Post on 03-Jan-2016
transcript
CIT 384: Network Administration Slide #2
Topics
1. Access Lists
2. Wildcard Masks
3. Standard ACLs
4. Extended ACLs
5. Examples
6. Named ACLs
7. Reflexive ACLs
CIT 384: Network Administration Slide #3
Access Control Lists
ACLs cause routers to filter packets– Packets specified by IP address, protocol, etc.– Used to protect network from attacks.
CIT 384: Network Administration Slide #4
What You Can Do
Filter packets based on: IP address packet is coming from IP address packet is going to Network protocol (ICMP, TCP, BGP, etc.) TCP/UDP port packet is coming from TCP/UDP port packet is going to TCP flags (SYN,ACK,RST,etc.) set in packet
CIT 384: Network Administration Slide #5
What You Can Do
Using packet filtering you can: Prevent any outside IP address from connecting
to the telnet port on any of your networks. Allow certain IP addresses to connect to the ssh
port on a single server on your network. Allow anyone to connect via HTTP or HTTPS to
your web server.
CIT 384: Network Administration Slide #6
What You Can’t Do
Basic packet filtering isn’t powerful enough to: Specify which users can login via telnet from the
outside. Limit which files can be transferred out of your
network. Prevent people from tunneling IM protocols over
outbound HTTP connections.
CIT 384: Network Administration Slide #7
Where Can ACLs Be Used
On each interfaceinbound: before routing decisions
outbound: after reouting decisions
CIT 384: Network Administration Slide #8
Wildcard Masks
Wildcard masks– Define portion of IP address to be ignored.
– 0s for matching bits, 1s for wildcard bits
– Logical inverse of a subnet mask
Wildcard Mask Binary Description
0.0.0.0 00000000.00000000.00000000.00000000 Entire IP must match
0.0.0.255 00000000.00000000.00000000.11111111 1st 24 bits must match
0.0.15.255 00000000.00000000.00001111.11111111 1st 20 bits must match
0.0.3.255 00000000.00000000.00000011.11111111 1st 22 bits must match
CIT 384: Network Administration Slide #9
Computing Wildcard Masks
Take network address + netmask to block 172.16.8.0 255.255.252.0
Subtract subnet mask from 255.255.255.255 255.255.255.255
- 255.255.252.0
0. 0. 3.255
CIT 384: Network Administration Slide #10
Types of Cisco ACLs
Standard ACLsFilter based on source IP address.
Extended ACLsFilter based on source + destination IP address.Filter based on protocol and port information.
Time-based ACLsFilter based on date and time.
Context-based ACLsStateful packet filtering with dynamic ACLs
CIT 384: Network Administration Slide #11
Access List Numbering
Numeric Range Access List Type
1-99 Standard ACLs
100-199 Extended ACLs
200-299 Ethernet Type Code
700-799 Transparent Bridging
1100-1199 Extended Transparent
1300-1999 Standard ACLs
2000-2699 Extended ACLs
2700-2999 SS7 (voice) ACLs
CIT 384: Network Administration Slide #12
Standard ACLsaccess-list # action source [wildcard_mask]
access-list 1 remark Stop traffic from Bob.
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
interface fa0/1
ip address 172.16.1.1 255.255.255.0
ip access-group 1 outBob
172.16.3.10fa0/0
172.16.3.0/24
fa0/1
172.16.1.0/24
CIT 384: Network Administration Slide #13
Standard ACLs
access-list 1 remark Stop traffic from Bob.
access-list 1 deny host 172.16.3.10
access-list 1 permit any
interface fa0/1
ip address 172.16.1.1 255.255.255.0
ip access-group 1 out
Bob
172.16.3.10fa0/0
172.16.3.0/24
fa0/1
172.16.1.0/24
CIT 384: Network Administration Slide #14
Extended ACLs
access-list # action protocol source [source_wildcard] [s-port] destination [dest_wildcard] [d-port] [precedence #] [tos #] [established]
access-list 101 remark Stop A from telneting to B.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface fa0/0
ip access-group 101 infa0/0 fa0/1
A B
CIT 384: Network Administration Slide #15
Specifying Ports
lt nAll ports less than n
gt nAll ports greater than n
eq nPort n
neq nAll ports except for n
range n mAll ports from n through m, inclusive.
CIT 384: Network Administration Slide #16
established keywordUsed to matched established TCP connections
– Matches packets with either ACK or RST set.
– Only 1st TCP packet does not have these flags.
– Used to allow response packets to outgoing connections.
access-list 110 permit tcp any any established access-list 110 deny ip any any access-list 111 permit tcp any any eq telnet access-list 111 deny ip any any interface fa0/0 access-group 110 in access-group 111 out
CIT 384: Network Administration Slide #17
ACL Processing
Access lists processed sequentially1. If rule matches, permit or deny action is taken.
2. If not, processing goes on to next list.
3. Last entry typically permit or denies any.
4. Router adds a deny all to the end of all ACLs.
For best perf, place most used entries at top.
CIT 384: Network Administration Slide #18
Example: outbound telnet
Client on internal net telnets to external server.– Must allow outgoing packets to send commands.– Must allow incoming packets to receive
responses.
CIT 384: Network Administration Slide #19
Outgoing Packets Source IP of packets is client’s IP address. Dest IP of packets is server’s IP address. Protocol type is TCP. TCP destination port is 23. TCP source port is a random port X >1023. 1st outgoing packet will establish connect with SYN flag set. Remaining outgoing packets will have ACK flag set.
CIT 384: Network Administration Slide #20
Incoming Packets Source IP of packets is server’s IP address. Dest IP of packets is client’s IP address. Protocol type is TCP. TCP source port is 23. TCP destination port is same random port X >1023. All incoming packets will have ACK flag set.
CIT 384: Network Administration Slide #21
Example: outbound telnet
Dir Src Dest Proto S.Port D.Port ACK? Action
Out Int Any TCP >1023 23 Either Accept
In Any Int TCP 23 >1023 Yes Accept
Either Any Any Any Any Any Either Deny
1. Rule allows outgoing telnet packets.
2. Rule allows response packets back in.
3. Rule denies all else, following Principle of Fail-Safe Defaults.
CIT 384: Network Administration Slide #22
Example: outbound telnetaccess-list 110 permit tcp any gt 1023 any eq telnet access-list 110 deny ip any any access-list 111 permit tcp any eq telnet any gt 1023 established access-list 111 deny ip any any interface fa0/1 access-group 110 out access-group 111 in
CIT 384: Network Administration Slide #23
Preventing IP SpoofingMust occur on Internet gateway router. Incoming packets from your IP range are spoofed. Or there’s an unexpected egress to your network.
! ACL to block IP address spoofing
access-list 111 deny ip 170.170.7.0 0.0.0.255 any
access-list 111 permit ip any any
! Internet interface; to block spoofing
interface serial0
ip access-group 111 in
CIT 384: Network Administration Slide #24
Editing Access Lists
Adding a new lineaccess list 1 deny host 10.10.10.1
Added to end of ACL (before implicit deny)
Any other modification1. Create access list with new number
2. Change interface to use new ACL
3. Delete old ACL (no access list 1)
4. Create copy of new ACL with old number
5. Change interface to use old ACL #
6. Delete new ACL #
CIT 384: Network Administration Slide #25
Named ACLsAdvantages
– Use names to identify purpose of ACLs.– Can insert, delete, and modify entries in ACL.
Router(config)#ip access-list extended barneyRouter(config-ext-nacl)#permit tcp host 10.1.1.2 eq www anyRouter(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255! The next statement is purposefully wrong so that the process of changing! the list can be seen.Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2Router(config-ext-nacl)#permit ip any anyRouter(config-ext-nacl)#interface serial
CIT 384: Network Administration Slide #26
Editing Named ACLsRouter(config)#ip access-list extended barneyRouter(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255Router(config-ext-nacl)#^ZRouter#show access-listExtended IP access list barney 10 permit tcp host 10.1.1.2 eq www any 20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255 30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 50 deny ip host 10.1.1.130 host 10.1.3.2 60 deny ip host 10.1.1.28 host 10.1.3.2 70 permit ip any any
Note that no 40 would have performed the same deletion.
CIT 384: Network Administration Slide #27
Applying ACLs to Lines
Use access-class instead of access-group
line vty 0 4
login
password cisco
access-class 10 in
CIT 384: Network Administration Slide #28
Reflexive ACLs
Allow creation of dynamic ACLs.– Outbound list creates entries in temporary ACL– Inbound list filters based on temporary ACL
Use to manage user sessions– Opens filter for response packets to connection.– Unlike established, only opens filter for packets
that are responses to current sessions.– Established always allows ACK|RST from any IP– Reflexive entries timeout if no traffic for 300s.
CIT 384: Network Administration Slide #29
Reflexive ACLs
Outbound Listip access-list extended outlist ! Allow all and add to reflexive list tmplist permit tcp any any reflect tmplist
Inbound Listip access-list extended inlist ! allow TCP port 80 to internal web server permit tcp any host 10.10.10.1 eq www ! evaluate temporary reflexive list created by outlist evaluate tmplist ! deny anything that reaches this point deny ip any any
CIT 384: Network Administration Slide #30
Logging ACL Use
Use log keyword to log usage of ACL.
Router1(config)# access-list 120 permit ip any any log
Router1(config)# interface fa0/1
Router1(config-if)# ip access-group 150 in
Apr 6 20:33:17: %SEC-6-IPACCESSLOGRP: list 120 permitted ospf 1.1.1.1 -> 224.0.0.5, 9 packets
Apr 6 20:33:17: %SEC-6-IPACCESSLOGDP: list 120 permitted
icmp 1.1.1.1 -> 1.1.1.2 (0/0), 4 packets
CIT 384: Network Administration Slide #31
References1. James Boney, Cisco IOS in a Nutshell, 2nd edition,
O’Reilly, 2005. 2. D. Brent Chapman, Simon Cooper, and Elizabeth D.
Zwicky, Building Internet Firewalls, 2nd edition, O’Reilly, 2000.
3. Cisco, Cisco Connection Documentation, http://www.cisco.com/univercd/home/home.htm
4. Cisco, Internetworking Basics, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/introint.htm
5. Gary A. Donahue, Network Warrior, O’Reilly, 2007.6. Wendell Odom, CCNA Official Exam Certification
Library, 3rd edition, Cisco Press, 2007.7. Jeff Sedayao, Cisco IOS Access Lists, O’Reilly, 2001.