Access Control Lists for Threat Mitigation
© 2012 Cisco and/or its affiliates. All rights reserved.

Outline
• Lists the benefits of ACLs
• Describes the building blocks and operational framework of ACLs
• Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments
• Lists design considerations when deploying ACLs
• Demonstrates the use of Cisco Configuration Professional (CCP) and the CLI to deploy and verify a threat containment strategy using ACLs
• Demonstrates the use of CCP and the CLI to correlate ACL log and alarm information in order to monitor their impact and effectiveness
• Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control
• Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences from IPv4 ACLs

ACL Fundamentals
• ACLs provide packet filtering on routers and firewalls to protect internal networks from the outside world.
• ACLs filter traffic in both directions by controlling whether packets are forwarded or blocked at the router interfaces, based on the criteria you specify in the ACL.
• ACL criteria can be the source address of the traffic, the destination address, the upper-layer protocol, or other information such as port numbers.

Filtering Host B Traffic Ingress Using an ACL
Figure: an inbound ACL permits Host A to access the Human Resources network but prevents Host B from accessing the Human Resources network.

Using ACLs to Mitigate Many Threats
• IP address spoofing (inbound)
• IP address spoofing (outbound)
• DoS TCP SYN attacks (blocking external attacks)
• DoS TCP SYN attacks (using TCP Intercept)
• DoS Smurf attacks
• Filtering ICMP messages (inbound)
• Filtering ICMP messages
(outbound)
• Filtering traceroute

ACL Operation
ACLs are applied to an interface in one of two directions:
• Inbound: Incoming packets are processed against the ACL before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of a routing lookup when the packet is going to be discarded by the filtering tests. If the packet is permitted by the tests, it is then processed for routing.
• Outbound: Packets arriving on an inside interface are routed to the outbound interface first, and then they are processed through that interface's outbound ACL.

Outbound ACL Operation
(figure only)

Top-Down Process of Tests: Deny or Permit
(figure only) Entries are tested in order from the top; the first entry that matches decides the packet's fate, and a packet that matches no entry is dropped by the implicit deny at the end of every ACL.

Types of IP ACLs
Cisco routers support two types of IP ACLs:
• Standard ACLs: Standard IP ACLs check only the source address of packets that can be routed. The result permits or denies the entire protocol suite, based on the source network, subnet, or host IP address.
• Extended ACLs: Extended IP ACLs check both the source and destination addresses. They can also check for specific protocols, port numbers, and other parameters, which gives administrators more flexibility and control.
The two general methods you can use to create ACLs are as follows:
• Numbered ACLs: Use a number for identification (1-99 and 1300-1999 for standard ACLs, 100-199 and 2000-2699 for extended ACLs)
• Named ACLs: Use an alphanumeric string for identification

ACL Wildcard Bits
• Wildcard mask bit 0: Match the corresponding bit value in the address
• Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address
For a contiguous block the wildcard is the bitwise inverse of the subnet mask: 192.168.1.0 0.0.0.255 matches 192.168.1.0/24, and 10.10.0.0 0.0.3.255 matches the summarized /22 covering 10.10.0.0 through 10.10.3.255.

Enabling Logging with CCP
Selecting ACEs that Will Generate Log Entries
(figure only)

Monitoring ACLs with CCP
(figure only)
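The wildcard-bit and top-down slides above, worked in code. This is an added example and not code from the Cisco deck: it parses a small subset of IOS numbered-ACL syntax (only the keywords used below are supported, an assumption), evaluates packets top-down with first-match semantics and the implicit deny, and emits a syslog line modeled on the IOS %SEC-6-IPACCESSLOGP message for ACEs marked `log`, the same entries the CCP logging slides select and display. The anti-spoofing ACL, the inside network 10.10.0.0/22 and the packets are constructed for the example.

```python
"""Top-down IPv4 ACL evaluation with IOS wildcard masks and the implicit deny.

Added example, not code from the Cisco deck. The parser covers only the subset
of IOS numbered-ACL syntax used below (an assumption); the syslog text is
modeled on IOS %SEC-6-IPACCESSLOGP output for TCP/UDP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every wildcard bit set
PORTS = {"www": 80, "ftp": 21}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = compare that address bit, bit 1 = ignore it."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # ip | tcp | udp | icmp
    src: Tuple[str, str]        # (base address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int]        # from "eq <port>"
    icmp_type: Optional[str]    # e.g. "echo-reply"
    log: bool
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None


def _addr(toks):
    """Consume 'any' | 'host A' | 'A W' and return ((base, wildcard), rest)."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_ace(line: str) -> ACE:
    """Parse 'access-list N {permit|deny} [proto] SRC [DST] [eq P] [type] [log]'."""
    toks = line.split()
    number, action, rest = int(toks[1]), toks[2], toks[3:]
    if number <= 99 or 1300 <= number <= 1999:      # standard ACL: source only
        src, rest = _addr(rest)
        return ACE(action, "ip", src, ANY, None, None, "log" in rest, line)
    proto, rest = rest[0], rest[1:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = icmp_type = None
    if rest[:1] == ["eq"]:
        dport, rest = PORTS.get(rest[1]) or int(rest[1]), rest[2:]
    if proto == "icmp" and rest and rest[0] != "log":
        icmp_type, rest = rest[0], rest[1:]
    return ACE(action, proto, src, dst, dport, icmp_type, "log" in rest, line)


def matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *ace.src)
            and wildcard_match(pkt.dst, *ace.dst)
            and ace.dport in (None, pkt.dport)
            and ace.icmp_type in (None, pkt.icmp_type))


def evaluate(acl: List[ACE], number: int, pkt: Packet):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            log = None
            if ace.log:
                verb = "permitted" if ace.action == "permit" else "denied"
                log = (f"%SEC-6-IPACCESSLOGP: list {number} {verb} {pkt.proto} "
                       f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
            return ace.action, ace.text, log
    return "deny", "implicit deny", None     # IOS never logs the implicit deny


# Constructed inbound anti-spoofing ACL for an outside interface. The inside
# network is assumed to be 10.10.0.0/22, written as wildcard 0.0.3.255; the
# final explicit "deny ip any any log" exists only to make drops visible.
SAMPLE_ACL = [parse_ace(l) for l in """
access-list 100 deny ip 10.10.0.0 0.0.3.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit tcp any host 10.10.10.5 eq www
access-list 100 permit icmp any 10.10.0.0 0.0.3.255 echo-reply
access-list 100 deny ip any any log
""".strip().splitlines()]


def demo():
    """Evaluate four constructed packets arriving on the outside interface."""
    spoofed = Packet("tcp", "10.10.2.7", "10.10.10.5", 40000, 80)  # inside source seen from outside
    web = Packet("tcp", "203.0.113.9", "10.10.10.5", 40001, 80)
    ssh = Packet("tcp", "203.0.113.9", "10.10.10.5", 40002, 22)
    reply = Packet("icmp", "203.0.113.9", "10.10.1.1", icmp_type="echo-reply")
    return [evaluate(SAMPLE_ACL, 100, p) for p in (spoofed, web, ssh, reply)]
```

Running `demo()` shows the spoofed packet and the SSH attempt denied with a log line each, while the web request and the echo reply are permitted silently. Truncating the list to its first three entries (`SAMPLE_ACL[:3]`) makes the SSH packet fall through to the implicit deny, which produces no log at all; that is why a trailing explicit `deny ip any any log` is the usual way to make the monitoring slides' counters and syslog entries reflect what the ACL actually drops.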
Logged ACE Generated by the Firewall Entry
(figure only)

Configuring an Object Group with CCP
(figure only)

Object Groups
You can create two types of ACL object groups:
• Network object groups: Can contain host names, host IP addresses, subnets (address and subnet mask), ranges of IP addresses, and other existing network object groups
• Service object groups: Can contain top-level protocols such as TCP, UDP, and TCP-UDP; ICMP types; source and destination protocol ports; and other existing service object groups

Configuring an Object Group Using CCP
(figure only)

Configuring an Object Group in the CLI
Router# configure terminal
Router(config)# object-group network INTERNAL-NETS
Router(config-network-group)# description Subnets inside the Firewall
Router(config-network-group)# 10.10.0.0 255.255.255.0
Router(config-network-group)# 10.10.1.0 255.255.255.0
Router(config-network-group)# 10.10.2.0 255.255.255.0
Router(config-network-group)# 10.10.10.0 255.255.255.0
Note that object-group entries take a subnet mask, not the wildcard mask used in ACEs.

Assigning Object Groups to ACLs
(figure only) An ACE references a group with the object-group keyword in place of an address or port, for example: permit tcp object-group INTERNAL-NETS any eq www

Using ACLs in IPv6 Environments
IPv6 ACLs can help mitigate the following threats, among others:
• Extension header threats; for instance, amplification attacks based on the Type 0 Routing Header (RH0)
• Threats based on misuse and abuse of ICMPv6
• Reconnaissance based on IPv6 multicast addresses
• Threats that exploit tunneling solutions such as those used in IPv6 migration environments

Examples of IPv6 Potential Attacks
(figure only)

Advanced IPv6 ACLs
Reflexive ACLs and time-based ACLs are also available in IPv6. An
IPv6 ACL can match the following IPv6 headers:
• routing: Matches any routing header
• mobility: Matches any mobility header
• dest-option-type: Matches any destination option header
• auth: Matches the IPsec Authentication Header (AH)
• undetermined-transport: Matches any packet whose Layer 4 protocol cannot be determined (fragmented or unknown extension header); available only with the deny command

RFC 4890 ICMP ACL
ipv6 access-list RFC4890
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit icmp any any
 permit icmp any any
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any mld-query
 permit icmp any any mld-reduction
 permit icmp any any mld-report
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-solicitation
(The ICMPv6 type of the third and fourth entries did not survive extraction of the slide; as written, a bare "permit icmp any any" would permit all ICMPv6.)

IPv6 ACL Implicit Entries
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
These three entries are appended to every IPv6 ACL after the configured entries. Because evaluation is top-down, an explicit "deny ipv6 any any" added at the end of a list is reached before the implicit ND permits and blocks neighbor discovery on that interface; permit nd-ns and nd-na explicitly before such a deny.

References
For additional information, refer to these Cisco.com resources:
• "Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events," http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html
• "IP Access List Entry Sequence Numbering," http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html
• "Understanding Access Control List Logging," http://www.cisco.com/web/about/security/intelligence/acl-logging.html

... with vty Access
Router(config-line)# access-class access-list-number {in | out}
Example:
R1(config)# access-list 12 permit 192.168.1.0 0.0.0.255
!
R1(config)# line vty
R1(config-line)# access-class ...
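The IPv6 implicit-entry behaviour described above, worked in code. This is an added example, not code from the Cisco deck: it models how IOS appends the nd-na, nd-ns and deny entries after the configured ACEs, shows the explicit "deny ipv6 any any" mistake shadowing them, enforces the rule that undetermined-transport is deny-only, and uses the routing keyword to drop packets carrying a routing header (the RH0 case from the IPv6 threat list). The parser covers only the keywords used here (an assumption); the prefixes, the web server address and the packets are constructed for the example.

```python
"""IPv6 ACL evaluation with the implicit ND entries and the implicit deny.

Added example, not code from the Cisco deck. IOS appends the three IMPLICIT
entries to every IPv6 ACL; this model shows why an explicit "deny ipv6 any
any" at the end of a list shadows the implicit nd-ns/nd-na permits and breaks
neighbor discovery. The parser covers only the keywords used here (assumption);
extension-header keywords such as "routing" match any packet carrying that
header, as the Advanced IPv6 ACLs slide describes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IMPLICIT = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]
HEADER_KEYWORDS = {"routing", "mobility", "dest-option-type", "auth", "undetermined-transport"}
PORTS = {"www": 80, "ftp": 21}


@dataclass
class Packet6:
    proto: str                      # ipv6 | tcp | udp | icmp
    src: str
    dst: str
    dport: int = 0
    icmp_type: Optional[str] = None
    ext_headers: Set[str] = field(default_factory=set)   # e.g. {"routing"}


@dataclass
class ACE6:
    action: str
    proto: str
    src: Optional[ipaddress.IPv6Network]     # None means "any"
    dst: Optional[ipaddress.IPv6Network]
    dport: Optional[int]
    icmp_type: Optional[str]
    headers: Set[str]
    log: bool
    text: str


def _net(toks):
    """Consume 'any' | 'host X' | 'prefix/len' and return (network or None, rest)."""
    if toks[0] == "any":
        return None, toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv6Network(toks[1]), toks[2:]
    return ipaddress.IPv6Network(toks[0], strict=False), toks[1:]


def parse6(line: str) -> ACE6:
    toks = line.split()
    action, proto = toks[0], toks[1]
    src, rest = _net(toks[2:])
    dst, rest = _net(rest)
    dport = icmp_type = None
    headers, log = set(), False
    while rest:
        t = rest.pop(0)
        if t == "eq":
            p = rest.pop(0)
            dport = PORTS.get(p) or int(p)
        elif t in HEADER_KEYWORDS:
            headers.add(t)
        elif t == "log":
            log = True
        elif proto == "icmp":
            icmp_type = t
        else:
            raise ValueError(f"unsupported keyword {t!r} in {line!r}")
    if "undetermined-transport" in headers and action != "deny":
        raise ValueError("undetermined-transport is only valid with deny")
    return ACE6(action, proto, src, dst, dport, icmp_type, headers, log, line)


def matches6(ace: ACE6, pkt: Packet6) -> bool:
    return (ace.proto in ("ipv6", pkt.proto)
            and (ace.src is None or ipaddress.IPv6Address(pkt.src) in ace.src)
            and (ace.dst is None or ipaddress.IPv6Address(pkt.dst) in ace.dst)
            and ace.dport in (None, pkt.dport)
            and ace.icmp_type in (None, pkt.icmp_type)
            and ace.headers <= pkt.ext_headers)


def evaluate6(configured: List[str], pkt: Packet6) -> Tuple[str, str]:
    """Top-down over the configured ACEs, then the implicit entries IOS appends."""
    for ace in map(parse6, configured + IMPLICIT):
        if matches6(ace, pkt):
            return ace.action, ace.text
    return "deny", IMPLICIT[-1]          # not reached: deny ipv6 any any always matches


# Constructed packets: a neighbor solicitation to a solicited-node multicast
# group, a web request, and the same request carrying a routing header.
NS = Packet6("icmp", "fe80::1", "ff02::1:ff00:10", icmp_type="nd-ns")
WEB = Packet6("tcp", "2001:db8:1::5", "2001:db8::10", 80)
RH0 = Packet6("tcp", "2001:db8:1::5", "2001:db8::10", 80, ext_headers={"routing"})

BROKEN = ["deny ipv6 any any routing log",
          "permit tcp any host 2001:db8::10 eq www",
          "deny ipv6 any any log"]       # shadows the implicit ND permits: ND breaks
FIXED = BROKEN[:2] + ["permit icmp any any nd-ns",
                      "permit icmp any any nd-na",
                      "deny ipv6 any any log"]
```

`evaluate6(BROKEN, NS)` returns a deny from the explicit last line, so the solicitation never reaches the implicit nd-ns permit; `evaluate6(FIXED, NS)` permits it, and `evaluate6(BROKEN[:2], NS)` (no explicit deny) permits it through the implicit entry. The web request is permitted in both lists, while the copy carrying a routing header is dropped by the first ACE.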
Group
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 ... eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12
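The flat ACL fragment above is what object groups replace: two source hosts, two servers and two services produce eight ACEs. As an added example (not code from the Cisco deck), the following expands object-group ACEs back into their flat equivalent, including nested groups via group-object and the subnet-mask-to-wildcard conversion the object-group CLI slide implies. The group names and the extra DMZ group are assumptions; the host and server addresses are those in the fragment.

```python
"""Expanding object-group ACEs into the flat ACEs they replace.

Added example, not code from the Cisco deck. Group names and the DMZ group are
assumptions; the addresses are those of the flat ACL on the slide. Entries use
IOS object-group syntax: "host A", "A MASK" (a subnet mask, which becomes a
wildcard in the flat ACE), and "group-object NAME" for nesting.
"""
from itertools import product
from typing import Dict, List, Tuple

NETWORK_GROUPS: Dict[str, List[str]] = {
    "BAD-HOSTS": ["host 10.6.252.65", "host 10.6.252.66"],
    "WEB-FTP-SERVERS": ["host 171.8.2.12", "host 171.8.2.13"],
    "DMZ": ["group-object WEB-FTP-SERVERS", "171.8.3.0 255.255.255.0"],
}
SERVICE_GROUPS: Dict[str, List[str]] = {
    "WEB-FTP": ["tcp eq www", "tcp eq ftp"],
}


def mask_to_wildcard(mask: str) -> str:
    """Object groups take subnet masks; flat ACEs take their bitwise inverse."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def expand_network(name: str, seen: Tuple[str, ...] = ()) -> List[str]:
    """Flatten a network group (recursively) into ACE address specs."""
    if name in seen:
        raise ValueError(f"object-group loop at {name}")
    out: List[str] = []
    for entry in NETWORK_GROUPS[name]:
        toks = entry.split()
        if toks[0] == "group-object":
            out += expand_network(toks[1], seen + (name,))
        elif toks[0] == "host":
            out.append(f"host {toks[1]}")
        else:
            out.append(f"{toks[0]} {mask_to_wildcard(toks[1])}")
    return out


def expand_service(name: str, seen: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Flatten a service group into (protocol, port spec) pairs."""
    if name in seen:
        raise ValueError(f"object-group loop at {name}")
    out: List[Tuple[str, str]] = []
    for entry in SERVICE_GROUPS[name]:
        toks = entry.split()
        if toks[0] == "group-object":
            out += expand_service(toks[1], seen + (name,))
        else:
            protos = ["tcp", "udp"] if toks[0] == "tcp-udp" else [toks[0]]
            out += [(p, " ".join(toks[1:])) for p in protos]
    return out


def expand(number: int, action: str, svc: str, src: str, dst: str) -> List[str]:
    """Flat equivalent of one object-group ACE, ordered source, destination,
    service, which is the order the slide lists them in."""
    return [f"access-list {number} {action} {proto} {s} {d} {spec}".rstrip()
            for s, d, (proto, spec) in product(expand_network(src),
                                                expand_network(dst),
                                                expand_service(svc))]
```

`expand(100, "deny", "WEB-FTP", "BAD-HOSTS", "WEB-FTP-SERVERS")` reproduces the eight lines of the fragment, and in a named extended ACL the same rule is the single entry `deny object-group WEB-FTP object-group BAD-HOSTS object-group WEB-FTP-SERVERS`; adding a host to one group changes one line of configuration instead of several ACEs. `expand_network("DMZ")` shows the nested group flattened and the subnet mask rewritten as wildcard 0.0.0.255.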