lecture 5 – Access Control Lists


CIT 742: Network Administration and Security
Powered by DeSiaMore
Access Control Lists

 Security perimeters for both small and enterprise networks include border routers, firewalls, internal routers, intrusion detection systems (IDSs) and more.
 If network vulnerabilities are exploited, the result can be a major breakdown of a company's network.
 The Internet was designed to be a robust network; security was largely an afterthought, so most early IP implementations are insecure, and a great deal of work has since gone into adding security on top of them.
 Some security threats include:
   Application-layer attacks
   Rootkits
   Exploits
   Backdoors
   Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
   TCP SYN flood
   "Ping of Death" attacks
   IP spoofing
   Man-in-the-middle attacks
   Network reconnaissance
   Packet sniffers
   Password attacks
   Brute-force attack
   Port redirection attacks
   Trojan horse attacks and viruses
A typical secured network (diagram slide; the figure is not reproduced in this transcript)
Using Cisco IOS Firewall

 Mitigating some of the more common security threats can be achieved by using the IOS firewall. Features include:
 Stateful IOS firewall inspection engine
   This is your perimeter protection feature.
   Gives your internal users secure access control on a per-application basis: it tracks the sessions users open outbound and opens temporary inbound openings only for the matching return traffic, per application protocol.
   Often called context-based access control (CBAC).
 Intrusion detection
   This is a deep packet inspection tool that lets you monitor, intercept, and respond to abuse in real time.
 ICMP inspection
   Permits responses to ICMP packets such as ping and traceroute that originate inside your firewall while denying other ICMP traffic.
 Per-user firewalls
   Personalized, user-specific, downloadable firewalls obtained through service providers.
   You can also get personalized ACLs and other settings via AAA server profile storage.
 DoS detection and prevention
   This feature checks packet headers and drops any packets it finds suspicious. CBAC also counts half-open TCP sessions and begins dropping new connection attempts once their number crosses a configured threshold, which is what blunts a SYN flood.
 Policy-based, multi-interface support
   This allows you to control user access by IP address and interface depending on your security policy.
 Network Address Translation (NAT)
   This conceals the internal addressing from the outside. The protection comes from the stateful translation table (an unsolicited inbound packet has no entry and is dropped), not from the address rewriting itself, so NAT is not a substitute for a filtering policy.
 Peer router authentication
   This ensures that routers accept routing information only from authenticated, trusted neighbors, so a rogue device cannot inject bogus routes.
   For this to work, you need a routing protocol that supports authentication, such as RIPv2, EIGRP, or OSPF (all three support MD5-keyed neighbor authentication).
Introduction to Access Lists

 A lot like programming a series of if-then statements:
   If a given condition is met, then a given action is taken.
   If the specific condition isn't met, nothing happens, and the next statement is evaluated.
 Access lists are basically packet filters: each packet is compared against the list, classified by the first line it matches, and permitted or denied accordingly.
 Once the lists are built, they can be applied to either inbound or outbound traffic on any interface.
   Applying an ACL causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.

A packet follows a few important rules when it’s being
compared to an access list:



It’s always compared to each line of the access list in sequential
order; in other words, it’ll always start with the first line of the
access list, then go to line 2, then line 3, and so on.
It’s compared to lines of the access list only until a match is
made. Once the packet matches the condition on a line of the
access list, the packet is acted upon, and no further comparisons
take place.
There is an implicit “deny” at the end of each access list; this
means that if a packet doesn’t match the condition on any of the
lines in the access list, the packet will be discarded.
Powered by DeSiaMore
10
Two types of ACLs
1. Standard ACLs
   Use only the source IP address in an IP packet as the condition test.
   All decisions are made based on the source IP address.
   They basically permit or deny an entire suite of protocols.
   They don't distinguish between any of the many types of IP traffic such as WWW, Telnet, UDP, and so on.
2. Extended ACLs
   Can evaluate many of the other fields in the layer-3 and layer-4 headers of an IP packet.
   Evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header.
   Make much more granular decisions when controlling traffic.

 Named ACLs
   Can either be standard or extended; the list is identified by a name instead of a number.
 Security threats you can mitigate with ACLs:
   IP address spoofing—inbound
   IP address spoofing—outbound
   DoS TCP SYN attacks—blocking external attacks
   DoS TCP SYN attacks—using TCP intercept
   Filtering ICMP messages—inbound
   Filtering ICMP messages—outbound
   Filtering traceroute
 It is not wise to allow any IP packets coming into a private network that contain the source address of any internal hosts or networks—just don't do it! Such packets can only be spoofed. The same logic applies in reverse: packets leaving your network should carry only your own source addresses, which keeps your hosts from being used in spoofed attacks on others.
Standard ACLs

 Standard IP access lists filter network traffic by examining the source IP address in a packet.
 You create a standard IP access list by using the access-list numbers 1–99 or 1300–1999 (the expanded range).
 ACLs are differentiated using a number.
 Creating an access list and applying it to an interface:
   access-list - Configures a single access-list statement into a router's memory for use in a complete access list that will be applied to an interface.
   ip access-group - Places an access list on a device's physical interface, in a given direction (in or out).
 A standard ACL should be applied as close to the destination as possible, and in an "outbound" direction: because it matches only on source address, placing it near the source would cut that source off from every destination, not just the one you want to protect.
Standard ACLs: access-list command options

Option                   Meaning
-----------------------  ------------------------------------------------------------
<ID number>              Identifies an access list by number as a standard or
                         extended list. Also allows the creation and separation
                         of multiple access lists.
permit or deny           Specifies the effect of the access-list statement as
                         allowing or blocking the traffic specified.
hostname or IP address   Specifies the hostname or device's IP address that will
                         be acted upon in the access-list statement.
host                     Specifies a single specific host for the statement.
any                      Specifies that regardless of the host or device IP,
                         it will match the statement.
 access-list 10 deny host 172.16.30.2
   This tells the list to deny any packets from host 172.16.30.2. The host keyword is the default: if you type access-list 10 deny 172.16.30.2 with no mask, the router assumes you mean host 172.16.30.2 (a wildcard mask of 0.0.0.0).
Wildcard Masking
 Used with access lists to specify an individual host, a network, or a certain range of a network or networks.
 A wildcard mask is not a subnet mask: a 0 bit means the corresponding bit of the packet's address must equal the configured address, and a 1 bit means "don't care". 0.0.0.0 therefore matches exactly one host, and 255.255.255.255 matches anything (the same as the any keyword).
 The example below tells the router to match the first three octets exactly but that the fourth octet can be anything, i.e. every address from 172.16.10.0 to 172.16.10.255:

Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255
ip access-group 10 in

 The ip access-group command is entered in interface configuration mode on the interface you want to filter. Note that list 10 as shown contains only a deny statement; because of the implicit deny at the end, applying it would drop all traffic on that interface until a permit statement is added after it.
Controlling VTY (Telnet) Access

 Standard ACLs are used to stop unwanted users from getting Telnet access to a router.
 You need only to control where the user is coming from—their source IP address.
 To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY lines with the access-class command.
 An example of allowing only host 172.16.10.3 to telnet into a router:

Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

 Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which of the router's own IP addresses is used as the target. The access-class check applies to every connection to the vty lines, so the same restriction covers SSH sessions as well; since Telnet sends credentials in cleartext, SSH is the better choice for the lines anyway. Make sure the list is applied to every vty line the platform has (some have more than five), or the extra lines stay unprotected.
Extended ACLs

 Suppose a standard IP access list blocks all access from the sales LAN to the finance department.
   What if you needed sales to gain access to a certain server on the finance LAN but not to other network services for security reasons?
   A standard IP access list can't allow users to get to one network service and not another.
   A standard ACL won't make decisions based on both source and destination addresses.
   An extended ACL will.
 Extended access lists allow you to specify:
   source and destination addresses
   the protocol and port number that identify the upper-layer protocol or application
 Extended lists use the numbers 100–199 or 2000–2699. Because they can match on the destination, they are normally placed as close to the source as possible, so unwanted traffic is dropped before it crosses the network.
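The sales-to-finance scenario above and the inbound anti-spoofing rule from the earlier list of threats ACLs can mitigate are shown together in the following Python, an added example for this page rather than Cisco code or lecture material. It parses IOS-style extended access-list lines (protocol, source, destination, optional eq port) and evaluates packets against them. All addressing is hypothetical: sales LAN 172.16.40.0/24, finance LAN 172.16.50.0/24, finance web server 172.16.50.5, and an outside host 203.0.113.7. Only the eq port operator is handled; gt, lt, neq and range are rejected rather than silently ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ExtendedEntry:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" matches every protocol; otherwise "tcp"/"udp"/"icmp"
    src: Tuple[int, int]        # (network, wildcard) for the source address
    src_port: Optional[int]     # None = any port
    dst: Tuple[int, int]
    dst_port: Optional[int]


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: int, spec: Tuple[int, int]) -> bool:
    network, wildcard = spec
    return ((addr ^ network) & ~wildcard & 0xFFFFFFFF) == 0


def _take_address(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_to_int(tokens[i + 1]), 0), i + 2
    return (ip_to_int(tokens[i]), ip_to_int(tokens[i + 1])), i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq <port>'; other operators are out of scope here."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    if i < len(tokens) and tokens[i] in ("gt", "lt", "neq", "range"):
        raise ValueError(f"port operator {tokens[i]!r} not supported in this example")
    return None, i


def parse_extended_acl(config_lines, number: int):
    """'access-list N permit|deny <proto> <src> [eq p] <dst> [eq p]', kept in order."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, protocol = t[2], t[3]
        src, i = _take_address(t, 4)
        src_port, i = _take_port(t, i)
        dst, i = _take_address(t, i)
        dst_port, i = _take_port(t, i)
        if i != len(t):
            raise ValueError(f"unparsed trailing tokens in: {line}")
        entries.append(ExtendedEntry(action, protocol, src, src_port, dst, dst_port))
    return entries


def evaluate_extended(entries, protocol, src_ip, dst_ip, src_port=None, dst_port=None):
    """First matching line wins; no match falls through to the implicit deny."""
    s, d = ip_to_int(src_ip), ip_to_int(dst_ip)
    for position, e in enumerate(entries, start=1):
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if not (wildcard_match(s, e.src) and wildcard_match(d, e.dst)):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, position
    return "deny", None


# Constructed (hypothetical) sales-to-finance policy: web to one server only,
# nothing else into the finance LAN, everything else untouched.
SALES_TO_FINANCE = """
access-list 110 permit tcp 172.16.40.0 0.0.0.255 host 172.16.50.5 eq 80
access-list 110 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255
access-list 110 permit ip any any
""".strip().splitlines()

# Constructed inbound list for the Internet-facing interface: a packet arriving
# from outside with an internal source (172.16.0.0/16) can only be spoofed, so it
# is dropped on line 1 before any permit is consulted.
OUTSIDE_IN = """
access-list 120 deny ip 172.16.0.0 0.0.255.255 any
access-list 120 permit tcp any host 172.16.50.5 eq 443
""".strip().splitlines()


def demo():
    sf = parse_extended_acl(SALES_TO_FINANCE, 110)
    oi = parse_extended_acl(OUTSIDE_IN, 120)
    return {
        "sales_web_ok": evaluate_extended(sf, "tcp", "172.16.40.9", "172.16.50.5", 51000, 80),
        "sales_ssh_blocked": evaluate_extended(sf, "tcp", "172.16.40.9", "172.16.50.5", 51001, 22),
        "sales_other_finance": evaluate_extended(sf, "tcp", "172.16.40.9", "172.16.50.9", 51002, 80),
        "sales_elsewhere": evaluate_extended(sf, "udp", "172.16.40.9", "10.1.1.1", 5000, 53),
        "spoofed_inside": evaluate_extended(oi, "tcp", "172.16.40.9", "172.16.50.5", 40000, 443),
        "internet_https": evaluate_extended(oi, "tcp", "203.0.113.7", "172.16.50.5", 40001, 443),
        "internet_ssh": evaluate_extended(oi, "tcp", "203.0.113.7", "172.16.50.5", 40002, 22),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things to take from the results: the narrow permit has to precede the broader deny on list 110 or the web server becomes unreachable, and on list 120 the anti-spoofing deny stays first so a forged internal source is never given a chance to match the permit that follows.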
Questions