Post on 03-Apr-2018
Access Control Lists (Beyond Standard and Extended)
www.ine.com
Copyright © www.INE.com
Course Prerequisites and Assumptions
» Prerequisite = CCNA ACL Videos
» ACLs are used as a classification tool by many different features…this course will concentrate on using ACLs purely for packet filtering.
Agenda
» Using L4/L5 Extensions in Access-Lists
» Reflexive Access-Lists
» Dynamic Access-Lists
» Using Object-Groups with ACLs
» Time-Based Access-Lists
» Access-List Logging Options
Review Quiz #1
» Shown below are some examples of the first few IOS commands to configure various access-lists.
» Which of these, if completed, will only allow matching on the source IP address of a packet?
A. access-list 85 permit ……..
B. access-list 100 permit ……..
C. access-list 156 permit ……..
D. access-list 1450 permit ……..
E. access-list 2420 permit ……..
Review Quiz #2
» Given the following access-list and topology, which of the statements are true?
access-list 1 permit 150.75.1.0 255.255.254.254
interface FastEthernet0/0
 ip access-group 1 in
A. None of these PCs will be able to reach the server.
B. All of these PCs will be able to reach the server.
C. Only PC-A and PC-C will be able to reach the server.
D. Only PC-A and PC-B will be able to reach the server.
E. Only PC-B will be able to reach the server.
Review Quiz #3
» The three IP addresses below share some common bits. Create a named, standard access-list called “INE” that contains only a single ACE which will permit any packet from these source addresses and any other addresses matching only these common bits:
21.45.0.242
88.243.0.138
178.101.0.135
Using L4/ L5 extensions in ACLs
Accessing Layer-4/ 5 ACL Options
» Extended ACLs provide the ability to match on Layer-4 and/or Layer-5 information.
» Must supply the “tcp” or “udp” keyword as the top-level protocol.
[Screenshot 1: Only L3 options are available.]
[Screenshot 2: L3-L5 options are available.]
Matching on TCP/UDP Port Numbers
» Session-Layer Port Numbers may be matched in a variety of ways:
 • eq 23 (matching on an exact port number that “equals” the supplied value)
 • lt 1000 (matching on any value “less than” the supplied value)
 • gt 500 (matching on any value “greater than” the supplied value)
 • neq 20 (matching on any value “not equal to” the supplied value)
 • range 100-200 (matching on any value in the supplied range of values)
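The five operators above in one extended ACL, as an added example that is not from the INE slides. The addresses (10.1.0.0/16 and 10.2.0.0/16 as internal subnets, 192.0.2.10 as the protected host) are constructed for illustration. Note that IOS writes the range operator with a space (`range 100 200`), not the hyphen used on the slide, and that an operator placed right after the source address matches the source port while one placed after the destination matches the destination port:

```cisco
! Added example (not the slides' configuration). Subnets and the host
! 192.0.2.10 are constructed values.
ip access-list extended L4_DEMO
 remark eq: Telnet to the management host only (exact destination port)
 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 23
 remark gt: source port must be above 1023 (operator after the source)
 permit tcp any gt 1023 host 192.0.2.10 eq www
 remark range: block the port range used by a lab application
 deny  tcp any host 192.0.2.10 range 100 200
 remark lt: DNS to the resolver only, nothing else below 1024
 permit udp any host 192.0.2.10 eq 53
 deny  udp any host 192.0.2.10 lt 1024
 remark neq: everything from the lab except a source port of 20
 permit tcp 10.2.0.0 0.0.255.255 neq 20 any
 remark explicit final deny with logging for visibility
 deny  ip any any log
!
interface FastEthernet0/0
 ip access-group L4_DEMO in
```

Verify with `show ip access-lists L4_DEMO`; the per-ACE match counters show which operator a test packet hit.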
How would you do this?
» Network Engineers within the Corporate Intranet should be able to open TCP sessions to devices within the Testing Lab.
» Deny any devices from within the lab from initiating outbound TCP sessions to the Corporate Intranet.
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16]
How would you do this?
» When TCP segments are received on Fast0/0 as a response from sessions initiated from within the Corporate Intranet, what will they all have in common?
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16. Flow shown: TCP Flags=Sync → TCP Flags=Sync+ACK → TCP Flags=ACK → TCP Flags=ACK (all subsequent permitted traffic); TCP Flags=Reset]
Solution #1
RouterA(config)#access-list 101 permit tcp any any ack
RouterA(config)#access-list 101 permit tcp any any rst
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16. Inbound on Fast0/0: TCP Flags=ACK (all permitted traffic) and TCP Flags=Reset are permitted]
Solution #2
RouterA(config)#access-list 101 permit tcp any any established
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16. Inbound on Fast0/0: TCP Flags=ACK (all permitted traffic) and TCP Flags=Reset are permitted]
Reflexive Access-Lists (IP Session Filtering)
How would you do this?
» Network Engineers within the Corporate Intranet should be able to transmit any type of data to devices within the Testing Lab.
» If the Testing Lab is compromised, deny any devices from within the lab from initiating outbound sessions to the Corporate Intranet.
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16]
The Solution – Reflexive Access Lists
» Reflexive ACLs monitor for permitted, outgoing data of any type.
» Reflexive ACLs create a mirror-image of transmitted traffic which will be permitted upon return.
» Reflexive entries expire after a configurable timeout value.
[Diagram: Testing Lab, 200.1.1.1/30 | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet, 200.2.1.1]
1. ICMP Echo-Request from 200.2.1.1 to 200.1.1.1 (IP Protocol = 1)
2. Permit from 200.1.1.1 to 200.2.1.1 (IP Protocol = 1)
3. ICMP Echo-Response from 200.1.1.1 to 200.2.1.1 (IP Protocol = 1)
4. The reflexive entry expires after the timeout.
Reflexive ACL Configuration (1)
» Create a Named, Extended ACL for monitoring egress traffic from trusted sources.
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16]
RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror
(“Mirror” can be any name.)
Reflexive ACL Configuration (2)
» Create a Named, Extended ACL for monitoring ingress traffic from untrusted sources.
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16]
RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror
(“INGRESS” can be any name. The name after “evaluate” must match the name previously supplied after the “reflect” keyword.)
Reflexive ACL Configuration (3)
» Apply both ACLs to the interface facing untrusted networks.
[Diagram: Testing Lab | Router A, Fast0/0 200.1.199.1 /30 | Corporate Intranet; 200.1.x.x /16]
RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror
RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group EGRESS out
RouterA(config-if)#ip access-group INGRESS in
Reflexive ACL Timeout Values
» Reflexive ACLs have timeout values.
 A. Graceful TCP Close (2 segments seen with FIN flags): Timeout = 5 seconds
 B. TCP Reset: Timeout = immediate
 C. TCP packets no longer seen? Timeout = 300 seconds
 D. UDP, ICMP and all others? Timeout = 300 seconds after the last packet seen.
» Changing the timeout value.
 • Values for “A” and “B” above cannot be changed.
 • Values for “C” and “D” above can be changed per ACE or globally.
Configuring Timeout Values
» Modifying the global Reflexive ACL timeout value.
» Modifying the Reflexive timeout within ACE entries.
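A complete reflexive configuration for Router A that includes both timeout forms from the two slides above, as an added example rather than the slides' own screenshots. It keeps the page's names (EGRESS, INGRESS, Mirror) and interface, and assumes Fast0/0 faces the Testing Lab, which the page treats as the untrusted side. The per-ACE `timeout` overrides the global `ip reflexive-list timeout` for flows created by that ACE; the fixed TCP close (5 seconds) and reset (immediate) timers are not affected by either:

```cisco
! Added example (not the slides' configuration). Timeout values are
! illustrative choices, not recommendations from the course.
!
! Global timeout for reflexive entries (default is 300 seconds after
! the last packet); applies to any reflect ACE without its own timeout.
ip reflexive-list timeout 120
!
ip access-list extended EGRESS
 remark Intranet -> Lab; each permitted flow is mirrored into "Mirror"
 permit tcp any any reflect Mirror timeout 60
 permit udp any any reflect Mirror timeout 30
 remark ICMP inherits the global 120-second timeout
 permit icmp any any reflect Mirror
 deny ip any any log
!
ip access-list extended INGRESS
 remark Lab -> Intranet; only mirrored return flows pass
 evaluate Mirror
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group EGRESS out
 ip access-group INGRESS in
```

For the monitoring slides that follow, `show ip access-lists` (exec mode) prints the temporary entries under a “Reflexive IP access list Mirror” heading together with the time each has left; before any permitted outbound flow the list is empty. Because `evaluate` is ordered like any other ACE, anything placed above it in INGRESS is checked first, so keep explicit permits for lab-originated traffic (if any) deliberate and minimal.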
Monitoring Reflexive ACLs
»Before the dynamic entry is created by the reflexive ACL:
»After the Reflexive ACL entry is created:
Dynamic Access Lists “Lock and Key”
The Objective…
[Diagram: Corporate Intranet | Router A, Fast0/0 | Internet | Project-X Temporary Contractor]
» You’ve hired a contractor for the next 3 months to work on Project-X.
» This project requires that the contractor be allowed access to certain devices/subnets…but not others.
» Access should be denied after 5 minutes of inactivity, or an absolute timeout of 15 minutes.
Solution #1
[Diagram: Authentication Server | Router A, Fast0/0 | Internet | Project-X Temporary Contractor]
» Every authentication request offloaded to a central authentication database.
» Might require manual configuration of each device.
Solution #2 – Dynamic ACLs
1. User must first telnet to the router.
2. After successful authentication, the Telnet session is closed and a dynamic ACL is created on the interface.
3. The Dynamic ACL is removed from the interface after the configurable absolute-timeout (or idle-timeout) value.
[Diagram callouts from Router A – step 2: “I’ll allow that user to access those resources for 5-minutes!”; step 3: “15-minutes are up! User is no longer allowed!”]
Dynamic ACL Configuration (1)
username bob password 0 projX
username bob autocommand access-enable timeout 5
Or…
line vty 0 4
 autocommand access-enable timeout 5
Dynamic ACL Configuration (2)
access-list 101 dynamic Project timeout 15 permit ip any 2.4.0.0 0.0.0.255
access-list 101 permit tcp any host 1.1.1.1 eq telnet
!
line vty 0 4
 login local
(Named ACLs can also be used.)
Dynamic ACL Configuration (3)
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 1.2.1.1 255.255.255.252
!
Monitoring Dynamic ACLs
»Before the Dynamic ACL is applied…
»After successful authentication…
Clearing Dynamic ACL Entries
» If you ever need to manually delete a Dynamic ACL entry:
Extending Dynamic ACL Entries
» An IOS command allows users to extend the life of their Dynamic ACE by an additional 6 minutes.
Dynamic ACL Rules
» Cannot be used to provide different access rights to different users.
» Dynamic ACLs may use either an “idle-timeout” or an “absolute-timeout” value.
» “autocommand access-enable” may be configured either:
 • At the “username” level
 • Within the VTY line
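The slides' dynamic ACL configuration assembled into one piece, as an added example (not the course's own screenshots), with one addition worth knowing as a defender: the `host` keyword on `access-enable`. Without it, the temporary ACE is created exactly as written, with `any` as the source, so once one user authenticates every host behind Fast0/0 gets the access until the timer runs out; with `host`, IOS substitutes the authenticated session's source address. The `clear access-template` form is written from memory of the IOS syntax and should be checked against the running release:

```cisco
! Added example (not the slides' configuration). Addresses 1.1.1.1,
! 1.2.1.1 and 2.4.0.0/24, and the user "bob", are the slides' values.
username bob password 0 projX
! "host" limits the temporary ACE to the authenticated source address;
! "timeout 5" is the idle timeout in minutes.
username bob autocommand access-enable host timeout 5
!
! Dynamic ACE: absolute lifetime 15 minutes (timeout 15).
access-list 101 dynamic Project timeout 15 permit ip any 2.4.0.0 0.0.0.255
! The contractor must still be able to reach the router to authenticate.
access-list 101 permit tcp any host 1.1.1.1 eq telnet
!
line vty 0 4
 login local
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ip access-group 101 in
!
interface FastEthernet0/1
 ip address 1.2.1.1 255.255.255.252
!
! Exec-mode operations:
!  show ip access-lists 101
!      -> the temporary entry appears indented under the dynamic ACE
!  clear access-template 101 Project any 2.4.0.0 0.0.0.255
!      -> removes the temporary entry before its timers expire
!      (syntax recalled, not taken from the slides; verify with "?")
```

Because the authentication ride in on Telnet here, as on the slides, the password crosses the wire in cleartext; where the platform supports it the same `autocommand` works on an SSH session (`transport input ssh` on the VTYs, with the permit changed to port 22).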
Object Groups in IOS
Object Groups
» Originally designed for Cisco ASA Firewalls
» Command Syntax slightly different on IOS Routers than ASA Firewalls
» Object Groups simplify ACL management by grouping similar “objects” together.
 • E.g. Public_Web_Servers Group
» Allows for more modular changes
 • A change to an Object Group dynamically affects all ACEs referencing that group.
Types of Object Groups in Routers
» Cisco routers provide two types of Object Groups:
 • Network Group: For defining IP Address-related objects
 • Service Group: For defining Protocols and Ports
Simplification with Object Groups (1)
» From this…
[Diagram: sources 200.0.0.1 (OK!!), 200.0.0.2 (OK!!) and x.x.x.x (NO!!) → destinations 10.0.0.100 and 10.0.0.101]
Simplification with Object Groups (2)
» To this…
[Diagram: the same sources 200.0.0.1 (OK!!), 200.0.0.2 (OK!!), x.x.x.x (NO!!) → destinations 10.0.0.100 and 10.0.0.101, now expressed with object groups]
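The “from this / to this” transition on the two diagrams, written out as an added example (not the slides' configuration). The addresses are the diagram's; the assumption that the permitted service is web (TCP 80 and 443) is mine, since the slides do not name a port. The IOS syntax shown differs from the ASA's (`network-object host …`, `service-object …`), as the page notes:

```cisco
! Added example (not the slides' configuration). Ports 80/443 are an
! assumed service; hosts come from the diagram.
!
! From this: one ACE per source/destination/port combination
! (2 sources x 2 servers x 2 ports = 8 ACEs, all of which must be
! edited when a server or partner host is added).
ip access-list extended OLD_WAY
 permit tcp host 200.0.0.1 host 10.0.0.100 eq 80
 permit tcp host 200.0.0.1 host 10.0.0.100 eq 443
 permit tcp host 200.0.0.1 host 10.0.0.101 eq 80
 permit tcp host 200.0.0.1 host 10.0.0.101 eq 443
 permit tcp host 200.0.0.2 host 10.0.0.100 eq 80
 permit tcp host 200.0.0.2 host 10.0.0.100 eq 443
 permit tcp host 200.0.0.2 host 10.0.0.101 eq 80
 permit tcp host 200.0.0.2 host 10.0.0.101 eq 443
 deny ip any any
!
! To this: define each object once, reference it in a single ACE.
object-group network PARTNER_HOSTS
 host 200.0.0.1
 host 200.0.0.2
!
object-group network PUBLIC_WEB_SERVERS
 host 10.0.0.100
 host 10.0.0.101
!
object-group service WEB_SVC
 tcp eq 80
 tcp eq 443
!
ip access-list extended NEW_WAY
 permit object-group WEB_SVC object-group PARTNER_HOSTS object-group PUBLIC_WEB_SERVERS
 deny ip any any
!
interface FastEthernet0/0
 ip access-group NEW_WAY in
```

Adding a third web server is then one line (`host 10.0.0.102` under PUBLIC_WEB_SERVERS) and takes effect in NEW_WAY immediately; `show object-group` lists the groups and `show ip access-lists NEW_WAY` shows the single ACE with its aggregate match count.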
Time-Based Access-Lists
The Objective
» Employees should NOT be allowed to surf the Internet during work hours.
[Diagram: Corporate Intranet 2.2.x.x /16 | Router A, Fast0/0 | Internet]
The Solution: Time-Based ACLs
» Time-Based ACLs activate ACEs during times you define.
» Times are defined within a global “time-range”.
» May be periodic or absolute.
[Diagram: Corporate Intranet 2.2.x.x /16 | Router A, Fast0/0 | Internet]
Time-Based ACL Configuration (1)
» Ensure your router/switch has an accurate clock:
» Create a global time-range:
Time-Based ACL Configuration (2)
» Decide on either absolute or periodic
Time-Based ACL Configuration (3)
» Complete the command by defining the time interval(s)
» Apply the time-range to your ACL
Monitoring Time-Based ACLs
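The three configuration slides and the monitoring slide carried through for the objective above (no web surfing from 2.2.x.x /16 during work hours), as an added example rather than the course's own screenshots. The NTP server address and the absolute dates are constructed; the time-range and ACL names are mine. Fast0/0 is taken to face the Internet, as on the diagram, so the ACL is applied outbound there:

```cisco
! Added example (not the slides' configuration). 192.0.2.123 and the
! June 2018 window are constructed values.
!
! 1. Accurate clock: time-ranges are judged against the router clock.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.123
!
! 2. Global time-range, periodic form (repeats every week)
time-range WORK_HOURS
 periodic weekdays 8:00 to 17:00
!
!    Absolute form, for a one-off window (start and end are optional;
!    omitting one leaves that side open-ended)
time-range PROJECT_FREEZE
 absolute start 00:00 1 June 2018 end 23:59 30 June 2018
!
! 3. Apply the time-range to the ACE; outside the range the ACE is
!    inactive and the packet falls through to the following entries.
ip access-list extended NO_SURFING
 deny   tcp 2.2.0.0 0.0.255.255 any eq www time-range WORK_HOURS
 deny   tcp 2.2.0.0 0.0.255.255 any eq 443 time-range WORK_HOURS
 permit ip any any
!
interface FastEthernet0/0
 ip access-group NO_SURFING out
!
! Monitoring (exec mode):
!  show clock            -> the clock the ranges are evaluated against
!  show time-range       -> each range with its current active/inactive state
!  show ip access-lists  -> time-range ACEs are tagged (active) or (inactive)
```

The two `deny` lines only ever block during WORK_HOURS; a wrong clock (no NTP, wrong time zone) silently turns the policy on or off at the wrong hours, which is why the clock check is step 1.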
Access-List Logging
Logging
» ACE entries can be appended with Logging-related keywords:
 • access-list x ………….log
 • access-list x …………..log-input
» Logging allows for Syslogs to be displayed providing hit-counts and evidence of ACL activity.
» Logging forces packets matching ACE entries to be process-switched = increased CPU load.
Log and Log-Input
access-list 101 permit icmp any host 22.22.22.22 log
access-list 101 permit icmp any host 22.22.22.22 log-input
access-list 101 xxxxxxxxxxx log-input EmailServer
(“EmailServer” is an optional “cookie” appended to the log keyword.)
How often is logging displayed? (1)
» Individual ACEs can have the “log” or “log-input” keywords.
» When an ACL is applied to an interface, syslogs are generated:
 • Once every 5 minutes for packets matching a particular ACE.
 • If any log-enabled ACE in any ACL on any interface matches a packet within one second of the initial log message, the match or matches are counted for five minutes and then reported.
How often is logging displayed? (2)
[Timeline diagram: initial ACE#1 match → Syslog for ACE#1; ACE#2 match and ACE#3 match within 1-second → Syslog for ACE#2 and Syslog for ACE#3; ACE#1 match #2, ACE#1 match #3, ACE#1 match #4 are counted; after 5-minutes → Syslog for ACE#1 reporting the count]
Decreasing the Log Interval
» If you want logs for ACEs to be displayed MORE frequently than every 5 minutes…it can be done.
» Use caution…this INCREASES the CPU load.
Save my CPU!!!
» Even though logs for individual ACEs are only displayed every 5 minutes…EVERY packet that matches the ACE must be process-switched.
» This can result in heavy CPU load.
» How to reduce this?
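The logging keywords from the slides together with the two global IOS knobs that answer the last two slides, as an added example (the slides' own screenshots are not on the page, so the mapping of each command to its slide is my reading of the IOS behaviour, not the course's text). `ip access-list log-update threshold` makes the 5-minute summary appear sooner, after a set number of matches, which is the “more frequently” case; `ip access-list logging interval` limits how many matching packets are process-switched for logging per interval, which is the “save my CPU” case. The ACL lines reuse the slides' host 22.22.22.22 and the “EmailServer” cookie:

```cisco
! Added example (not the slides' configuration).
!
! "log" records the match; "log-input" adds the ingress interface and
! source MAC; the trailing word is the optional cookie echoed in the
! syslog so the entry can be identified at a glance.
access-list 101 permit icmp any host 22.22.22.22 log-input EmailServer
access-list 101 deny   ip any any log DROPPED
!
! Decreasing the log interval: emit the summary syslog after every 50
! matches instead of waiting for the 5-minute interval (more syslogs,
! more CPU).
ip access-list log-update threshold 50
!
! Save my CPU: process-switch at most one log-triggering packet per
! interval (milliseconds); other matching packets take the normal
! switching path. 1000 ms = one logged packet per second per ACE.
ip access-list logging interval 1000
!
! Second safety net on the syslog side: cap messages per second so a
! flood of ACL hits cannot starve the console or the buffer.
logging rate-limit 10
!
interface FastEthernet0/0
 ip access-group 101 in
```

Pick the interval before enabling `log` on a busy ACE, not after: the CPU cost is paid per matching packet, and an unthrottled `deny ip any any log` on an Internet-facing interface is a well-known way to turn a port scan into a self-inflicted outage.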
Filtering on log output (1)
» ACL syslogs have different identifiers depending on the type of traffic that triggered the log.
Filtering on log output (2)
» When sending ACL Syslogs to the logging buffer, one can filter on these identifiers.
Filtering on log output (3)
» From this (yuck!!)…
Filtering on log output (4)
» To this (YAY!!)…
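The filter behind the “from this / to this” slides, written out as an added example (not the course's own screenshot). The identifiers the slides refer to are the syslog mnemonics IOS puts on ACL messages; the ones listed in the comments are the standard set, while the discriminator names are mine:

```cisco
! Added example (not the slides' configuration). Discriminator names
! ACL_ONLY and ICMP_ONLY are chosen here.
!
! ACL syslog mnemonics (the identifiers that differ by traffic type):
!   IPACCESSLOGP   TCP/UDP matches (ports included)
!   IPACCESSLOGDP  ICMP matches (type/code included)
!   IPACCESSLOGNP  other IP protocols
!   IPACCESSLOGS   standard ACL matches
!   IPACCESSLOGRL  notice that ACL logging was rate-limited
!
! Keep only ACL messages of any type: the common prefix matches all five.
logging discriminator ACL_ONLY mnemonics includes IPACCESSLOG
!
! Keep only the ICMP variant (useful when one noisy type floods the
! buffer and hides the rest).
logging discriminator ICMP_ONLY mnemonics includes IPACCESSLOGDP
!
! Attach a discriminator to the logging buffer ("to this" view).
logging buffered 65536 informational
logging buffered discriminator ACL_ONLY
!
! The same discriminator can be attached to a syslog host instead:
!  logging host 192.0.2.50 discriminator ACL_ONLY   (constructed address)
!
! show logging then names the active discriminator above the buffer
! and shows only the messages that passed it.
```

`includes`/`drops` take a regular expression, so a single discriminator can also exclude one cookie or one source interface; because the discriminator is evaluated per destination (buffer, host, console), a noisy ACL can be filtered out of the buffer while still being forwarded in full to the collector that feeds detection.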
Copyright © INE Inc. All rights reserved.
Q&A