Date post: 03-Jan-2016
Upload: pamela-black
CIT 384: Network Administration Slide #1

CIT 384: Network Administration

Access Lists

Slide #2

Topics

1. Access Lists

2. Wildcard Masks

3. Standard ACLs

4. Extended ACLs

5. Examples

6. Named ACLs

7. Reflexive ACLs

Slide #3

Access Control Lists

ACLs cause routers to filter packets
– Packets specified by IP address, protocol, etc.
– Used to protect network from attacks.

Slide #4

What You Can Do

Filter packets based on:
– IP address packet is coming from
– IP address packet is going to
– Network protocol (ICMP, TCP, BGP, etc.)
– TCP/UDP port packet is coming from
– TCP/UDP port packet is going to
– TCP flags (SYN, ACK, RST, etc.) set in packet

Slide #5

What You Can Do

Using packet filtering you can:
– Prevent any outside IP address from connecting to the telnet port on any of your networks.
– Allow certain IP addresses to connect to the ssh port on a single server on your network.
– Allow anyone to connect via HTTP or HTTPS to your web server.

Slide #6

What You Can’t Do

Basic packet filtering isn’t powerful enough to:
– Specify which users can log in via telnet from the outside.
– Limit which files can be transferred out of your network.
– Prevent people from tunneling IM protocols over outbound HTTP connections.

Slide #7

Where Can ACLs Be Used

On each interface:
– inbound: before routing decisions
– outbound: after routing decisions

Slide #8

Wildcard Masks

Wildcard masks
– Define portion of IP address to be ignored.
– 0s for matching bits, 1s for wildcard bits
– Logical inverse of a subnet mask

Wildcard Mask   Binary                               Description
0.0.0.0         00000000.00000000.00000000.00000000  Entire IP must match
0.0.0.255       00000000.00000000.00000000.11111111  1st 24 bits must match
0.0.15.255      00000000.00000000.00001111.11111111  1st 20 bits must match
0.0.3.255       00000000.00000000.00000011.11111111  1st 22 bits must match

Slide #9

Computing Wildcard Masks

Take the network address + netmask to block: 172.16.8.0 255.255.252.0

Subtract the subnet mask from 255.255.255.255:

  255.255.255.255
- 255.255.252.  0
-----------------
    0.  0.  3.255
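The subtraction on slides 8 and 9 done in code, as an added example that is not part of the slides: it derives a wildcard mask from a subnet mask or prefix length, counts the fixed bits shown in slide 8's Description column, and applies the mask the way an ACL entry does. The sample addresses are constructed.

```python
# Added example (not from the slides): Cisco wildcard masks as slide 9 computes them
# (255.255.255.255 minus the subnet mask), plus the match test an ACL entry performs.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_from_netmask(netmask: str) -> str:
    """255.255.252.0 -> 0.0.3.255 (bitwise inverse of the subnet mask)."""
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))

def wildcard_from_prefix(prefix_len: int) -> str:
    """/22 -> 0.0.3.255, starting from a prefix length instead of a dotted mask."""
    netmask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_netmask(str(netmask))

def fixed_bits(wildcard: str) -> int:
    """Leading bits that must match: 0.0.3.255 -> 22 (assumes a contiguous wildcard)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 32 - w.bit_length()

def acl_match(address: str, network: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard agrees between address and network.
    Bits that are 1 in the wildcard are ignored, which is what
    'deny 172.16.8.0 0.0.3.255' does on a router."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))   # bits the entry compares
    return (a & care) == (n & care)

if __name__ == "__main__":
    wc = wildcard_from_netmask("255.255.252.0")              # slide 9's example
    print(wc, fixed_bits(wc))                                # 0.0.3.255 22
    # 172.16.11.200 is inside 172.16.8.0/22, 172.16.12.1 is not (constructed addresses)
    print(acl_match("172.16.11.200", "172.16.8.0", wc), acl_match("172.16.12.1", "172.16.8.0", wc))
```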

Slide #10

Types of Cisco ACLs

Standard ACLs: Filter based on source IP address.

Extended ACLs: Filter based on source + destination IP address. Filter based on protocol and port information.

Time-based ACLs: Filter based on date and time.

Context-based ACLs: Stateful packet filtering with dynamic ACLs.

Slide #11

Access List Numbering

Numeric Range   Access List Type
1-99            Standard ACLs
100-199         Extended ACLs
200-299         Ethernet Type Code
700-799         Transparent Bridging
1100-1199       Extended Transparent Bridging
1300-1999       Standard ACLs
2000-2699       Extended ACLs
2700-2999       SS7 (voice) ACLs

Slide #12

Standard ACLs

access-list # action source [wildcard_mask]

access-list 1 remark Stop traffic from Bob.
access-list 1 deny 172.16.3.10 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
interface fa0/1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 1 out

(Diagram: Bob at 172.16.3.10 on network 172.16.3.0/24, reached through fa0/0; fa0/1 attaches network 172.16.1.0/24.)

Slide #13

Standard ACLs

access-list 1 remark Stop traffic from Bob.
access-list 1 deny host 172.16.3.10
access-list 1 permit any
interface fa0/1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 1 out

(Diagram: Bob at 172.16.3.10 on network 172.16.3.0/24, reached through fa0/0; fa0/1 attaches network 172.16.1.0/24.)

Slide #14

Extended ACLs

access-list # action protocol source [source_wildcard] [s-port] destination [dest_wildcard] [d-port] [precedence #] [tos #] [established]

access-list 101 remark Stop A from telneting to B.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
interface fa0/0
 ip access-group 101 in

(Diagram: host A attached through fa0/0, host B through fa0/1.)

Slide #15

Specifying Ports

lt n        All ports less than n
gt n        All ports greater than n
eq n        Port n
neq n       All ports except for n
range n m   All ports from n through m, inclusive.

Slide #16

established keyword

Used to match established TCP connections
– Matches packets with either ACK or RST set.
– Only the 1st TCP packet (the SYN) does not have these flags.
– Used to allow response packets to outgoing connections.

access-list 110 permit tcp any any established
access-list 110 deny ip any any
access-list 111 permit tcp any any eq telnet
access-list 111 deny ip any any
interface fa0/0
 ip access-group 110 in
 ip access-group 111 out

Slide #17

ACL Processing

Access lists are processed sequentially:
1. If a rule matches, its permit or deny action is taken.
2. If not, processing goes on to the next entry in the list.
3. The last entry typically permits or denies any.
4. The router adds an implicit deny all to the end of every ACL.

For best performance, place the most-used entries at the top.

Slide #18

Example: outbound telnet

Client on internal net telnets to external server.
– Must allow outgoing packets to send commands.
– Must allow incoming packets to receive responses.

Slide #19

Outgoing Packets
– Source IP of packets is client’s IP address.
– Dest IP of packets is server’s IP address.
– Protocol type is TCP.
– TCP destination port is 23.
– TCP source port is a random port X > 1023.
– 1st outgoing packet will establish the connection with the SYN flag set.
– Remaining outgoing packets will have the ACK flag set.

Slide #20

Incoming Packets
– Source IP of packets is server’s IP address.
– Dest IP of packets is client’s IP address.
– Protocol type is TCP.
– TCP source port is 23.
– TCP destination port is the same random port X > 1023.
– All incoming packets will have the ACK flag set.

Slide #21

Example: outbound telnet

Dir     Src   Dest  Proto  S.Port  D.Port  ACK?    Action
Out     Int   Any   TCP    >1023   23      Either  Accept
In      Any   Int   TCP    23      >1023   Yes     Accept
Either  Any   Any   Any    Any     Any     Either  Deny

1. Rule allows outgoing telnet packets.
2. Rule allows response packets back in.
3. Rule denies all else, following the Principle of Fail-Safe Defaults.

Slide #22

Example: outbound telnet

access-list 110 permit tcp any gt 1023 any eq telnet
access-list 110 deny ip any any
access-list 111 permit tcp any eq telnet any gt 1023 established
access-list 111 deny ip any any
interface fa0/1
 ip access-group 110 out
 ip access-group 111 in
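A small evaluator for the ACL syntax used on these slides, added here as an example that is not part of the slides or of Cisco IOS: it implements the first-match rule and implicit deny from slide 17, the port operators from slide 15 and the established keyword from slide 16, then runs the slide-22 lists against the three packet types of slides 19 through 21. Client and server addresses, the ephemeral port and the packet dictionaries are constructed.

```python
# Added example, not code from the slides: evaluator for the extended-ACL syntax on
# this page, using slide 17's first-match rule plus the implicit deny; the telnet
# demo runs the slide-22 lists with constructed addresses and ports.
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80}     # port names used on the slides
OPS = {"eq": lambda p, a, b: p == a, "neq": lambda p, a, b: p != a, "gt": lambda p, a, b: p > a,
       "lt": lambda p, a, b: p < a, "range": lambda p, a, b: a <= p <= b}

def _ip(s): return int(ipaddress.IPv4Address(s))
def _num(t): return PORT_NAMES.get(t) or int(t)

def _addr(t, i):  # any | host A | A WILDCARD  ->  ((net, wildcard), next index)
    if t[i] == "any": return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host": return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):  # optional eq/neq/gt/lt N or range N M  ->  (predicate, next index)
    if i >= len(t) or t[i] not in OPS: return (lambda p: True), i
    op, a = OPS[t[i]], _num(t[i + 1])
    b = _num(t[i + 2]) if t[i] == "range" else a
    return (lambda p: op(p, a, b)), i + (3 if t[i] == "range" else 2)

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [op] DST [op] [established]' lines."""
    entries = []
    for t in (line.split() for line in text.strip().splitlines()):
        if t[2] == "remark": continue             # remarks are documentation only
        src, i = _addr(t, 4); sport, i = _port(t, i)
        dst, i = _addr(t, i); dport, i = _port(t, i)
        entries.append((t[2], t[3], src, sport, dst, dport, "established" in t[i:]))
    return entries

def evaluate(entries, pkt):
    """First matching entry decides; falling off the end is the router's implicit deny."""
    hit = lambda nw, ip: (ip | nw[1]) == (nw[0] | nw[1])   # bits set in the wildcard are ignored
    for action, proto, src, sport, dst, dport, est in entries:
        if (proto in ("ip", pkt["proto"]) and hit(src, _ip(pkt["src"])) and hit(dst, _ip(pkt["dst"]))
                and sport(pkt["sport"]) and dport(pkt["dport"]) and (not est or pkt["ack"] or pkt["rst"])):
            return action
    return "deny"

ACL_110 = "access-list 110 permit tcp any gt 1023 any eq telnet\naccess-list 110 deny ip any any"
ACL_111 = "access-list 111 permit tcp any eq telnet any gt 1023 established\naccess-list 111 deny ip any any"
def telnet_demo():
    """Client SYN outbound, the server's reply inbound, and an inbound SYN that must be dropped."""
    pkt = lambda s, d, sp, dp, ack: dict(proto="tcp", src=s, dst=d, sport=sp, dport=dp, ack=ack, rst=False)
    client, server = "172.16.1.10", "198.51.100.5"   # constructed: internal client, external server
    return (evaluate(parse_acl(ACL_110), pkt(client, server, 40000, 23, False)),
            evaluate(parse_acl(ACL_111), pkt(server, client, 23, 40000, True)),
            evaluate(parse_acl(ACL_111), pkt(server, client, 23, 40000, False)))
```

telnet_demo() returns ("permit", "permit", "deny"): the outbound SYN and the ACK-bearing reply pass, while an inbound SYN to the same port pair falls through to the deny entry.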

Slide #23

Preventing IP Spoofing

Must occur on the Internet gateway router. Incoming packets with a source address in your own IP range are spoofed, or there is an unexpected alternate path into your network.

! ACL to block IP address spoofing
access-list 111 deny ip 170.170.7.0 0.0.0.255 any
access-list 111 permit ip any any
! Internet interface; to block spoofing
interface serial0
 ip access-group 111 in

Slide #24

Editing Access Lists

Adding a new line: access-list 1 deny host 10.10.10.1
– Added to end of ACL (before implicit deny)

Any other modification:
1. Create access list with new number
2. Change interface to use new ACL
3. Delete old ACL (no access-list 1)
4. Create copy of new ACL with old number
5. Change interface to use old ACL #
6. Delete new ACL #

Slide #25

Named ACLs

Advantages
– Use names to identify purpose of ACLs.
– Can insert, delete, and modify entries in ACL.

Router(config)#ip access-list extended barney
Router(config-ext-nacl)#permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)#deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)#deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
! The next statement is purposefully wrong so that the process of changing
! the list can be seen.
Router(config-ext-nacl)#deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#deny ip host 10.1.1.130 host 10.1.3.2
Router(config-ext-nacl)#deny ip host 10.1.1.28 host 10.1.3.2
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#interface serial

Slide #26

Editing Named ACLs

Router(config)#ip access-list extended barney
Router(config-ext-nacl)#no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)#^Z
Router#show access-list
Extended IP access list barney
    10 permit tcp host 10.1.1.2 eq www any
    20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
    30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
    50 deny ip host 10.1.1.130 host 10.1.3.2
    60 deny ip host 10.1.1.28 host 10.1.3.2
    70 permit ip any any

Note that "no 40" would have performed the same deletion.

Slide #27

Applying ACLs to Lines

Use access-class instead of access-group

line vty 0 4

login

password cisco

access-class 10 in

Slide #28

Reflexive ACLs

Allow creation of dynamic ACLs.
– Outbound list creates entries in temporary ACL
– Inbound list filters based on temporary ACL

Use to manage user sessions
– Opens filter for response packets to connection.
– Unlike established, only opens filter for packets that are responses to current sessions.
– Established always allows ACK|RST from any IP
– Reflexive entries time out if no traffic for 300s.

Slide #29

Reflexive ACLs

Outbound List
ip access-list extended outlist
 ! Allow all and add to reflexive list tmplist
 permit tcp any any reflect tmplist

Inbound List
ip access-list extended inlist
 ! allow TCP port 80 to internal web server
 permit tcp any host 10.10.10.1 eq www
 ! evaluate temporary reflexive list created by outlist
 evaluate tmplist
 ! deny anything that reaches this point
 deny ip any any
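The difference slide 28 draws between a reflexive list and the established keyword, as an added example that is not part of the slides: a table that the outbound reflect entry fills with the mirror image of each session and the inbound evaluate entry consults, with the 300 s idle timeout, beside a one-line model of established. The client, server and outsider addresses, ports and clock values are constructed.

```python
# Added example, not code from the slides: a model of slide 28/29's reflexive list
# ('reflect tmplist' outbound, 'evaluate tmplist' inbound, 300 s idle timeout) beside
# the 'established' keyword, to show why only the reflexive list refuses a forged ACK.
# Addresses, ports and clock values are constructed test data.
IDLE_TIMEOUT = 300   # seconds without traffic before a reflexive entry is dropped (slide 28)

class ReflexiveList:
    def __init__(self):
        self.entries = {}   # (proto, src, sport, dst, dport) of the expected reply -> last seen

    def reflect(self, pkt, now):
        """Outbound list: permit the packet and record its mirror image as a temporary entry."""
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        self.entries[key] = now
        return "permit"

    def evaluate(self, pkt, now):
        """Inbound list: permit only packets that are replies to a session still in the table."""
        self.entries = {k: t for k, t in self.entries.items() if now - t < IDLE_TIMEOUT}
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.entries:
            return "deny"
        self.entries[key] = now      # any matching traffic refreshes the idle timer
        return "permit"

def established_permits(pkt):
    """What 'permit tcp any any established' does: ACK or RST from any IP passes."""
    return "permit" if pkt["proto"] == "tcp" and (pkt["ack"] or pkt["rst"]) else "deny"

def compare_demo():
    """Return (real reply via reflexive, forged ACK via reflexive, forged ACK via established,
    real reply after the idle timeout)."""
    pkt = lambda s, d, sp, dp, ack: dict(proto="tcp", src=s, dst=d, sport=sp, dport=dp, ack=ack, rst=False)
    client, server, outsider = "10.10.10.20", "198.51.100.5", "203.0.113.9"
    r = ReflexiveList()
    r.reflect(pkt(client, server, 40000, 23, False), now=0)            # client's outbound SYN
    reply = r.evaluate(pkt(server, client, 23, 40000, True), now=1)    # genuine SYN/ACK from server
    forged = pkt(outsider, client, 23, 40000, True)                    # unsolicited ACK, wrong source
    late = pkt(server, client, 23, 40000, True)
    return (reply, r.evaluate(forged, now=2), established_permits(forged),
            r.evaluate(late, now=2 + IDLE_TIMEOUT))
```

compare_demo() returns ("permit", "deny", "permit", "deny"): established accepts the unsolicited ACK that the reflexive table rejects, and the table entry itself disappears once the session has been idle for 300 s.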

Slide #30

Logging ACL Use

Use the log keyword to log usage of an ACL.

Router1(config)# access-list 120 permit ip any any log
Router1(config)# interface fa0/1
Router1(config-if)# ip access-group 120 in

Apr 6 20:33:17: %SEC-6-IPACCESSLOGRP: list 120 permitted ospf 1.1.1.1 -> 224.0.0.5, 9 packets
Apr 6 20:33:17: %SEC-6-IPACCESSLOGDP: list 120 permitted icmp 1.1.1.1 -> 1.1.1.2 (0/0), 4 packets
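A parser for the two log message shapes shown above, added here as an example that is not part of the slides: it turns each %SEC-6-IPACCESSLOG line into a record and totals packets per list, action, protocol and source, so that hits on a deny entry such as the anti-spoofing list of slide 23 can be reviewed. The sample log lines, including the denied one, are constructed in the same format.

```python
# Added example, not code from the slides: parse the %SEC-6-IPACCESSLOG* messages
# that the 'log' keyword emits (the two message shapes shown on slide 30) and
# total packets per list, action, protocol and source, so that a deny from the
# spoofing list of slide 23 is easy to spot. The log lines are constructed samples.
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-(?P<msg>IPACCESSLOG\w+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<packets>\d+) packets?")

def parse_acl_log(line):
    """One syslog line -> dict, or None for lines that are not ACL log messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["packets"] = int(rec["packets"])
    return rec

# Constructed samples in the slide-30 format; the third mimics the slide-23 anti-spoofing list
# (170.170.7.0/24 is the site's own range there) rejecting a packet arriving from the Internet.
SAMPLE_LOG = """Apr 6 20:33:17: %SEC-6-IPACCESSLOGRP: list 120 permitted ospf 1.1.1.1 -> 224.0.0.5, 9 packets
Apr 6 20:33:17: %SEC-6-IPACCESSLOGDP: list 120 permitted icmp 1.1.1.1 -> 1.1.1.2 (0/0), 4 packets
Apr 6 20:34:02: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 170.170.7.25 -> 1.1.1.2 (8/0), 12 packets
Apr 6 20:34:05: %SYS-5-CONFIG_I: Configured from console by console"""

def summarize(text):
    """Counter keyed by (list, action, proto, src) -> total packets."""
    totals = Counter()
    for rec in filter(None, map(parse_acl_log, text.splitlines())):
        totals[(rec["acl"], rec["action"], rec["proto"], rec["src"])] += rec["packets"]
    return totals

def denied_sources(text):
    """Sources that were denied by any list, sorted by packet count (highest first)."""
    by_src = Counter()
    for (acl, action, proto, src), n in summarize(text).items():
        if action == "denied":
            by_src[src] += n
    return by_src.most_common()
```

Note that IOS rate-limits these messages and reports packet counts per interval, so the totals are a sample of matched traffic rather than an exact count.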
