Introduction
Download
Report
Transcript Introduction
CIT 384: Network Administration
Access Lists
CIT 384: Network Administration
Slide #1
Topics
1.
2.
3.
4.
5.
6.
7.
Access Lists
Wildcard Masks
Standard ACLs
Extended ACLs
Examples
Named ACLs
Reflexive ACLs
CIT 384: Network Administration
Slide #2
Access Control Lists
ACLs cause routers to filter packets
– Packets specified by IP address, protocol, etc.
– Used to protect network from attacks.
CIT 384: Network Administration
Slide #3
What You Can Do
Filter packets based on:
IP address packet is coming from
IP address packet is going to
Network protocol (ICMP, TCP, BGP, etc.)
TCP/UDP port packet is coming from
TCP/UDP port packet is going to
TCP flags (SYN,ACK,RST,etc.) set in packet
CIT 384: Network Administration
Slide #4
What You Can Do
Using packet filtering you can:
Prevent any outside IP address from connecting
to the telnet port on any of your networks.
Allow certain IP addresses to connect to the ssh
port on a single server on your network.
Allow anyone to connect via HTTP or HTTPS to
your web server.
CIT 384: Network Administration
Slide #5
What You Can’t Do
Basic packet filtering isn’t powerful enough to:
Specify which users can login via telnet from the
outside.
Limit which files can be transferred out of your
network.
Prevent people from tunneling IM protocols over
outbound HTTP connections.
CIT 384: Network Administration
Slide #6
Where Can ACLs Be Used
On each interface
inbound: before routing decisions
outbound: after reouting decisions
CIT 384: Network Administration
Slide #7
Wildcard Masks
Wildcard masks
– Define portion of IP address to be ignored.
– 0s for matching bits, 1s for wildcard bits
– Logical inverse of a subnet mask
Wildcard Mask
Binary
Description
0.0.0.0
00000000.00000000.00000000.00000000
Entire IP must match
0.0.0.255
00000000.00000000.00000000.11111111
1st 24 bits must match
0.0.15.255
00000000.00000000.00001111.11111111
1st 20 bits must match
0.0.3.255
00000000.00000000.00000011.11111111
1st 22 bits must match
CIT 384: Network Administration
Slide #8
Computing Wildcard Masks
Take network address + netmask to block
172.16.8.0 255.255.252.0
Subtract subnet mask from 255.255.255.255
-
255.255.255.255
255.255.252.0
0. 0. 3.255
CIT 384: Network Administration
Slide #9
Types of Cisco ACLs
Standard ACLs
Filter based on source IP address.
Extended ACLs
Filter based on source + destination IP address.
Filter based on protocol and port information.
Time-based ACLs
Filter based on date and time.
Context-based ACLs
Stateful packet filtering with dynamic ACLs
CIT 384: Network Administration
Slide #10
Access List Numbering
Numeric Range
Access List Type
1-99
Standard ACLs
100-199
Extended ACLs
200-299
Ethernet Type Code
700-799
Transparent Bridging
1100-1199
Extended Transparent
1300-1999
Standard ACLs
2000-2699
Extended ACLs
2700-2999
SS7 (voice) ACLs
CIT 384: Network Administration
Slide #11
Standard ACLs
access-list # action source [wildcard_mask]
access-list 1 remark Stop traffic from Bob.
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
interface fa0/1
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
fa0/1
172.16.1.0/24
CIT 384: Network Administration
fa0/0
Bob
172.16.3.10
172.16.3.0/24
Slide #12
Standard ACLs
access-list 1 remark Stop traffic from Bob.
access-list 1 deny host 172.16.3.10
access-list 1 permit any
interface fa0/1
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
Bob
fa0/1
172.16.1.0/24
CIT 384: Network Administration
fa0/0
172.16.3.10
172.16.3.0/24
Slide #13
Extended ACLs
access-list # action protocol source [source_wildcard]
[s-port] destination [dest_wildcard] [d-port]
[precedence #] [tos #] [established]
access-list 101 remark Stop A from telneting to B.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface fa0/0
ip access-group 101 in
fa0/0
A
CIT 384: Network Administration
fa0/1
B
Slide #14
Specifying Ports
lt n
All ports less than n
gt n
All ports greater than n
eq n
Port n
neq n
All ports except for n
range n m
All ports from n through m, inclusive.
CIT 384: Network Administration
Slide #15
established keyword
Used to matched established TCP connections
– Matches packets with either ACK or RST set.
– Only 1st TCP packet does not have these flags.
– Used to allow response packets to outgoing connections.
access-list
access-list
access-list
access-list
110
110
111
111
permit tcp any any established
deny ip any any
permit tcp any any eq telnet
deny ip any any
interface fa0/0
access-group 110 in
access-group 111 out
CIT 384: Network Administration
Slide #16
ACL Processing
Access lists processed sequentially
1.
2.
3.
4.
If rule matches, permit or deny action is taken.
If not, processing goes on to next list.
Last entry typically permit or denies any.
Router adds a deny all to the end of all ACLs.
For best perf, place most used entries at top.
CIT 384: Network Administration
Slide #17
Example: outbound telnet
Client on internal net telnets to external server.
– Must allow outgoing packets to send commands.
– Must allow incoming packets to receive responses.
CIT 384: Network Administration
Slide #18
Outgoing Packets
Source IP of packets is client’s IP address.
Dest IP of packets is server’s IP address.
Protocol type is TCP.
TCP destination port is 23.
TCP source port is a random port X >1023.
1st outgoing packet will establish connect with SYN flag set.
Remaining outgoing packets will have ACK flag set.
CIT 384: Network Administration
Slide #19
Incoming Packets
Source IP of packets is server’s IP address.
Dest IP of packets is client’s IP address.
Protocol type is TCP.
TCP source port is 23.
TCP destination port is same random port X >1023.
All incoming packets will have ACK flag set.
CIT 384: Network Administration
Slide #20
Example: outbound telnet
1. Rule allows outgoing telnet packets.
2. Rule allows response packets back in.
3. Rule denies all else, following Principle of FailSafe Defaults.
Dir
Src
Dest
Proto S.Port
D.Port ACK? Action
Out
Int
Any
TCP
>1023
23
Either
Accept
In
Any
Int
TCP
23
>1023
Yes
Accept
Any
Any
Any
Any
Either
Deny
Either Any
CIT 384: Network Administration
Slide #21
Example: outbound telnet
access-list 110 permit tcp any gt 1023 any eq telnet
access-list 110 deny ip any any
access-list 111 permit tcp any eq telnet any gt 1023 established
access-list 111 deny ip any any
interface fa0/1
access-group 110 out
access-group 111 in
CIT 384: Network Administration
Slide #22
Preventing IP Spoofing
Must occur on Internet gateway router.
Incoming packets from your IP range are spoofed.
Or there’s an unexpected egress to your network.
! ACL to block IP address spoofing
access-list 111 deny ip 170.170.7.0 0.0.0.255 any
access-list 111 permit ip any any
! Internet interface; to block spoofing
interface serial0
ip access-group 111 in
CIT 384: Network Administration
Slide #23
Editing Access Lists
Adding a new line
access list 1 deny host 10.10.10.1
Added to end of ACL (before implicit deny)
Any other modification
1.
2.
3.
4.
5.
6.
Create access list with new number
Change interface to use new ACL
Delete old ACL (no access list 1)
Create copy of new ACL with old number
Change interface to use old ACL #
Delete new ACL #
CIT 384: Network Administration
Slide #24
Named ACLs
Advantages
– Use names to identify purpose of ACLs.
– Can insert, delete, and modify entries in ACL.
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
! The next statement is purposefully wrong so that the process of changing
! the list can be seen.
Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#interface serial
CIT 384: Network Administration
Slide #25
Editing Named ACLs
Router(config)#ip access-list extended barney
Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#^Z
Router#show access-list
Extended IP access list barney
10 permit tcp host 10.1.1.2 eq www any
20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
50 deny ip host 10.1.1.130 host 10.1.3.2
60 deny ip host 10.1.1.28 host 10.1.3.2
70 permit ip any any
Note that no 40 would have performed the same deletion.
CIT 384: Network Administration
Slide #26
Applying ACLs to Lines
Use access-class instead of access-group
line vty 0 4
login
password cisco
access-class 10 in
CIT 384: Network Administration
Slide #27
Reflexive ACLs
Allow creation of dynamic ACLs.
– Outbound list creates entries in temporary ACL
– Inbound list filters based on temporary ACL
Use to manage user sessions
– Opens filter for response packets to connection.
– Unlike established, only opens filter for packets
that are responses to current sessions.
– Established always allows ACK|RST from any IP
– Reflexive entries timeout if no traffic for 300s.
CIT 384: Network Administration
Slide #28
Reflexive ACLs
Outbound List
ip access-list extended outlist
! Allow all and add to reflexive list tmplist
permit tcp any any reflect tmplist
Inbound List
ip access-list extended inlist
! allow TCP port 80 to internal web server
permit tcp any host 10.10.10.1 eq www
! evaluate temporary reflexive list created by outlist
evaluate tmplist
! deny anything that reaches this point
deny ip any any
CIT 384: Network Administration
Slide #29
Logging ACL Use
Use log keyword to log usage of ACL.
Router1(config)# access-list 120 permit ip any any log
Router1(config)# interface fa0/1
Router1(config-if)# ip access-group 150 in
Apr 6 20:33:17: %SEC-6-IPACCESSLOGRP: list 120
permitted ospf 1.1.1.1 -> 224.0.0.5, 9 packets
Apr 6 20:33:17: %SEC-6-IPACCESSLOGDP: list 120
permitted icmp 1.1.1.1 -> 1.1.1.2 (0/0), 4 packets
CIT 384: Network Administration
Slide #30
References
1.
2.
3.
4.
5.
6.
7.
James Boney, Cisco IOS in a Nutshell, 2nd edition,
O’Reilly, 2005.
D. Brent Chapman, Simon Cooper, and Elizabeth D.
Zwicky, Building Internet Firewalls, 2nd edition, O’Reilly,
2000.
Cisco, Cisco Connection Documentation,
http://www.cisco.com/univercd/home/home.htm
Cisco, Internetworking Basics,
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc
/introint.htm
Gary A. Donahue, Network Warrior, O’Reilly, 2007.
Wendell Odom, CCNA Official Exam Certification
Library, 3rd edition, Cisco Press, 2007.
Jeff Sedayao, Cisco IOS Access Lists, O’Reilly, 2001.
CIT 384: Network Administration
Slide #31