking external ones
– Authentication Proxy
• HTTP, HTTPS, FTP, and Telnet
authentication
• Provides dynamic, per-user
authentication and authorization
via TACACS+ and RADIUS
protocols
Access Lists
Purpose:
• Used to permit or deny packets
moving through the router
• Permit or deny Telnet (VTY)
access to or from a router
• Create dial-on demand (DDR)
“interesting traffic” that triggers
dialing to a remote location
Important Rules
• Packets are compared to each line of the assess list
in sequential order
• Packets are compared with lines of the access list
only until a match is made
– Once a match is made & acted upon no further
comparisons take place!
• An implicit “deny” is at the end of each access list
– If no matches have been made, the packet will be
discarded
Two Types of Access Lists
• Standard Access List
– Filter by source IP addresses only
• Extended Access List
– Filter by
•
•
•
•
Source IP,
Destination IP,
Protocol Field,
Port Number
• Named Access List
– Functionally the same as standard and extended access
lists.
Application of Access Lists
• Inbound Access Lists
– Packets are processed before being routed to the
outbound interface.
– Any packets that are denied won’t be routed
because they are discarded before the routing
process.
• Outbound Access Lists
– Packets are routed to the outbound interface &
then processed through the access list
ACL Guidelines
• One access list per interface, per protocol, per
direction
• Place more specific tests at the top of the ACL
• New lists are placed at the bottom of the ACL
• Individual lines cannot be removed – (must start over!)
– So, save your ACLs to a text file; when finished, copy it to the
router. If you have to edit the ACL, do it in the text file.
• End ACLs with a permit any command (this prevents
you from shutting down an interface accidentally)
• Create ACLs & then apply them to an interface
• ACLs do not filter traffic originated from the router
• Put Standard ACLs close to the destination (SAD)
• Put Extended ACLs close the source
(EAD)
Standard IP Access Lists
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
<1-99>
IP standard access list
<100-199>
IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299>
Protocol type-code access list
<300-399>
DECnet access list
<600-699>
Appletalk access list
<700-799>
48-bit MAC address access list
<800-899>
IPX standard access list
<900-999>
IPX extended access list
These numbers are ranges of specific types of ACLs
Standard IP Access Lists
• Creating a standard IP access list:
Router(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
• Permit or deny?
Router(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any
any source host
host
A single host address
• Using the host command
Router(config)#access-list 10 deny host 172.16.30.2
Wildcards
• What are they ???
– Used with access lists to specify a….
• Host
• Network
• Part of a network
• A wildcard mask is a 32-bit quantity that is divided
into four octets (like an IP address or a subnet mask,
although it has nothing to do with subnet masking).
• A wildcard mask is paired with an IP address.
• Wildcards are used when you don’t want the ACL to
apply to a single address, or to an entire network (or
subnet).
• Wildcards let you specify which group of addresses
the ACL should apply to.
Block Sizes
64
32
16
8
4
• Rules:
– When specifying a range of addresses, choose the closest block size
• For example, if you want to block a range of 12 addresses, choose a block
size of 16, provided the 16 numbers cover the entire 12 addresses that you
want to block.
– Each block size must start at 0
• Because of this, the number in the wildcard mask will always be one number
less than the associated block size; e.g., for a block size of 8 in the last
octet, the wildcard mask would be 0.0.0.7 See next page for more
examples.
– A ‘0’ in a wildcard means that octet must match exactly
– A ‘255’ in a wildcard means that octet can be any value
– The command any is the same thing as writing out the wildcard:
0.0.0.0 255.255.255.255
Specifying a Range of Subnets
(Remember: specify a range of values in a block size)
Requirement: Block access in the range from 172.16.8.0
through 172.16.15.0 = block size 8
Network number = 172.16.8.0
Wildcard
= 0.0.7.255
**The wildcard is always one number less than the block size
Standard ACL Example 1:
Prevent Sales users accessing Finance
Lab_A(config)#access-list 10 deny Sales
Lab_A(config)#access-list 10 permit any
Lab_A(config)#int e1
Lab_A(config)#ip access-group 10 out
Standard ACL example 2:
Prevent Accounting users accessing HR server
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#int e0
Lab_B(config)#ip access-group 10 out
Standard ACL Example 3:
Prevent the four LAN users accessing the Internet
R(config)#access-list 10 deny 172.16.88.0 0.0.7.255
R(config)#access-list 10 deny 172.16.192.0 0.0.63.255
R(config)#access-list 10 deny 172.16.48.0 0.0.15.255
R(config)#access-list 10 deny 172.16.128.0 0.0.31.255
R(config)#access-list 10 permit any
R(config)#int s0
R(config)#ip access-group 10 out
Controlling VTY (Telnet) Access
• Why??
– Without an ACL any user can Telnet into the
router via VTY and gain access
• Controlling access
– Create a standard IP access list
• Permitting only the host/hosts authorized to Telnet into
the router
– Apply the ACL to the VTY line with the
access-class command
Example
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
(implied deny)
(in other words, only the host at 172.16.10.3 can telnet into the router;
all other hosts are denied.)
Extended IP Access Lists
• Allows you to choose...
•
•
•
•
IP Source Address
IP Destination Address
Protocol
Port number
Extended IP ACLs
Router(config)#access-list ?
<1-99>
IP standard access list
<100-199>
IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299>
Protocol type-code access list
<300-399>
DECnet access list
<600-699>
Appletalk access list
<700-799>
48-bit MAC address access list
<800-899>
IPX standard access list
<900-999>
IPX extended access list
Router(config)# access-list 110 ?
deny
Specify packets to reject
dynamic
Specify a DYNAMIC list of PERMITs or DENYs
permit
Specify packets to forward
Extended IP ACLs
Router(config)# access-list 110 deny ?
<0-255>
ahp
eigrp
esp
gre
icmp
igmp
igrp
ip
ipinip
nos
ospf
pcp
tcp
udp
An IP protocol number
Authentication Header Protocol
Cisco's EIGRP routing protocol
Encapsulation Security Payload
Cisco's GRE tunneling
Internet Control Message Protocol
Internet Gateway Message Protocol
Cisco's IGRP routing protocol
Any Internet Protocol
IP in IP tunneling
KA9Q NOS compatible IP over IP tunneling
OSPF routing protocol
Payload Compression Protocol
Transmission Control Protocol
User Datagram Protocol
Router(config)# access-list 110 deny tcp ?
A.B.C.D
Source address
any
Any source host
host
A single source host
Extended IP ACL Steps
#1: Select the access list:
RouterA(config)#access-list 110
#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny
#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp
#4: Choose source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any
#5: Choose destination IP address
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
#6: Choose the type of service, port, & logging
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
Steps (cont.)
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
(continued from previous slide)
Next (second) line in the ACL:
RouterA(config)#access-list 110 permit ip any any
Now, place the ACL on an interface, either inbound or outbound:
RouterA(config)#ip access-group 110 in
or
RouterA(config)#ip access-group 110 out
Named Access Lists
• Another way to create standard and extended access lists.
• Allows the use of descriptive names to ease network management.
• Syntax changes:
– Lab_A(config)#ip access-list standard BlockSales
»
(Or: “extended” BlockSales)
– Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
– Lab_A(config-std-nacl)#permit any
• Advantages:
– The IOS does not limit the number of named ACLs that
can be configured.
• Although the number of standard and extended ACLs is no longer
100 each. With the addition of numbers in the 2000-range, this is
really no big deal.
– Named ACLs provide the ability to modify ACLs without
deletion and reconfiguration.
• But, a named access list will only allow for statements to be
inserted at the end of a list, so the utility of this “advantage” is
Monitoring IP ACLs: Show Commands
• Display all access lists & their parameters
show access-list
• Show only the parameters for the access list 110
show access-list 110
• Shows only the IP access lists configured
show ip access-list
• Shows which interfaces have access lists set
show ip interface
• Shows the access lists & which interfaces have access lists set
show running-config
The End
33