Exploration_Accessing_WAN_Chapter5
Download
Report
Transcript Exploration_Accessing_WAN_Chapter5
Access Control Lists
Accessing the WAN – Chapter 5
ITE I Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Objectives
Explain how ACLs are used to secure a medium-size
Enterprise branch office network.
Configure standard ACLs in a medium-size Enterprise
branch office network.
Configure extended ACLs in a medium-size
Enterprise branch office network.
Describe complex ACLs in a medium-size Enterprise
branch office network.
Implement, verify and troubleshoot ACLs in an
enterprise network environment.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
2
How ACLs are Used to Secure a Medium-Size
Enterprise Branch Office Network
What is ACL?
An ACL is a router configuration script that controls whether a router
permits or denies packets to pass based on criteria found in the packet
header.
Steps that occur in a complete TCP conversation
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
3
Conti…
ACLs control access to networks
Packet filtering works at Network Layer.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
4
Conti…
Flow chart to show how ACLs operate
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
5
A general rule for applying ACLs
One ACL per protocol One ACL per direction
One ACL per interface
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
6
Conti…
ACLs perform the following tasks:
– Limit network traffic to increase network performance
– Provide a basic level of security for network access.
– Decide which types of traffic to forward or block at the router interfaces.
– Control which areas a client can access on a network.
– Screen hosts to permit or deny access to network services.
– ACLs inspect network packets based on criteria, such as source address, destination
address, protocols, and port numbers.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
7
How ACLs Work
Inbound ACLs
Outbound ACLs
ACL statements operate in sequential order. They evaluate packets
against the ACL, from the top down, one statement at a time.
A final implied statement covers all packets for which conditions did not
test true. This final test condition matches all other packets and results in
a "deny" instruction.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
8
Types of ACLs
Standard ACLs
Standard ACLs allow you to permit or deny traffic from source IP
addresses. The destination of the packet and the ports involved do not
matter. Range from 1-99
Extended ACLs
Extended ACLs filter IP packets based on several attributes, for example,
protocol type, source and destination IP address, destination IP address,
source TCP or UDP ports, destination TCP or UDP ports
Naming ACLs
Using numbered ACLs is an effective method for determining the ACL
type on smaller networks with more homogeneously defined traffic.
However, a number does not inform you of the purpose of the ACL. For
this reason, starting with Cisco IOS Release 11.2, you can use a name to
identify a Cisco ACL.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
9
Conti…
The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name
and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
10
Where to place ACLs
Every ACL should be placed where it has the greatest impact on
efficiency. The basic rules are:
– Locate extended ACLs as close as possible to the source of the traffic denied. This way,
undesirable traffic is filtered without crossing the network infrastructure.
– Because standard ACLs do not specify destination addresses, place them as close to the
destination as possible.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
11
General Guide Lines for Creating ACLs
Base your ACLs on the security policy of the organization.
Prepare a description of what you want your ACLs to do.
Use a text editor to create, edit and save ACLs.
Test your ACLs on a development network before implementing them on a
production network.
Benefits
This will ensure you implement organizational security guidelines.
This will help you avoid inadvertently creating potential access problems.
This will help you create a library of reusable ACLs.
This will help you avoid costly errors.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
12
Configuring Standard ACL
Router(config)#access-list access-list-number [deny | permit | remark]
source [source-wildcard]
E.g
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
The any and host Keywords
After a standard ACL is configured, it is linked to an interface using the ip
access-group command:
Router(config-if)#ip access-group 1 out
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
13
Host and Any
Example 1
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit any
Example 2
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit host 192.168.10.10
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
14
Conti…
Cisco ACLs can be identified using standardized
numbering or names
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
15
Conti…
Where ACLs should be placed in a network
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
16
Applying ACL
Apply a standard ACL to an interface
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
17
Controlling VTY Access
R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit 192.168.11. 0.0.0.255
R1(config)#access-list 10 deny any
Implementing ACL on vty
R1(config)#line vty 0 4
R1(config-line)#password secret
R1(config-line)#login
R1(config-line)#access-class 10 in
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
18
Named ACLs
R1(config)#ip access-list standard NO_ACCESS
R1(config-std-nacl)#deny host 192.168.11.10
R1(config-std-nacl)#permit 192.168.11.0 0.0.0.255
R1(config)#interface fa0/0
R1(config-if)#ip access-group NO_ACCESS out
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
19
Testing for ports and services
Using port numbers
R1(config)#access-list 101 permit tcp any eq 23
R1(config)#access-list 101 permit tcp any eq 21
R1(config)#access-list 101 permit tcp any eq 20
Using service name
R1(config)#access-list 101 permit tcp any eq telnet
R1(config)#access-list 101 permit tcp any eq ftp
R1(config)#access-list 101 permit tcp any eq ftp-data
Or
R1(config)#access-list 101 permit tcp any eq ?
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
20
Types of Complex ACLs
Dynamic ACLs
Lock-and-key is a traffic filtering security feature that uses dynamic ACLs,
which are sometimes referred to as lock-and-key ACLs. Lock-and-key is
available for IP traffic only.
Users who want to traverse the router are blocked by the extended ACL
until they use Telnet to connect to the router and are authenticated. The
Telnet connection is then dropped, and a single-entry dynamic ACL is
added to the extended ACL that exists.
Reflexive ACLs
Network administrators use reflexive ACLs to allow IP traffic for sessions
originating from their network while denying IP traffic for sessions
originating outside the network.
Time-based ACLs
Time-based ACLs allow for access control based on time. To implement
time-based ACLs, you create a time range that defines specific times of
the day and week.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
21
Verifying ACLs
How to monitor and verify ACLs
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
22
Describe Complex ACLs in a Medium-Size
Enterprise Branch Office Network
Describe how to troubleshoot common ACL problems
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
23
Implement, Verify and Troubleshoot ACLs
in an Enterprise Network Environment
Create, place and verify a standard/ extended ACL and
verify its placement.
Verify ACL’s functionality and troubleshoot as needed.
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
24
Summary
An Access List (ACL) is:
A series of permit and deny statements that are used to filter
traffic
Standard ACL
–Identified by numbers 1 - 99 and 1300 - 1999
–Filter traffic based on source IP address
Extended ACL
–Identified by number 100 -199 & 2000 - 2699
–Filter traffic based on
•Source IP address
•Destination IP address
•Protocol
•Port number
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
25
Summary
Named ACL
–Used with IOS 11.2 and above
–Can be used for either standard or extended ACL
ACL’s use Wildcard Masks (WCM)
–Described as the inverse of a subnet mask
•Reason
–0 check the bit
–1 ignore the bit
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
26
Summary
Implementing ACLs
–1st create the ACL
–2nd place the ACL on an interface
•Standard ACL are placed nearest the destination
•Extended ACL are placed nearest the source
Use the following commands for verifying &
troubleshooting an ACL
–Show access-list
–Show interfaces
–Show run
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
27
Summary
Complex ACL
–Dynamic ACL
–Reflexive ACL
–Time based ACL
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
28
ITE 1 Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
29