Access Control Lists (ACLs)Accessing the WAN – Chapter 5

Chia sẻ: Nguyễn Văn Chiến | Ngày: | Loại File: PDF | Số trang:70

Thêm vào BST

Báo xấu

110
lượt xem 10
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs. – Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Access Control Lists (ACLs)Accessing the WAN – Chapter 5

Access Control Lists (ACLs) Accessing the WAN – Chapter 5 1 ITE I Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Objectives In this chapter, you will learn to: – Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs. – Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces. – Configure extended ACLs in a medium-size enterprise branch office network, including configuring extended ACLs and named ACLs, configuring filters, verifying and monitoring ACLs, and troubleshooting extended ACL issues. – Describe complex ACLs in a medium-size enterprise branch office network, including configuring dynamic, reflexive, and timed ACLs, verifying and troubleshooting complex ACLs, and explaining relevant caveats. 2 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Objectives These are examples of IP ACLs that can be configured in Cisco IOS Software: –Standard ACLs –Extended ACLs –Dynamic (lock and key) ACLs –IP-named ACLs –Reflexive ACLs –Time-based ACLs that use time ranges –Commented IP ACL entries –Context-based ACLs http://www.cisco.com/en/US/tech/tk648/tk3 –Authentication proxy 61/technologies_configuration_example09 186a0080100548.shtml –Turbo ACLs –Distributed time-based ACLs 3 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy A TCP Conversation ACLs enable you to control traffic in and out of your network. –ACL control can be as simple as permitting or denying network hosts or addresses. –However, ACLs can also be configured to control network traffic based on the TCP port being used. –[Tony] Also, UDP, ICMP, time, and …….. To understand how an ACL works, let us look at the dialogue when you download a webpage. –The TCP data segment identifies the port matching the requested service. For example, HTTP is port 80, SMTP is port 25, and FTP is port 20 and port 21. –TCP packets are marked with flags: •a SYN starts (synchronizes) the session; •an ACK is an acknowledgment that an expected packet was received, •a FIN finishes the session. •A SYN/ACK acknowledges that the transfer is synchronized. 4 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Packet Filtering Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria. –These rules are defined using ACLs. –An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on: –Source IP address –Destination IP address –ICMP message type –TCP/UDP source port –TCP/UDP destination port –And ………. 5 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Packet Filtering Router(config)#access-list 101 deny ? An IP protocol number ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol igrp Cisco's IGRP routing protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol pim Protocol Independent Multicast tcp Transmission Control Protocol udp User Datagram Protocol 6 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Packet Filtering Example For example, you could say, –Only permit web access to users from network A. –Deny web access to users from network B, but permit them to have all other access." This is just a simple example. You can configure multiple rules to further permit or deny services to specific users. You can also filter packets at the port level using an extended ACL, which is covered in Section 3. 7 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy What is an ACL? By default, a router does not have any ACLs configured and therefore does not filter traffic. –Traffic that enters the router is routed according to the routing table. An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. –As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. •[Tony]: It stops when it finds a matching statement. –The ACL applying a permit or deny rule to determine the fate of the packet. •[Tony]: If ACL cannot find a matching statement from the list, the default action is deny the traffic. –ACLs can be configured to control access to a network or subnet. •[Tony]: It can control into and out of the network, or subnet, or, single host. 8 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy What is an ACL? Here are some guidelines for using ACLs: –Use ACLs in firewall routers positioned between your internal network and an external network •such as the Internet. –Use ACLs on a router positioned between two parts of your network •to control traffic entering or exiting a specific part of your internal network. –Configure ACLs on border routers •routers situated at the edges of your networks. •This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. –Configure ACLs for each network protocol configured on the border router interfaces. •You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both. 9 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy ACL: The Three Ps ACL: The Three Ps: –One ACL per protocol - An ACL must be defined for each protocol enabled on the interface. –One ACL per direction - ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic. –One ACL per interface - ACLs control traffic for an interface, for example, Fast Ethernet 0/0. The router in the example has two interfaces configured for IP: AppleTalk and IPX. –This router could require 12 separate ACLs • one ACL for each protocol, • times two for each direction, • times two for the number of ports. • 3 protocols X 2 directions X 2 directions = 12 10 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy ACLs perform the following tasks Limit network traffic to increase network performance. –If corporate policy does not allow video traffic, ACLs can block video traffic. Provide traffic flow control. –ACLs can restrict the delivery of routing updates. –If updates are not required because of network conditions, bandwidth is preserved. Provide a basic level of security for network access. –ACLs can allow one host to access a part of the network and prevent others from accessing the same area. Decide which types of traffic to forward or block at the router interfaces. –For example, an ACL can permit e-mail traffic, but block all Telnet traffic. Control which areas a client can access on a network. Screen hosts to permit or deny access to network services. –ACLs can permit or deny a user to access file types, such as FTP or HTTP. ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers. ACL can classify traffic to enable priority processing down the line. 11 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy ACL Operation ACLs are configured either to apply to inbound traffic or to apply to outbound traffic. –Inbound ACLs - An inbound ACL is efficient • it saves the overhead of routing lookups if packet is discarded. • If the packet is permitted by the tests, it is then processed for routing. –Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. ACLs do not act on packets that originate from the router itself. 12 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy ACL Operation - Inbound ACLs ACL statements operate in sequential order. –They evaluate packets against the ACL, from the top down, one statement at a time. If a packet header and an ACL statement match, the rest of the statements in the list are skipped, –and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an statement, the packet is tested against the next statement in the list. –This matching process continues until the end of the list. A final implied (IMPLICIT) statement covers all packets for which conditions did not test true. –This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. –Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic. 13 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy ACL Operation - Outbound ACLs Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. –If the packet is not routable, it is dropped. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, –The packet is sent directly to the outbound interface. If the outbound interface is grouped to an ACL, –the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface. A final implied (IMPLICIT) statement covers all packets for which conditions did not test true. –This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. 14 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy ACL and Routing and ACL Processes on a Router As a frame enters an interface, the router checks the destination Layer 2 address. If the frame is accepted and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list. – If the packet matches a statement, the packet is either accepted or rejected. If the packet is accepted in the interface, it is then checked against routing table entries to determine the destination interface and switched to that interface. Next, the router checks whether the destination interface has an ACL. – If an ACL exists, the packet is tested against the statements in the list. If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device. 15 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy 2 Types of Cisco ACLs: standard and extended Standard ACLs – Standard ACLs allow you to permit or deny traffic from source IP addresses. – The destination of the packet and the ports involved do not matter. – The example allows all traffic from network 192.168.30.0/24 network. • Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Extended ACLs – Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. – In the figure, ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP). 16 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy How a Standard ACL Works A standard ACL is a sequential collection of permit and deny conditions that apply to source IP addresses. – The destination of the packet and the ports involved are not covered. – Because the software stops testing conditions after the first match, the order of the conditions is critical. – If no conditions match, the address is rejected. The two main tasks involved in using ACLs are as follows: – Step 1. Create an access list by specifying an access list number or name and access conditions. – Step 2. Apply the ACL to interfaces or terminal lines. 17 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Example of the order of the conditions is critical. Because the software stops testing conditions after the first match, the order of the conditions is critical. access-list 101 permit IP host 10.1.1.2 host 172.16.1.1 access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 access-list 101 permit udp host 10.1.1.2 host 172.16.1.1 18 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Numbering and Naming ACLs Using numbered ACLs is an effective method for determining the ACL type on smaller networks. –Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols. –This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX. –However, a number does not inform you of the purpose of the ACL. Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL. 19 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Cisco Thai Nguyen Networking Academy Numbering and Naming ACLs When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. –(the number scheme) Access-list 5 permit … Access-list 1 permit … Access-list 5 permit … Access-list 2 permit … Access-list 5 permit … OR Access-list 3 permit … Access-list 5 permit … Access-list 4 permit … Access-list 5 permit … Access-list 5 permit … 5 different groups One group with the number 5 20 ITE 1 Chapter 6 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public