CCNA Exp4 - Chapter05 - ACLs


Chapter 5 - ACLs

CCNA Exploration 4.0


Introduction

Bach Khoa Network Academy (Học viện mạng Bách Khoa) - Website: www.bkacad.com

Using ACLs to Secure Networks


A TCP Conversation

ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses. ACLs can also be configured to control network traffic based on the TCP port being used.


Packet Filtering

Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria. Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.

The ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
1. Source IP address
2. Destination IP address
3. ICMP message type
The ACL can also extract upper-layer information and test it against its rules. Upper-layer information includes:
1. TCP/UDP source port
2. TCP/UDP destination port

Packet Filtering Example


What is an ACL ?

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.


The Three Ps: you can configure one ACL per protocol, per direction, per interface.

Here are some guidelines for using ACLs:
1. Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
2. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
3. Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
4. Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

ACLs perform the following tasks:
1. Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
2. Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
3. Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
4. Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
5. Control which areas a client can access on a network.
6. Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to file types, such as FTP or HTTP.

ACL Operation

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.

Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.

Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time. If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. A final implied statement covers all packets for which conditions did not test true. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.

There is a key caveat associated with this "deny all" behavior: For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.

Types of Cisco ACLs

The two main tasks involved in using ACLs are as follows:
Step 1. Create an access list by specifying an access list number or name and access conditions.
Step 2. Apply the ACL to interfaces or terminal lines.

How a Standard ACL Works?

Numbering and Naming ACLs

Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not inform you of the purpose of the ACL. Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

Where to place ACLs

The basic rules are: Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

General Guidelines for Creating ACLs

Activity 5.1.9.2

Configuring Standard ACLs


Entering Criteria Statements

A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked.

Configuring a Standard ACL


ACL Wildcard Masking

A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at. Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function. The mask determines how much of an IP source or destination address to apply to the address match. The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits.

Subnet masks start from the left side of an IP address and work towards the right to extend the network field by borrowing bits from the host field. Wildcard masks are designed to filter individual or groups of IP addresses, permitting or denying access to resources based on the address. Wildcard masks and subnet masks differ in the way they match binary 1s and 0s. Wildcard masks use the following rules to match binary 1s and 0s:
Wildcard mask bit 0 - Match the corresponding bit value in the address
Wildcard mask bit 1 - Ignore the corresponding bit value in the address


For example, assume you wanted to permit access to all users in the 192.168.3.0 network. Because the subnet mask is 255.255.255.0, you could take 255.255.255.255 and subtract the subnet mask 255.255.255.0 from it, as indicated in the figure. The solution produces the wildcard mask 0.0.0.255.

To simplify this task, the keywords host and any help identify the most common uses of wildcard masking. The host option substitutes for the 0.0.0.0 mask. This mask states that all IP address bits must match, so only one host is matched. The any option substitutes for the IP address and the 255.255.255.255 mask. This mask says to ignore the entire IP address, that is, to accept any address.


Applying Standard ACLs to Interfaces

Standard ACL Configuration Procedures

After a standard ACL is configured, it is linked to an interface using the ip access-group command:

Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}


The access-class command in line configuration mode restricts incoming and outgoing connections between a particular VTY (into a Cisco device) and the addresses in an access list.

Editing Numbered ACLs

When configuring an ACL, the statements are added, in the order that they are entered, at the end of the ACL. There is no built-in editing feature that allows you to change an existing line in an ACL. You cannot selectively insert or delete lines. It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad.

You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

Creating Standard Named ACLs

Naming an ACL makes it easier to understand its function. For example, an ACL to deny FTP could be called NO_FTP. When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different.


Monitoring and Verifying ACLs


Editing Named ACLs

Named ACLs have a big advantage over numbered ACLs in that they are easier to edit. Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL. If you are using an earlier Cisco IOS software version, you can add statements only at the bottom of the named ACL.


Configuring Extended ACLs


Extended ACLs

Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add to your security solution. Like standard ACLs, extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services).


Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port.


The nature of HTTP requires that traffic flow back into the network, but the network administrator wants to restrict that traffic to HTTP exchanges from requested websites. The security solution must deny any other traffic coming into the network. ACL 104 does that by blocking all incoming traffic, except for the established connections. The established parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to return inbound on s0/0/0. A match occurs if the TCP datagram has the ACK or reset (RST) bit set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but would not receive traffic from the web server.
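Added example (not from the course slides or from Cisco): a small Python model of the ACL rules this chapter describes, covering top-down first-match evaluation with the implicit deny, wildcard-mask derivation and matching with the host and any keywords, and the established check that ACL 104 relies on. The ACL 104 statement and the packets are constructed here from the slide text; the parser handles only a subset of IOS syntax (numeric destination ports, no source-port operators).

```python
import ipaddress

FULL = 0xFFFFFFFF

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_subnet_mask(mask: str) -> str:
    """Chapter rule: 255.255.255.255 minus the subnet mask is the wildcard mask."""
    return str(ipaddress.IPv4Address(FULL - ip_int(mask)))

def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """Wildcard bit 0 = address bit must match, bit 1 = bit is ignored."""
    care = ip_int(wildcard) ^ FULL  # the bits the router actually compares
    return (ip_int(addr) & care) == (ip_int(ref) & care)

def _parse_addr(tok: list) -> tuple:
    """Consume 'any', 'host A' or 'A WILDCARD'; keywords expand as the chapter says."""
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_ace(line: str) -> dict:
    """'{permit|deny} PROTO SRC DST [eq DPORT] [established]' (numeric ports only;
    source-port operators are left out of this simplified parser)."""
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0), "dport": None, "established": False}
    ace["src"], ace["dst"] = _parse_addr(tok), _parse_addr(tok)
    while tok:
        t = tok.pop(0)
        if t == "eq":
            ace["dport"] = int(tok.pop(0))
        elif t == "established":
            ace["established"] = True
    return ace

def ace_matches(ace: dict, pkt: dict) -> bool:
    if ace["proto"] not in ("ip", pkt["proto"]):  # 'ip' covers every protocol
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # 'established' only checks that the ACK or RST bit is set; it is a flag test,
    # not session state, which is the weakness the reflexive-ACL slides point out
    return not ace["established"] or bool(pkt.get("ack") or pkt.get("rst"))

def evaluate(acl: list, pkt: dict) -> str:
    """Top down, first match wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed ACL 104 as the slide describes it: applied inbound on s0/0/0, it lets
# only TCP return traffic for existing connections reach 192.168.10.0/24.
ACL_104 = [parse_ace("permit tcp any 192.168.10.0 0.0.0.255 established")]
# Constructed packets: a web server reply carrying ACK, and an unsolicited SYN.
WEB_REPLY = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.20",
             "sport": 80, "dport": 51000, "ack": True}
INBOUND_SYN = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.10.20",
               "dport": 80, "ack": False}
```

Evaluating WEB_REPLY against ACL_104 returns "permit" and INBOUND_SYN returns "deny" through the implicit deny, matching the behaviour the slide describes.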

Extra: established parameter


Applying Extended ACLs to Interfaces


Remember that FTP requires ports 20 and 21; therefore you need to specify both eq 20 and eq 21 to deny FTP.


Creating Named Extended ACLs


Configure Complex ACLs


What are Complex ACLs?

Dynamic ACLs

What are Dynamic ACLs?

Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.

Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular period; idle and absolute timeouts are possible.

When to Use Dynamic ACLs
- When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
- When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through a AAA, TACACS+ server, or other security server before it allows their hosts to access the remote hosts.

Benefits of Dynamic ACLs
- Use of a challenge mechanism to authenticate individual users
- Simplified management in large internetworks
- In many cases, reduction of the amount of router processing that is required for ACLs
- Reduction of the opportunity for network break-ins by network hackers
- Creation of dynamic user access through a firewall, without compromising other configured security restrictions


Reflexive ACLs

What are Reflexive ACLs?

Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists. Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. These ACLs allow the router to manage session traffic dynamically. The router examines the outbound traffic and, when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in. Reflexive ACLs contain only temporary entries. These entries are automatically created when a new IP session begins, for example, with an outbound packet, and the entries are automatically removed when the session ends.

Benefits of Reflexive ACLs
- Help secure your network against network hackers and can be included in a firewall defense.
- Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
- Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.


Time-based ACLs

What are Time-based ACLs?

Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. Time-based ACLs have many benefits, such as:
- Offers the network administrator more control over permitting or denying access to resources.
- Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.


Troubleshooting Common ACL Errors



Activity 5.4.5.2

Labs


Summary
