What is ACL?


Access Control Lists
Accessing the WAN – Chapter 5
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Objectives

• Explain how ACLs are used to secure a medium-size Enterprise branch office network.
• Configure standard ACLs in a medium-size Enterprise branch office network.
• Configure extended ACLs in a medium-size Enterprise branch office network.
• Describe complex ACLs in a medium-size Enterprise branch office network.
• Implement, verify and troubleshoot ACLs in an enterprise network environment.
What is ACL?
An Access Control List (ACL) is a list of packet filter rules that defines whether a specified type of communication is allowed or denied.
It does a job similar to that of a more complex firewall.
ACL rules
• An ACL is a list of rules that is evaluated from the top of the list and stops at the first match (lunch example).

Lunch list:
1. Allow Rice
2. Allow Potato
3. Deny Hamburger
4. Allow Tomato
5. Allow Hamburger (never reached, because line 3 already matched)
6. Deny Tomato (never reached, because line 4 already matched)
Implicit rule at the end of the list: DENY anything not mentioned here

Can I eat Potato? First matching rule is on line 2 - ALLOW
Can I eat Hamburger? First matching rule is on line 3 - DENY
Can I eat Tomato? First matching rule is on line 4 - ALLOW
Can I eat Ham? It is not mentioned anywhere, so the implicit rule at the end of the list applies - DENY
Explain How ACLs are Used to Secure a
Medium-Size Enterprise Branch Office Network
• Explain how a packet filter allows or blocks traffic
Explain How ACLs are Used to Secure a
Medium-Size Enterprise Branch Office Network
• Describe how ACLs control access to networks
ACL types
• numbered: standard, extended
• named: standard, extended
• Standard – decision made only by the source host/network address
• Extended – decision made by more complex criteria:
• source or destination host/network address
• protocol used
• in the case of TCP/UDP – the service that is used (port)
Explain How ACLs are Used to Secure a
Medium-Size Enterprise Branch Office Network
• Explain how Cisco ACLs can be identified using standardized numbering or names
ACL syntax
Before we start writing rules, we need to understand the term wildcard mask!
Wildcard mask – tells us which bits of the IP address must be checked against the corresponding reference IP address.
• A 0 bit in the wildcard mask represents a bit that needs to be checked
• A 1 bit in the wildcard mask represents a bit that can be ignored
Example:
Wildcard mask 0.0.0.255 in binary:
00000000.00000000.00000000.11111111
This tells us that the first 24 bits of the IP address need to be checked.
Let's do the practice…
Which bits of the IP address need to be checked when we want to be sure that the last octet holds a number between 128 and 255?
Examples:
192.168.1.128 – 11000000.10101000.00000001.10000000
10.10.30.129 – 00001010.00001010.00011110.10000001
5.5.5.255 – 00000101.00000101.00000101.11111111
128 – 10000000
129 – 10000001
130 – 10000010
131 – 10000011
They all have the 25th bit set to 1, because that is what makes the last octet at least 128.
Wildcard mask:
11111111.11111111.11111111.01111111
255.255.255.127
Let's do the practice… (continued)
The wildcard mask on its own is not enough, because a wildcard mask is always paired with a reference IP address that says which bit values we expect in the checked bits. In our case we expect a 1 in the 25th bit (as in 128 – 10000000, 129 – 10000001, 130 – 10000010, 131 – 10000011), so the reference address must carry a 1 there and the mask leaves every other bit unchecked.
Wildcard mask:
11111111.11111111.11111111.01111111
255.255.255.127
Second trial…
Which combination of IP address and wildcard mask do we need to use when we want to check whether a packet has an address from the address space 192.168.1.0/24 and an even number between 128 and 255 in the last octet?
Examples:
192.168.1.128 – 11000000.10101000.00000001.10000000
192.168.1.130 – 11000000.10101000.00000001.10000010
192.168.1.132 – 11000000.10101000.00000001.10000100
192.168.1.254 – 11000000.10101000.00000001.11111110

Step by step:
• Wildcard mask 11111111.11111111.11111111.11111111 – it is not necessary to check any bits.
• Which bits need to be checked so we will be sure it is from 192.168.1.0/24? Check the first 24 bits of the IP address. Wildcard mask: 00000000.00000000.00000000.11111111
• Which bits need to be checked so we will be sure it is a number between 128 and 255 in the last octet? Check the first 25 bits of the IP address. Wildcard mask: 00000000.00000000.00000000.01111111
• Which bits need to be checked so we will be sure it is an even number in the last octet? Check the first 25 bits and the 32nd bit of the IP address. Wildcard mask: 00000000.00000000.00000000.01111110

Corresponding pair:
IP: e.g. 192.168.1.136
Wildcard: 0.0.0.126
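The two ideas the slides build up, wildcard-mask matching against a reference address and top-down first-match evaluation with the implicit deny at the end, can be checked in a few lines of Python. This is an added example and not code from the Cisco slides; the `Rule`, `Packet`, `wildcard_match` and `evaluate` names, the reference address 0.0.0.128 used for the "25th bit is 1" mask, and the three-line extended ACL policy are all constructed for the illustration.

```python
# Added example (not from the Cisco slides): wildcard-mask matching and
# top-down, first-match ACL evaluation with the implicit deny at the end.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, reference: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means the packet bit
    must equal the reference bit, a 1 bit means the packet bit is ignored.
    The reference address supplies the expected values for the checked bits."""
    care = ip_to_int(wildcard) ^ 0xFFFFFFFF  # invert: 1 = compare this bit
    return (ip_to_int(addr) & care) == (ip_to_int(reference) & care)


@dataclass
class Rule:
    """One ACL line. A standard ACL uses only src/src_wc; the remaining
    fields default to 'match anything', so the same class covers extended ACLs."""
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # every bit ignored = any destination
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # None = any port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, rule.src, rule.src_wc):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching line decides. If nothing
    matches, the implicit deny at the end applies (reported as line None)."""
    for line_no, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, line_no
    return "deny", None


# Constructed extended ACL (hypothetical policy, not from the slides):
#  1. permit HTTP from the even hosts 128-254 of 192.168.1.0/24 (the slide's
#     192.168.1.136 / 0.0.0.126 pair) to any destination
#  2. deny everything else from 192.168.1.0/24
#  3. permit all remaining traffic
EXAMPLE_ACL = [
    Rule("permit", "192.168.1.136", "0.0.0.126", proto="tcp", dport=80),
    Rule("deny", "192.168.1.0", "0.0.0.255"),
    Rule("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    # "25th bit must be 1": reference 0.0.0.128 (assumed), wildcard 255.255.255.127
    print(wildcard_match("10.10.30.129", "0.0.0.128", "255.255.255.127"))  # True
    print(wildcard_match("10.10.30.127", "0.0.0.128", "255.255.255.127"))  # False
    # even hosts 128-254 inside 192.168.1.0/24
    print(wildcard_match("192.168.1.254", "192.168.1.136", "0.0.0.126"))  # True
    print(wildcard_match("192.168.1.129", "192.168.1.136", "0.0.0.126"))  # False
    for p in (Packet("192.168.1.130", "10.0.0.5", "tcp", 80),   # ('permit', 1)
              Packet("192.168.1.131", "10.0.0.5", "tcp", 80),   # ('deny', 2)
              Packet("172.16.0.1", "10.0.0.5", "udp", 53)):     # ('permit', 3)
        print(p.src, evaluate(EXAMPLE_ACL, p))
```

Dropping the final `permit any` line from `EXAMPLE_ACL` is the quickest way to see the implicit deny: a packet from 172.16.0.1 then matches nothing and `evaluate` returns `("deny", None)`, which is exactly why a list that only contains deny statements blocks all traffic on the interface it is applied to.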
Numbered ACL
Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
• Explain the process for editing numbered ACLs
Named ACL
Configure Standard ACLs in a Medium-Size Enterprise Branch Office Network
• Describe how to monitor and verify ACLs
Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
• Describe how to apply an extended ACL to an interface
Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
• Describe how to create named extended ACLs
Describe Complex ACLs in a Medium-Size
Enterprise Branch Office Network
• List the three types of complex ACLs
Describe Complex ACLs in a Medium-Size
Enterprise Branch Office Network
• Explain how and when to use dynamic ACLs
Describe Complex ACLs in a Medium-Size
Enterprise Branch Office Network
• Explain how and when to use reflexive ACLs
Describe Complex ACLs in a Medium-Size
Enterprise Branch Office Network
• Explain how and when to use time-based ACLs
Describe Complex ACLs in a Medium-Size
Enterprise Branch Office Network
• Describe how to troubleshoot common ACL problems
Implement, Verify and Troubleshoot ACLs
in an Enterprise Network Environment
• Create, place and verify a standard/extended ACL and verify its placement.
• Verify the ACL's functionality and troubleshoot as needed.
Summary
• An Access List (ACL) is:
A series of permit and deny statements that are used to filter traffic
• Standard ACL
– Identified by numbers 1 - 99 and 1300 - 1999
– Filters traffic based on source IP address
• Extended ACL
– Identified by numbers 100 - 199 and 2000 - 2699
– Filters traffic based on
• Source IP address
• Destination IP address
• Protocol
• Port number
Summary
• Named ACL
– Used with IOS 11.2 and above
– Can be used for either a standard or an extended ACL
• ACLs use Wildcard Masks (WCM)
– Described as the inverse of a subnet mask
• Reason:
– 0 means check the bit
– 1 means ignore the bit
Summary
• Implementing ACLs
– 1st create the ACL
– 2nd place the ACL on an interface
• Standard ACLs are placed nearest the destination
• Extended ACLs are placed nearest the source
• Use the following commands for verifying and troubleshooting an ACL
– show access-list
– show interfaces
– show run
Summary
• Complex ACL
– Dynamic ACL
– Reflexive ACL
– Time-based ACL
End of presentation
Thank you for your attention
Modern education for the knowledge society.
The project is co-financed by EU funds.