7 Filtering and Firewalling

Transcription

1 7 Filtering and Firewalling 7.1 Introduction Security is becoming a major concern in IT, and A major concern in networking and the Internet, and wireless systems are probably more open to abuse than any other networking system. Thus they must be designed and implemented carefully in order that security is not comprised, and that valuable bandwidth is not wasted. With the Aironet, the traffic can be filtered in a number of ways: MAC addresses. The Aironet can filter based on incoming and outgoing MAC addresses in the data frame. Source IP address. The address that the data packet was sent from. Destination IP address. The address that the data packet is destined for. Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23), and WWW (port 80). Destination TCP port. The port that the data segment is destined for. Protocol type. This filters for UDP or TCP traffic. On Cisco devices, access control lists (ACLs) are typically used to filter traffic. 7.2 MAC filters The wireless access point can be used to filter MAC addresses for a source and destination. Its format is: access-list [< > < >] [deny permit] [source ac] [source mask] [dest mac] [dest mask] For example to disallow the node with the mac address of b54.d83a access to 0060.b39f.cae1: (config)# access-list 1101 deny b54.d83a b39f.cae (config)# access-list 1101 permit ffff.ffff.ffff ffff.ffff.ffff where the element identifies that the MAC address should match the address exactly, while the ffff.ffff.ffff defines that any address can be apply. The permit at the end is important as the device will process the access list rules one at a time, and if it does not match any of the rules, it will drop the data frame. The access list is applied to the radio port with: (config)# int d0 (config-if)# l2-filter bridge-group-acl (config-if)# bridge-group input-address-list 1101 where: Unit 7: Filtering and firewalling 1

2 - l2 filter bridge group acl. Defines that a Layer 2 access control list (ACL) filter is applied to incoming and outgoing data frames. - bridge group input address list This applies the access list to an interface (in this case, access list number 1101). An alternative is to use: (config-if)# bridge-group 1 output-pattern 1101 In this case an example of the ARP cache is: ap#show arp Protocol Address Age (min) Hardware Addr Type Interface Internet d.65a9.cb1b ARPA BVI1 Internet b39f.cae1 ARPA BVI1 Internet c85.87f1 ARPA BVI1 Internet b54.d83a ARPA BVI1 ap# 7.3 Standard ACLs Standard ACLs filter for a source IP address, and are grouped with an access list number (as this allows one or more condition to be grouped into a single condition, which can then be applied to one or more ports). The format of the command is: (config)# access-list access-list-value {permit deny} source source-mask where the source is the source address, and source-mask defines the bits which are checked. For example is we had a network address of with a subnet mask of We could bar all the traffic from the host from gaining access to the external network with: (config)# access-list 1 deny where the part defines that all the parts of the address are checked. The source mask is know as the wild card mask, where a 0 identifies that the corresponding bit in the address field should be check, and a 1 defines that it should be ignored. Thus if we wanted to bar all the hosts on the subnet then we could use: (config)# access-list 1 deny Finally we must allow all other traffic with: (config)# access-list 1 deny (config)# access-list 1 permit any Once the access list is created it can then be applied to a number of ports with the command, such as: (config)# interface D0 (config-if)# ip address (config-if)# ip access-group 1 in 2 Wireless LANs - W.Buchanan

3 which will bar all the access from the subnet from the D0 port on incoming traffic (Figure 7.1). E0 D Traffic from any address rather than can pass Match this part Router# access-list 1 deny Router# access-list 1 permit any Ignore this part Router (config)# interface D0 Router (config-if)# ip address Router (config-if)# ip access-group 1 in Figure 7.1: Standard ACL example ACLs should be placed in the optimal place, so that they reduce the amount of unwanted traffic on the network/internet. As a standard ACL cannot determine the destination address, it should be places as near as the destination that is barred, as possible. If it was placed at the source it would block other traffic, which is not barred (Figure 7.2) E0 interface E0 ip address ip access-group 1 in access-list 1 deny access-list 1 permit any Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic Figure 7.2: Placing a standard ACL Unit 7: Filtering and firewalling 3

4 7.3.1 Named standard ACL An improved method of generating a standard ACL is to use a named ACL. The format is: (config)#ip access-list standard? <1-99> Standard IP access-list number < > Standard IP access-list number (expanded range) WORD Access-list name where WORD is the name of the access list is be defined. For example: (config)#ip access-list standard Test (config-std-nacl)#? Standard Access List configuration commands: deny Specify packets to reject exit Exit from access-list configuration mode no Negate a command or set its defaults permit Specify packets to forward and to define a standard access list: (config-std-nacl)#deny (config-std-nacl)#permit? Hostname or A.B.C.D Address to match any Any source host host A single host address (config-std-nacl)#permit? Hostname or A.B.C.D Address to match any Any source host host A single host address (config-std-nacl)#permit any? log Log matches against this entry <cr> (config-std-nacl)#permit any It can then be applied with: (config)#int e0 (config-if)#ip access-group? <1-199> IP access list (standard or extended) < > IP expanded access list (standard or extended) WORD Access-list name (config-if)#ip access-group Test? in inbound packets out outbound packets (config-if)#ip access-group Test in which applies the named standard ACL on the incoming port of E0. 4 Wireless LANs - W.Buchanan

5 7.4 Extended ACLs Extended ACLs are a natural extension to ACLs, and allow source and destination address to be specified. Standard ACLs uses the access list values from 0 to 99, whereas extended ACLs use the values above 100. The format of the command is: # access-list access-list-value {permit deny} {test-conditions} For example: (config)# access-list 100 deny ip host (config)# access-list 100 permit ip any any This creates an access list group with a value of 100. The first line has the syntax which defines that the source host of is not allowed to access the destination of , and the last part ( ) defines that the firewall should match all of the bits in the destination address. Thus, in this case, the host with an IP address of is not allowed to access the remote computer of It can access any other computer thought, as the second line allows all other accesses. We can expand this to be able to check a whole range of bits in the address. This is achieved by defining a wild card mask. With this we use 0 s in the positions of the address that we want to match, and 1 s in the parts which are not checked. Thus if we wanted to bar all the hosts on the subnet from accessing the subnet we would use the following (Figure 7.3): (config)# access-list 100 deny ip (config)# access-list 100 permit ip any any Thus an address from to 54 will not be able to access any address from network. If we have a Class B address with a subnet in the third field (such as ) and we define that we shall allow all odd IP addresses to pass though to a given destination (such as ), and bar all even IP addresses we could implement the following: (config)# access-list 100 deny ip host (config)# access-list 100 permit ip any any This will allow any host with an odd number (such as 1, 3, 5, and so on), to access the host, but as we check the least significant bit of the address (with the wildcard mask of ) and if it is a 0 then the condition passes, and we will deny traffic from the even numbered hosts to We can also bar access to complete parts of destination addresses. For example, if we wanted to bar all odd addresses from access the subnet: (config)# access-list 100 deny ip (config)# access-list 100 permit ip any any Unit 7: Filtering and firewalling 5

6 Once the access list is created it can then be applied to a number of ports with the command, such as: Router (config)# interface D0 Router (config-if)# ip address Router (config-if)# ip access-group 100 in which allows the access list of a value of 100 to port D0 on incoming traffic (that is, traffic which is coming into this router port). E0 D from to (config)#access-list 100 deny ip host (config)#access-list 100 permit ip any any Denies traffic from to the network (config)#access-list 100 deny ip (config)#access-list 100 permit ip any any Denies traffic from any host on to the network Figure 7.3: Extended ACL example The firewall can also filter on TCP/UDP ports, and is defined with the TCP or UDP It has a similar syntax. (config)# access-list access-list-value { permit deny } {tcp udp igrp} source source-mask destination destination-mask {eq neq lt gt} port For example: access-list 101 deny tcp eq telnet host eq telnet access-list 101 permit ip any any Denies telnet traffic from even addresses from the subnet to the host, with is also destined for the telnet port (port 23). As previously defined, ACLs should be placed in the optimal place, so that they reduce the amount of unwanted traffic on the network/internet. As an extended ACL allows us to check the source and the destination, the extended ACL should be placed as near as possible to the source of the traffic (Figure 7.4). 6 Wireless LANs - W.Buchanan

7 Traffic blocked to the barred site All other traffic can flow interface D0 ip address ip access-group 100 in access-list 100 deny ip access-list 100 permit ip any any Extended ACLs are applied as near to the source as possible, as they are more targeted Named extended ACL Figure 7.4: Placing an extended ACL An improved method of generating a standard ACL is to use a named ACL. The format is: (config)#ip access-list extended? < > Extended IP access-list number < > Extended IP access-list number (expanded range) WORD Access-list name where WORD is the name of the access list is be defined. For example: (config)#ip access-list standard Test1 (config-std-nacl)#? Standard Access List configuration commands: deny Specify packets to reject exit Exit from access-list configuration mode no Negate a command or set its defaults permit Specify packets to forward and to define a standard access list: (config)#ip access-list extended Test1 (config-ext-nacl)#? Ext Access List configuration commands: default Set a command to its defaults deny Specify packets to reject dynamic Specify a DYNAMIC list of PERMITs or DENYs evaluate Evaluate an access list exit Exit from access-list configuration mode Unit 7: Filtering and firewalling 7

8 no permit remark Negate a command or set its defaults Specify packets to forward Access list entry comment (config-ext-nacl)#deny? <0-255> An IP protocol number ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol igrp Cisco's IGRP routing protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol pim Protocol Independent Multicast tcp Transmission Control Protocol udp User Datagram Protocol (config-ext-nacl)#deny tcp? A.B.C.D Source address any Any source host host A single source host (config-ext-nacl)#deny tcp ? A.B.C.D Source wildcard bits (config-ext-nacl)#deny tcp ? A.B.C.D Destination address any Any destination host eq Match only packets on a given port number gt Match only packets with a greater port number host A single destination host lt Match only packets with a lower port number neq Match only packets not on a given port number range Match only packets in the range of port numbers (config-ext-nacl)#deny tcp It can then be applied with: (config)#int e0 (config-if)#ip access-group? <1-199> IP access list (standard or extended) < > IP expanded access list (standard or extended) WORD Access-list name (config-if)#ip access-group Test? 8 Wireless LANs - W.Buchanan

9 in inbound packets out outbound packets (config-if)#ip access-group Test in which applies the named standard ACL on the incoming port of E ICMP filters A major security weakness in many networks is the usage of network discovery tools from outside the network, which allows intruders methods to discover the nodes within a network. Thus ping and traceroute functionality is often blocked for outside access. For this an ACL can be created which blocks ICMP access. An example of blocking a ping from to : ip access-list extended Test deny icmp permit ip any any 7.6 ACL examples Figure 7.5 shows an example router running configuration. It can be seen that the Dot11Radio0 port has the access list for 104 applied to its input port (ip access-group 104 in). This denies all the even IP address on the subnet ( with a wild card of ) access to the telnet port on (host eq telnet). It is thus barring all the nodes on its own subnet from accessing the server, as traffic from the nodes enters this port (the in direction). The Ethernet0 port has the 102 access list applied to it, on the input to the port. This denies WWW access for IP addresses from (deny tcp eq www): xxx xxxb as the wildcard mask is: b and the address to check against is: which is: b Thus if we compare the two: Unit 7: Filtering and firewalling 9

10 Address b b b b Wild card b b b b Resulting range ( b) to 191 ( b) The range of barred address will thus be from to These will be barred WWW access on the subnet (from to using eq www) Line no Access point configuration version 12.0 service timestamps debug uptime service timestamps log uptime no service password-encryption hostname AP enable secret 5 $1$op7P$LCHOURx5hc4Mns741ORvl/ ip subnet-zero interface BVI1 ip address interface Dot11Radio0 ip access-group 104 in channel 11 station-role root ssid APskills authentication open guest-mode interface Etherent0 ip access-group 102 in access-list 100 deny ip host host access-list 100 permit ip any any access-list 101 deny tcp host eq www access-list 101 permit ip any any access-list 102 deny tcp eq www access-list 102 permit ip any any access-list 103 deny ip access-list 103 permit ip any any access-list 104 deny tcp host eq telnet access-list 104 permit ip any any line con 0 transport input none line aux 0 line vty 0 4 Figure 7.5: Access point configuration program 7.7 Open and closed firewalls Typically, firewalls can be defined as an open or closed firewall. An open firewall will generally allow most traffic through, but bar certain addresses or ports (Figure 7.6). The typical style will be to deny traffic, and then permit everything else, such as: 10 Wireless LANs - W.Buchanan

11 access-list 100 deny ip host host access-list 100 permit ip any any Whereas a closed firewall will restrict traffic, and only allow certain network addresses and/or ports, such as: access-list 100 permit ip host host access-list 100 deny ip any any access-list 101 permit. access-list 101 deny ip any any E0 D A closed firewall, permits some things, and denies everything else access-list 101 deny. access-list 101 permit ip any any E0 D An open firewall, denies some things, and permits everything else Figure 7.6: Open and closed firewalls 7.8 Tutorial For a network which has an access point at and five wireless clients from to , with an SSID of APskills, complete the following: Create a firewall that blocks ping access to all other nodes on the network. Test it, and then restore ping access Create a firewall that bars TELNET access from to the wireless access point. All other nodes should be able to telnet into the access point. Next do the opposite where only the node is allowed to TELNET into the access point, and the rest are not. Unit 7: Filtering and firewalling 11

12 6.8.3 Create a firewall that bars SNMP access from all the nodes on the network to the wireless access point. All other nodes should be able to telnet into the access point Enable the small servers on the wireless access point, and access the time server port (port 7), and prove that it works from each of the clients. Implement a firewall on the wireless access point to bar time server access from to the access point. Make sure that all the other nodes can still access the port Create a firewall which blocks all the address which have even numbered IP addresses access to the web server on the access point, such as: cannot access the wireless access point web server cannot access the wireless access point web server. And so on Create a network of wireless clients where the access point has an address of , and create a firewall which blocks all the address which have odd numbered IP addresses access to the web server on the access point, such as: cannot access the wireless access point web server cannot access the wireless access point web server. And so on Create a network of wireless clients, which have the address: , , , , and Define a firewall rule that hosts with an IP address above are allowed access to the web server on the access point, but ones below this are barred. For a network which has an access point at and five wireless clients from to , with an SSID of APskills, complete the following: Create a firewall rule which allows hosts with address from to access to the Web server on the access point, and bars the rest of the nodes Create a firewall rule which allows hosts with address from to access to the Web server on the access point, and bars the rest of the nodes. 12 Wireless LANs - W.Buchanan