Chapter 12


The following output displays a good example of the many access-list number ranges that you can use to filter traffic on your network. The IOS version determines which protocols you can create access lists for:

Corp(config)#access-list ?
  <___>  IP ___ access list
  <___>  IP extended access list
  <___>  IP standard access list (expanded range)
  <___>  IP extended access list (expanded range)

1-99, 100-199, 1300-1999, 2000-2699

You create a standard IP access list by using the access-list numbers ___ or in the expanded range of ___ because the type of ACL is generally differentiated using a number.

1-99, 1300-1999

We're going to take a look at the commands we have in our arsenal, but first, you need to know that you must use the extended access-list range from ___. The 2000-2699 range is also available for extended IP access lists.

100 to 199

If you used a block size of 16, the wildcard would be ___

15.

Corp(config)#access-list 10 deny host ?

Here's an example of how a /24 subnet is specified with a wildcard mask:

172.16.30.0 0.0.0.255

Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

Remember that instead of the host 172.16.50.5 command when we created the extended access list, we could have entered

172.16.50.5 0.0.0.0. There would be no difference in the result other than the router would change the command to host 172.16.50.5 in the running-config.

Let's say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0. Your network number would be ___, and the wildcard would be ___

172.16.8.0, 0.0.7.255

Let's say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0. To do that, you would go with a block size of

8.

___is essentially a list of conditions that categorize packets, and they really come in handy when you need to exercise control over network traffic.

An access list

Write an access list wildcard command that begins at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.255.

Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255

Write an access list wildcard command that starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.255.

Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255

Write an access list wildcard command that begins at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255.

Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255

Here's a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:

Deny any source addresses from your internal networks, local host addresses (127.0.0.0/8), reserved private addresses, addresses in the IP multicast address range (224.0.0.0/4).

What are extended access lists?

Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.

Here's a list of the many security threats you can mitigate with ACLs:

IP address spoofing, inbound
IP address spoofing, outbound
Denial of service (DoS) TCP SYN attacks, blocking external attacks
DoS TCP SYN attacks, using TCP Intercept
DoS smurf attacks
Denying/filtering ICMP messages, inbound
Denying/filtering ICMP messages, outbound
Denying/filtering traceroute

Lab_A(config)#access-list 10 permit any

It's very important to remember that the any command is the same thing as saying the following using wildcard masking:

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Can you have multiple access lists applied on the same interface in the same direction for the same protocol?

Naw.

Lab_A(config)#access-list 110 permit tcp host 192.168.177.2 host 172.22.89.26 eq 80
Lab_A(config)#access-list 110 deny tcp any host 172.22.89.26 eq 80
Lab_A(config)#access-list 110 permit ip any any

What does this access list say?

Permit 192.168.etc HTTP access to 172.22.etc. But since all other traffic must be allowed, we must detail who cannot HTTP to 172.22.etc, so the second test statement is there to deny anyone else from using HTTP on 172.22.etc. Finally, now that Host B can HTTP to the Finance server and everyone else can't, we'll permit all other traffic with our third test statement.

Command used to display all ACLs and their parameters

Router#show access-list

Command used to display only a specific ACL's parameters

Router#show access-list 110

Command used to display only IP ACLs

Router#show ip access-list

Command used to show which interfaces have ACLs on them

Router#show ip int

Command used to show ACLs and the specific interfaces that have them

Router#show run

I've specified a standard access list, then added the name, BlockSales. I definitely could've used a number for a standard access list, but instead, I chose to use a nice, clear descriptive name. And notice that after entering the name, I hit Enter and the router prompt changed to

Router(config-std-nacl)#

This confirms that I'm now in named access list configuration mode and that I'm entering the named access list.

If you want to filter by Application layer protocol, you have to choose the appropriate layer 4 transport protocol after the permit or deny statement. For example, to filter Telnet or FTP, choose ___ since both Telnet and FTP use ___ at the Transport layer. Selecting IP wouldn't allow you to specify a particular application protocol later and only filter based on source and destination addresses.

TCP

Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

Here are the key factors to understand from this list: You must verify that the protocol field matches the upper-layer process or application, which in this case, is

TCP port 23 (Telnet). The protocol parameter must be TCP since Telnet uses TCP. If it were TFTP instead, then the protocol parameter would have to be UDP because TFTP uses UDP at the Transport layer.

Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

The tcp is the protocol field in the Network layer header. If the list doesn't say tcp here, you cannot filter by ___ as shown in the example.

TCP port numbers 21 and 23

What are named access lists?

Technically there really are only two since named access lists are either standard or extended and not actually a distinct type. I'm just distinguishing them because they're created and referred to differently than standard and extended access lists are, but they're still functionally the same.

___can be global (real) Internet addresses or private addresses, depending on how you configure your firewall, but this is typically where you'll find the HTTP, DNS, email, and other Internet-type corporate servers.

The demilitarized zone (DMZ)

Remember the standard and extended IP access-list number ranges.

The number ranges you can use to configure a standard IP access list are 1-99 and 1300-1999. The number ranges for an extended IP access list are 100-199 and 2000-2699.

What are standard access lists?

These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don't distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.

Try to figure out this next line:

Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.255, and by the way, the Cisco objectives seem to really like this one!

What about this next one?

Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255

This example reveals an access list starting at 172.16.16.0 going up a block size of 8 to 172.16.23.255.

Corp(config)#access-list 10 deny host 172.16.30.5 0.0.0.255

What does the 255 mean?

To specify that an octet can be any value, use the value 255.

Corp(config)#access-list 110 permit ip any any

The IP in this line is important because it will permit the IP stack. If TCP was used instead of IP in this line, then ___, etc. would all be denied.

UDP

What's the difference between an inbound and an outbound access list?

When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won't be routed because they're discarded before the routing process is invoked. When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.

Should You Secure Your VTY Lines on a Router? You're monitoring your network and notice that someone has telnetted into your core router by using the show users command. You use the disconnect command and they're disconnected from the router, but you notice that they're right back in there a few minutes later. You consider putting an ACL on the router interfaces, but you don't want to add latency on each interface since your router is already pushing a lot of packets. At this point, you think about putting an access list on the VTY lines themselves, but not having done this before, you're not sure if this is a safe alternative to putting an ACL on each interface. Would placing an ACL on the VTY lines be a good idea for this network?

Yes—absolutely! And the access-class command covered in this chapter is the way to do it. Why? Because it doesn't use an access list that just sits on an interface looking at every packet, resulting in unnecessary overhead and latency.

Can you remove one line from an access list?

You can't remove one line from an access list. If you try to do this, you will remove the entire list. This is why it's best to copy the access list to a text editor before trying to edit the list.

Can you remove one line from a named access list?

You can't remove one line from an access list. If you try to do this, you will remove the entire list. This is why it's best to copy the access list to a text editor before trying to edit the list. The only exception is when you're using named access lists. You can edit, add, or delete a single line from a named access list.

In Appendix C, "Disabling and Configuring Network Services," I'll show you how to mitigate most security-oriented network threats. Make sure you don't skip this appendix because it is chock full of great security information, and the information it contains is part of the Cisco exam objectives as well!


Applying a standard IP access list won't allow users to get to one network service but not another because

a standard ACL won't allow you to make decisions based on both source and destination addresses.

___give network managers a huge amount of control over traffic flow throughout the enterprise. With access lists, we can gather basic statistics on packet flow and security policies can be implemented. These dynamic tools also enable us to protect sensitive devices from the dangers of unauthorized access.

access lists

You see this a lot—typically, in medium to large enterprise networks—the various strategies for security are based on some mix of internal and perimeter routers plus firewall devices. Internal routers provide additional security by screening traffic to various parts of the protected corporate network, and they achieve this using

access lists.

To get this going for both standard and extended ACLs, just use the ___global configuration command.

access-list access-list-number remark remark

Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

This ACL says that

all IP traffic will be permitted from any host except FTP and Telnet to host 172.16.50.5 from any source.

Trying to stop users from telnetting or trying to SSH to a router is really challenging because

any active interface on a router is fair game for VTY/SSH access.

Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

The any command is the source, which means

any source IP address

Once you create an access list, it's not really going to do anything until you

apply it to an interface.

Wildcards are used with access lists to specify an individual host, a network, or a specific range of a network or networks. The ___you learned about earlier used to specify a range of addresses are key to understanding wildcards.

block sizes

Anytime a new entry is added to the access list, it will be placed at the ___of the list, which is why I highly recommend using a text editor for access lists.

bottom

This means every list should have at least one permit statement or it will

deny all traffic.

Corp(config)#access-list 10 deny host ?
  Hostname or A.B.C.D  Host address
Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to

deny any packets from host 172.16.30.2.

Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

This line says to

deny any source host trying to telnet to destination host 172.16.30.2. Keep in mind that the next line is an implicit deny by default. If you apply this access list to an interface, you might as well just shut the interface down because by default, there's an implicit deny all at the end of every access list.

Place IP standard access lists as close to the ___as possible.

destination

Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

The host is the

destination IP address.

You've got to specify which ___of traffic you want the access list applied to.

direction

Creating an extended IP ACL that limits access to every IP address on the router may sound like a solution, but if you did that, you'd have to apply it inbound on

every interface, which really wouldn't scale well if you happen to have dozens, even hundreds, of interfaces, now would it? And think of all the latency dragging down your network as a result of each and every router checking every packet just in case the packet was trying to access your VTY lines—horrible!

Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.50.5 eq 23
Lab_A(config)#access-list 110 permit ip any any

The access-list 110 tells the router we're creating an ___ IP ACL.

extended

An ___is just what we need to effectively allow users access to a physical LAN while denying them access to specific hosts—even specific services on those hosts!

extended ACL

Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

Here are the key factors to understand from this list: First, you need to verify that the number range is correct for the type of access list you are creating. In this example, it's ___, so the range must be ___

extended, 100-199.

Since extended access lists can filter on very specific addresses and protocols, you don't want your traffic to traverse the entire network just to be denied. By placing this list as close to the source address as possible, you can

filter traffic before it uses up precious bandwidth.

One of the most common and easiest-to-understand uses of access lists is to

filter unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they'll allow only certain hosts to access web resources on the Internet while restricting others.

There is an implicit "deny" at the end of each access list—this means that

if a packet doesn't match the condition on any of the lines in the access list, the packet will be discarded.

Corp(config)#access-list 10 deny host ?
  Hostname or A.B.C.D  Host address
Corp(config)#access-list 10 deny host 172.16.30.2

The default parameter is host. In other words,

if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2 and that's exactly how it will show in your running-config.

But where named ACLs really shine is that they allow us to

insert, delete, or edit a single line.

You can assign only one access list per ___ per ___ per ___.

interface, protocol, direction

Although ACLs can help with a DDoS, you really need an ___and ___to help prevent these common attacks. Cisco sells the Adaptive Security Appliance (ASA), which has IDS/IPS modules, but lots of other companies sell IDS/IPS products too.

intrusion detection system (IDS) and intrusion prevention system (IPS)

Notice that I started by typing ___, not access-list. Doing this allows me to enter a named access list.

ip access-list

Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

Here are the key factors to understand from this list: The test statement permit ip any any is important to have there at the end of the list because

it means to enable all packets other than Telnet packets destined for the LANs connected to Ethernet 1 and Ethernet 2.

The log command is used to

log messages every time the access list entry is hit

To specify a host, the address would look like this:

Corp(config)#access-list 10 deny host 172.16.30.5 0.0.0.0

Whenever a zero is present, it indicates that octet in the address must ___ the corresponding reference octet exactly.

match

To our collective relief, ___allow us to use names for creating and applying either standard or extended access lists.

named access lists

Any access list applied to an interface without access-list test statements present will ___

not filter traffic.

Based on the ___used when the access list is created, the router knows which type of syntax to expect as the list is entered.

number

Access-list statements are basically ___that packets are compared against, categorized by, and acted upon accordingly.

packet filters

A handy way to make managing ACLs easier is to copy the access list to a text editor, edit the list, then

paste the new list back into the router

Unless your access list ends with a ___command, all packets will be discarded if they do not meet any of the list's tests.

permit any

Even though you have the option of placing your remarks either before or after a ___or ___statement, I totally recommend that you choose to position them consistently so you don't get confused about which remark is relevant to a specific permit or deny statement.

permit or deny

Once you've chosen the access-list number, you need to decide whether you're creating a ___or ___statement.

permit or deny

Corp(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

The next step is more detailed because there are three options available in it: 1. The first option, the any parameter, is used to

permit or deny any source host or network.

Second, notice that even though I entered actual numbers for TCP ports in access list 110, the show command gives us the ___rather than TCP ports for serious clarity.

protocol names

The ___keyword is really important because it arms you with the ability to include comments—___—regarding the entries you've made in both your IP standard and extended ACLs. ___are very cool because they efficiently increase your ability to examine and understand your ACLs to superhero level!

remarks

Lab_A#show access-list
Standard IP access list 10
    10 deny   172.16.40.0, wildcard bits 0.0.0.255
    20 permit any
Standard IP access list BlockSales
    10 deny   172.16.40.0, wildcard bits 0.0.0.255
    20 permit any
Extended IP access list 110
    10 deny tcp any host 172.16.30.5 eq ftp
    20 deny tcp any host 172.16.30.5 eq telnet
    30 permit ip any any
    40 permit tcp host 192.168.177.2 host 172.22.89.26 eq www
    50 deny tcp any host 172.22.89.26 eq www

The best part is those numbers on the left side: 10, 20, 30, etc. Those are called ___, and they allow us to edit our named ACL.

sequence numbers

The packet is always compared with each line of the access list in ___order—it will always start with the first line of the access list, move on to line 2, then line 3, and so on.

sequential

By using numbers 1-99 or 1300-1999, you're telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the ___IP address in the test lines.

source

Place IP extended access lists as close to the ___as possible.

source

It's generally a bad idea to allow any external IP packets that contain the ___of any internal hosts into a private network.

source address

Organize your access lists so that the more ___tests are at the top.

specific

Corp(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

The next step is more detailed because there are three options available in it: 3. The last option is to use the host command to

specify a specific host only.

Corp(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

The next step is more detailed because there are three options available in it: 2. The second choice is to use an IP address to

specify either a single host or a range of them.

I'm guessing that named ACLs don't seem all that exciting or different to you, do they? Maybe not in this configuration, except that I don't need to

start every line with access-list 110, which is nice.

Router(config)#access-list 110 deny tcp any 172.16.48.0 0.0.15.255 eq 23
Router(config)#access-list 110 deny tcp any 172.16.192.0 0.0.63.255 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#interface Ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#interface Ethernet 2
Router(config-if)#ip access-group 110 out

Here are the key factors to understand from this list: Verify that the destination port number matches the application you're filtering for. In this case, port 23 matches Telnet, which is correct, but know that you can also type ___ at the end of the line instead of 23.

telnet

When you put the access-class in command on the VTY lines, only packets trying to

telnet into the router will be checked and compared, providing easy-to-configure yet solid security for your router!

Lab_A(config)#access-list 50 permit host 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the ACL stops any host from ___

telnetting into the router except the host 172.16.10.3, regardless of the individual IP address on the router being used as a target.

Employ a standard IP access list to control access to the VTY lines themselves to stop users from

telnetting or trying to SSH to a router.

The packet is compared with lines of the access list only until a match is made. Once it matches the condition on a line of the access list, ___

the packet is acted upon and no further comparisons take place.

Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from

the router.

Employ a standard IP access list to control access to the VTY lines themselves to stop users from telnetting or trying to SSH to a router. Why does this work so well? Because

when you apply an access list to the VTY lines, you don't need to specify the protocol since access to the VTY already implies terminal access via the Telnet or SSH protocols. You also don't need to specify a destination address because it really doesn't matter which interface address the user used as a target for the Telnet session. All you really need control of is where the user is coming from, which is betrayed by their source IP address.

Corp(config)#access-list 10 deny host 172.16.30.2

To specify any range of hosts, you must use ___ in the access list.

wildcard masking

This is the reason we don't really want to use standard access lists in our networks. You can't put a standard access list close to the source host or network because

you can only filter based on source address and all destinations would be affected as a result.
