1. Trang chủ
  2. » Cao đẳng - Đại học

Access control lists

14 1,1K 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 14
Dung lượng 772,49 KB

Nội dung

University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528 Lab.8 Access Control Lists Objectives To understand the concept of ACLs Design and apply named standard and named extended ACLs Pre-lab Preparation: Read thoroughly and prepare the experiment sheet You must bring a printed copy of this experiment with you to the lab Procedure: You can find the problem sheet on Drive D: of the lab PCs Introduction: Network security is a huge subject One of the most important skills a network administrator needs is mastery of access control lists (ACLs) Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks Network designers use firewalls to protect networks from unauthorized use Firewalls are hardware or software solutions that enforce network security policies Consider a lock on a door to a room inside a building The lock only allows authorized users with a key or access card to pass through the door Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols ACLs provide a powerful way to control traffic into and out of your network You can configure ACLs for all routed network protocols An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on: • Source IP address • Destination IP address • ICMP message type The ACL can also extract upper layer information and test it against its rules Upper layer information includes: • TCP/UDP source port • TCP/UDP destination port What is an ACL? An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways Page of 14 As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet ACLs can be configured to control access to a network or subnet By default, a router does not have any ACLs configured and therefore does not filter traffic Traffic that enters the router is routed according to the routing table If you not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment Here are some guidelines for using ACLs: • Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet • Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network • Configure ACLs on border routers-routers situated at the edges of your networks This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network • Configure ACLs for each network protocol configured on the border router interfaces You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both The Three Ps A general rule for applying ACLs on a router can be recalled by remembering the three Ps You can configure one ACL per protocol, per direction, per interface: • One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface • One ACL per direction-ACLs control traffic in one direction at a time on an interface Two separate ACLs must be created to control inbound and outbound traffic • One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0 Writing ACLs can be a challenging and complex task Every interface can have multiple protocols and directions defined The router in the example has two interfaces configured for IP: AppleTalk and IPX This router could possibly require 12 separate ACLs: one ACL for each protocol, times two for each direction, times two for the number of ports Page of 14 ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers In addition to either permitting or denying traffic, an ACL can classify traffic to enable priority processing down the line ACL Operation: How ACLs Work ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router and packets that exit outbound interfaces of the router ACLs not act on packets that originate from the router itself ACLs are configured either to apply to inbound traffic or to apply to outbound traffic Inbound ACLs-Incoming packets are processed before they are routed to the outbound interface An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded If the packet is permitted by the tests, it is then processed for routing Outbound ACLs-Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL ACL statements operate in sequential order They evaluate packets against the ACL, from the top down, one statement at a time If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement If a packet header does not match an ACL statement, the packet is tested against the next statement in the list This matching process continues until the end of the list is reached A final implied statement covers all packets for which conditions did not test true This final test condition matches all other packets and results in a "deny" instruction Instead of proceeding into or out of an interface, the router drops all of these remaining packets This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic Page of 14 Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable If the packet is not routable, it is dropped Next, the router checks to see whether the outbound interface is grouped to an ACL If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer Examples of outbound ACL operation are as follows: If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface Based on the ACL tests, the packet is permitted or denied For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet Types of ACLs: There are two types of Cisco ACLs, standard and extended Standard ACLs Standard ACLs allow you to permit or deny traffic from source IP addresses The destination of the packet and the ports involved not matter Example: access-list 10 permit 192.168.30.0 0.0.0.255 The example allows all traffic from network 192.168.30.0/24 network Because of the implied "deny any" at the end, all other traffic is blocked with this ACL Standard ACLs are created in global configuration mode Extended ACLs Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control Example: access-list 103 permit tcp 192.168.30.0 0.0.0.255any eq 80 ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP) Extended ACLs are created in global configuration mode Page of 14 Numbering and Naming ACLs: Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic However, a number does not inform you of the purpose of the ACL For this reason you can use a name to identify a Cisco ACL The rule to designate numbered ACLs and named ACLs is: Numbered ACL: You assign a number based on which protocol you want to filtered: • (1 to 99) and (1300 to 1999): Standard IP ACL • (100 to 199) and (2000 to 2699): Extended IP ACL In case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols Named ACL: You assign a name by providing the name of the ACL: • Names can contain alphanumeric characters • It is suggested that the name be written in CAPITAL LETTERS • Names cannot contain spaces or punctuation and must begin with a letter • You can add or delete entries within the ACL Where to place ACLs: The proper placement of an ACL to filter undesirable traffic makes the network operate more efficiently ACLs can act as firewalls to filter packets and eliminate unwanted traffic Where you place ACLs can reduce unnecessary traffic For example, traffic that will be denied at a remote destination should not use network resources along the route to that destination Every ACL should be placed where it has the greatest impact on efficiency The basic rules are: • Locate extended ACLs as close as possible to the source of the traffic denied This way, undesirable traffic is filtered without crossing the network infrastructure • Because standard ACLs not specify destination addresses, place them as close to the destination as possible Let us consider an example of where to place ACLs in our network The interface and network location is based on what you want the ACL to In the figure below, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from getting to the 192.168.30.0/24 network An ACL on the outbound interface of R1 denies R1 the ability to send traffic to other places as well The solution is to place a standard ACL on the inbound interface of R3 to stop all traffic from the source address192.168.10.0/24 A standard ACL meets the needs because it is only concerned with source IP addresses Page of 14 Consider that administrators can only place ACLs on devices that they control Therefore, placement must be determined in the context of where the control of the network administrator extends, see figure below In this figure, the administrator of the 192.168.10.0/24 and 192.168.11.0/24 networks (referred to as Ten and Eleven, respectively, in this example) wants to deny Telnet and FTP traffic from Eleven to the 192.168.30.0/24 network (Thirty, in this example) At the same time, other traffic must be permitted to leave Ten There are several ways to this An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the administrator does not control R3 That solution also still allows unwanted traffic to cross the entire network, only to be blocked at the destination This affects overall network efficiency One solution is to use an outbound extended ACL that specifies both source and destination addresses (Eleven and Thirty, respectively), and says, "Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Place this extended ACL on the outbound S0/0/0 port of R1 A disadvantage of this solution is that traffic from Ten would also be subject to some processing by the ACL, even though Telnet and FTP traffic is allowed The better solution is to move closer to the source and place an extended ACL on the inbound Fa0/2 interface of R1 This ensures that packets from Eleven not enter R1, and subsequently cannot cross over into Ten, or even enter R2 or R3 Traffic with other destination addresses and ports is still permitted through R1 Configuring a standard ACL Standard ACL Logic In the figure below, packets that come in Fa0/0 are checked for their source addresses: access-list deny 192.168.10.1 access-list permit 192.168.10.0 0.0.0.255 access-list deny 192.168.0.0 0.0.255.255 access-list permit 192.0.0.0 0.255.255.255 If packets are permitted, they are routed through the router to an output interface If packets are not permitted, they are dropped at the incoming interface Page of 14 Configuring Standard ACLs To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then activate the ACL on an interface The full syntax of the standard ACL command is as follows: Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log] The following table provides a detailed explanation of the syntax for a standard ACL Parameter description access-list-number Number of an ACL This is a decimal number from to 99, or 1300 to 1999 (for standard ACL) deny Denies access if the conditions are matched permit Permits access if the conditions are matched remark Add a remark about entries in an IP access list to make the list easier to understand and scan source Number of the network or host from which the packet is being sent There are two ways to specify the source: Use a 32-bit quantity in four-part, dotted- decimal format Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.55 source-wildcard (Optional) Wildcard bits to be applied to the source There are two ways to specify the source-wildcard: Use a 32-bit quantity in four-part, dotted-decimal format Place ones in the bit positions you want to ignore Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.55 Log (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console (The level of messages logged to the console is controlled by the logging console command.) The message includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval Page of 14 For example, to create a numbered ACL designated 10 that would permit network 192.168.10.0 /24, you would enter: R1(config)# access-list 10 permit 192.168.10.0 To remove the ACL, the global configuration no access-list command is used Issuing the show access-list command confirms that access list 10 has been removed Typically, administrators create ACLs and fully understand each the purpose of each statement within the ACL However, when an ACL is revisited at a later time, it may no longer as obvious as it once was The remark keyword is used for documentation and makes access lists a great deal easier to understand Each remark is limited to 100 characters The ACL in the figure below, although fairly simple, is used to provide an example When reviewing the ACL in the configuration, the remark is also displayed ACL Wildcard Masking Wildcard Masking ACLs statements include masks, also called wildcard masks A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at Although wildcard masks have no functional relationship with subnet masks, they provide a similar function The mask determines how much of an IP source or destination address to apply to the address match The numbers and in the mask identify how to treat the corresponding IP address bits However, they are used for different purposes and follow different rules Page of 14 Wildcard masks and subnet masks are both 32 bits long and use binary 1s and 0s Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address By carefully setting wildcard masks, you can permit or deny a single or several IP addresses Wildcard masks and subnet masks differ in the way they match binary 1s and 0s Wildcard masks use the following rules to match binary 1s and 0s: Wildcard mask bit - Match the corresponding bit value in the address Wildcard mask bit - Ignore the corresponding bit value in the address The table below shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address Remember that a binary indicates a value that is matched Decimal Address Binary Address IP address to be processed 192.168.10.0 11000000.10101000.00001010.00000000 Wildcard mask 0.0.255.255 00000000.00000000.11111111.11111111 Resulting IP address 192.168.0.0 11000000.10101000.00000000.00000000 Wildcard Bit Mask Keywords Working with decimal representations of binary wildcard mask bits can be tedious To simplify this task, the keywords host and any help identify the most common uses of wildcard masking These keywords eliminate entering wildcard masks when identifying a specific host or network They also make it easier to read an ACL by providing visual clues as to the source or destination of the criteria The host option substitutes for the 0.0.0.0 mask This mask states that all IP address bits must match or only one host is matched The any option substitutes for the IP address and 255.255.255.255 mask This mask says to ignore the entire IP address or to accept any addresses Example 1: Wildcard Masking Process with a Single IP Address In the example, instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10 R1(config)# access-list permit 192.168.10.10 0.0.0.0 R1(config)# access-list permit host 192.168.10.10 Example 2: Wildcard Masking Process with a Match Any IP Address In the example, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself R1(config)# access-list permit 0.0.0.0 255.255.255.255 R1(config)# access-list permit any Applying Standard ACLs to Interfaces Standard ACL Configuration Procedures After a standard ACL is configured, it is linked to an interface using the ip access-group command: Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out} To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL Page of 14 Step 1: Use the access-list global configuration command to create any entry in a standard ACL R1(config)# access-list permit 192.168.10.0 0.0.0.255 Step 2: Use the interface configuration command to select an interface to which to apply the ACL R1(config)# interface FastEthernet 0/0 Step 3: Use the ip access-group interface configuration command to activate the existing ACL on an interface R1(config)# ip access-group out The following figures show examples of an ACL to permit a single network, of an ACL that denies a specific host, and an ACL that denies a specific subnet Editing Numbered ACLs When configuring an ACL, the statements are added in the order that they are entered at the end of the ACL However, there is no built-in editing feature that allows you to edit a change in an ACL You cannot selectively insert or delete lines It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad This allows you to create or edit the ACL and then paste it onto the router For an existing ACL, you could use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and reload it For example, assume that the host IP address of a host was incorrectly entered Instead of the 192.168.10.100 host, it should have been the 192.168.10.11 host Here are the steps to edit and correct ACL 20: Step 1: Display the ACL using the show running-config command The include keyword used to display only the ACL statements R1# show running-config | include access-list access-list 20 permit 192.168.10.100 access-list 20 deny 192.168.10 0.0.0.255 Page 10 of 14 Step 2: Highlight the ACL, copy it, and then paste it into Microsoft Notepad Edit the list as required Once the ACL is correctly displayed in Microsoft Notepad, highlight it and copy it access-list 20 permit 192.168.10.11 access-list 20 deny 192.168.10 0.0.0.255 Step 3: In global configuration mode, disable the access list using the no access-list 20 command Otherwise, the new statements would be appended to the existing ACL Then paste the new ACL into the configuration of the router R1# config t R1(config)# no access-list 20 R1(config)# access-list 20 permit 192.168.10.11 R1(config)# access-list 20 deny 192.168.10 0.0.0.255 It should be mentioned that when using the no access-list command, no ACL is protecting your network Also, be aware that if you make an error in the new list, you have to disable it and troubleshoot the problem In that case, again, your network has no ACL during the correction process Creating Standard Named ACLs Naming an ACL makes it easier to understand its function For example, an ACL to deny FTP could be called NO_FTP When you identify your ACL with a name instead of with a number, the configuration mode and command syntax are slightly different The steps to create a standard named ACL: Step 1: Starting from the global configuration mode, use the ip access-list command to create a named ACL ACL names are alphanumeric, must be unique and must not begin with a number R1(config)# ip access-list [standard | extended] name Step From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped Router(config-std-nacl)# [deny | permit | remark] source [source-wildcard] [log] Step 3: Return to the global configuration mode with the exit command Step 4: Activate the named IP ACL on an interface R1(config)# ip access-group name [in | out] When you finish an ACL configuration, use Cisco IOS show commands to verify the configuration The Cisco IOS syntax to display the contents of all ACLs R1# show access-list {access-list-number| name} Page 11 of 14 Configuring Extended ACLs The procedural steps for configuring extended ACLs are the same as for standard ACLs, you first create the extended ACL and then activate it on an interface However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs The full syntax of the extended ACL command is as follows: Router(config)#access-list access-list-number [deny | permit | remark] protocol source [sourcewildcard] [operator operand] [port port-number or name ] destination [destination-wildcard] [operator operand] [port port-number or name ] [established] The table below shows the common command syntax for extended ACLs Parameter description access-list-number Identifies the access list using a number in the range 100 to 199 (for an extended IP ACL) and 2000 to 2699 (expanded IP ACLs) deny Denies access if the conditions are matched permit Permits access if the conditions are matched remark Indicates whether this entry allows or blocks the specified address Could also be used to enter a remark protocol Name or number of an Internet protocol Common keywords include icmp, ip, tcp, or udp To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword source Number of the network or host from which the packet is being sent source-wildcard Wildcard bits to be applied to source destination Number of the network or host to which the packet is being sent destinationwildcard Wildcard bits to be applied to the destination operator (Optional) Compares source or destination ports Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range) port (Optional) The decimal number or name of a TCP or UDP port established (Optional) For the TCP protocol only: Indicates an established connection The figure shows an example of how you might create an extended ACL specific to your network needs In this example, the network administrator needs to restrict Internet access to allow only website browsing ACL 103 applies to traffic leaving the 192.168.10.0 network, and ACL 104 to traffic coming into the network Page 12 of 14 ACL 103 accomplishes the first part of the requirement It allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only The nature of HTTP requires that traffic flow back into the network, but the network administrator wants to restrict that traffic to HTTP exchanges from requested websites The security solution must deny any other traffic coming into the network ACL 104 does that by blocking all incoming traffic, except for the established connections HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages The following figures show examples of an ACL of applying an ACL to an interface, an extended ACL to deny FTP from subnets, and an extended ACL to deny only Telnet from subnet An example of how to generate a list of port numbers and keywords you can use while building an ACL is: R1(config)#access-list 101 permit tcp any eq ? command Page 13 of 14 Creating Named Extended ACLs You can create named extended ACLs in essentially the same way you created named standard ACLs The commands to create a named ACL are different for standard and extended ACLs The figure below shows the named version of an extended ACL ******************************************* *** Solve associated parts in the problem sheet *** ******************************************* Page 14 of 14

Ngày đăng: 04/09/2016, 08:47

TỪ KHÓA LIÊN QUAN

w