Access Control Lists (Beyond Standard and Extended)

Transcription

1 Access Control Lists (Beyond Standard and Extended)

2 Course Prerequisites and Assumptions» Prerequisite = CCNA ACL Videos» ACLs are used as a classification tool by many different features this course will concentrate on using ACLs purely for packet filtering.

3 Agenda» Using L4/ L5 Extensions in Access-Lists» Reflexive Access-Lists» Dynamic Access-Lists» Using Object-Groups with ACLs» Time-Based Access-Lists» Access-List Logging Options

4 Review Quiz #1» Shown below are some examples of the first few IOS commands to configure various access-lists.» Which of these, if completed, will only allow matching on the source IP address of a packet? A B C D E access-list 85 permit.. access-list 100 permit.. access-list 156 permit.. access-list 1450 permit.. access-list 2420 permit..

5 Review Quiz #2» Given the following access-list and topology, which of the statements are true? access-list 1 permit interface FastEthernet0/0 ip access-group 1 in A B C D E None of these PCs will be able to reach the server. All of these PCs will be able to reach the server. Only PC-A and PC-C will be able to reach the server. Only PC-A and PC-B will be able to reach the server. Only PC-B will be able to reach the server.

6 Review Quiz #3» The three IP addreses below share some common bits. Create a named, standard access-list called, INE that contains only a single ACE which will permit any packet from these source addresses and any other addresses matching only these common bits:

7 Using L4/ L5 extensions in ACLs

8 Accessing Layer-4/ 5 ACL Options» Extended ACLs provide ability to match on Layer-4 and/ or Layer-5 information.» Must supply TCP or UDP keywords as top-level protocol. Only L3 options are available. L3-L5 options are available.

9 Matching on TCP/ UDP Port Numbers» Session-Layer Port Numbers may be matched in a variety of ways: eq 23 (matching on an exact port number that equals the supplied value) lt 1000 (matching on any value less than the supplied value). gt 500 (matching on any value greater than the supplied value). neq 20 (matching on any value not equal to the supplied value). range (matching on any value in the supplied range of values).

10 How would you do this?» Network Engineers within the Corporate Intranet should be able to open TCP sessions to devices within the Testing Lab.» Deny any devices from within lab from initiating outbound TCP sessions to the Corporate Intranet x.x /16 Corporate Intranet A Fast0/ /30 Testing Lab

11 How would you do this?» When TCP segments are received on Fast0/ 0 as a response from sessions initiated from within the Corporate Intranet, what will they all have in common? TCP Flags=Sync TCP Flags=Sync+ACK TCP Flags=ACK All Subsequent Permitted Traffic TCP Flags=ACK x.x /16 TCP Flags=Reset Corporate Intranet A Fast0/ /30 Testing Lab

12 Solution #1 RouterA(config)#access-list 101 permit tcp any any ack RouterA(config)#access-list 101 permit tcp any any rst RouterA(config)#interface FastEthernet0/0 RouterA(config)#ip access-group 101 in x.x /16 All Permitted Traffic TCP Flags=ACK TCP Flags=Reset Corporate Intranet A Fast0/ /30 Testing Lab

13 Solution #2 RouterA(config)#access-list 101 permit tcp any any est ablished RouterA(config)#interface FastEthernet0/0 RouterA(config)#ip access-group 101 in x.x /16 All Permitted Traffic TCP Flags=ACK TCP Flags=Reset Corporate Intranet A Fast0/ /30 Testing Lab

14 Reflexive Access-Lists (IP Session Filtering)

15 How would you do this?» Network Engineers within the Corporate Intranet should be able to transmit any type of data to devices within the Te st ing Lab.» If the Testing Lab is compromised, deny any devices from within lab from initiating outbound sessions to the x.x /16 Corporate Intranet. Corporate Intranet A Fast0/ /30 Testing Lab

16 The Solution Reflexive Access Lists» Reflexive ACLs monitor for permitted, outgoing data of any type.» Reflexive ACLs create a mirror-image of transmitted traffic which will be permitted upon return.» Reflexive entries expire after configurable 4 timeout value. 2 ICMP Echo-Response from to (IP Protocol = 1) Permit from to (IP Protocol = 1) ICMP Echo-Request from to (IP Protocol = 1) Corporate Intranet A Fast0/ / /30 Testing Lab

17 Reflexive ACL Configuration (1)» Create a Named, Extended ACL for monitoring egress traffic from trusted sources. Can be any name. RouterA(config)#ip access-list extended EGRESS RouterA(config-ext-nacl)#permit ip any any reflect Mirror x.x /16 Corporate Intranet A Fast0/ /30 Testing Lab

18 Reflexive ACL Configuration (2)» Create a Named, Extended ACL for monitoring ingress traffic from untrusted sources. RouterA(config)#ip access-list extended INGRESS RouterA(config-ext-nacl)#evaluate Mirror Can be any name. Name must match the name previously supplied after reflect keyword x.x /16 Corporate Intranet A Fast0/ /30 Testing Lab

19 Reflexive ACL Configuration (3)» Apply both ACLs to interface facing untrusted networks. RouterA(config)#ip access-list extended EGRESS RouterA(config-ext-nacl)#permit ip any any reflect Mirror RouterA(config)#ip access-list extended INGRESS RouterA(config-ext-nacl)#evaluate Mirror RouterA(config)#interface FastEthernet0/0 RouterA(config-if)#ip access-group EGRESS out RouterA(config-if)#ip access-group INGRESS in x.x /16 Corporate Intranet A Fast0/ /30 Testing Lab

20 Reflexive ACL Timeout Values» Reflexive ACLs have timeout values. A. Graceful TCP Close (2-segments seen with FIN flags): Timeout=5-secs B. TCP Reset: Timeout = immediate C. TCP packets no longer seen? Timeout = 300-seconds D. UDP, ICMP and all others? Timeout = 300-seconds after last packet seen.» Changing the timeout value. Values for A and B above cannot be changed. Values for C and D above can be changed per ACE or globally.

21 Configuring Timeout Values» Modifying Global Reflexive ACL Timeout value.» Modifying Reflexive Timeout within ACE entries.

22 Monitoring Reflexive ACLs» Before the dynamic entry is created by the reflexive ACL:» After the Reflexive ACL entry is created:

23 Dynamic Access Lists Lock and Key

24 The Objective» You ve hired a contractor for the next 3-months to work on Project-X.» This project requires that the contractor be allowed access to certain devices/subnets but not others.» Access should be denied after 5-minutes of inactivity, or an absolute timeout of 15-minutes. Internet Project-X Temporary Contractor A Fast0/0 Corporate Intranet

25 Solution #1» Every authentication request offloaded to a central authentication database.» Might require manual configuration of each device. Internet Project-X Temporary Contractor A Fast0/0 Authentication Server

26 Solution #2 Dynamic ACLs 1. User must first telnet to router. 2. After successful authentication, Telnet session closed and dynamic ACL created on interface. 3. Dynamic ACL removed from interface after configurable, absolute-timeout (or idle-timeout) value. 2 I ll allow that user to access those resources for 5-minutes! 3 15-minutes are up! User is no longer allowed! 1

27 Dynamic ACL Configuration (1) username bob password 0 projx username bob autocommand access-enable timeout 5 Line vty 0 4 Or autocommand access-enable timeout 5

28 Dynamic ACL Configuration (2) access-list 101 dynamic Project timeout 15 permit ip any access-list 101 permit tcp any host eq telnet! line vty 0 4 login local Named ACLs can also be used.

29 Dynamic ACL Configuration (3) interface FastEthernet0/0 ip address ip access-group 101 in! interface FastEthernet0/1 ip address !

30 Monitoring Dynamic ACLs» Before the Dynamic ACL is applied» After successful authentication

31 Clearing Dynamic ACL Entries» If you ever need to manually delete a Dynamic ACL entry:

32 Extending Dynamic ACL Entries» IOS command allows users to extend the life of their Dynamic ACE by an additional 6-minutes;

33 Dynamic ACL Rules» Cannot be used to provide different access rights to different users.» Dynamic ACLs may use either an idle-timeout or absolute-timeout value.» autocommand access-enable may be configured either; At the username level Within the VTY line

34 Object Groups in IOS

35 Object Groups» Originally designed for Cisco ASA Firewalls» Command Syntax slightly different on IOS Routers than ASA Firewalls» Object Groups simplify ACL management by grouping similar objects together. E.g. Public_Web_Servers Group» Allows for more modular changes A change to an Object Group dynamically affects all ACE s referencing that group. <output ommitted>

36 Types of Object Groups in Routers» Cisco routers provide two types of Object Groups: Network Group: For defining IP Address-related objects Service Group: For defining Protocols and Ports

37 Simplification with Object Groups (1)» From this OK!! x.x.x.x OK!! NO!!

38 Simplification with Object Groups (2)» To this OK!! x.x.x.x OK!! NO!!

39 Time-Based Access-Lists

40 The Objective» Employees should NOT be allowed to surf the Internet during work hours. Internet A Fast0/0 2.2.x.x /16 Corporate Intranet

41 The Solution: Time-Based ACLs» Time-Based ACLs activate ACEs during times you define.» Times defined within a global Time-range» May be periodic or absolute. Internet A Fast0/0 2.2.x.x /16 Corporate Intranet

42 Time-Based ACL Configuration (1)» Ensure your router/ switch has an accurate clock:» Create a global time-range:

43 Time-Based ACL Configuration (2)» Decide on either absolute or periodic

44 Time-Based ACL Configuration (3)» Complete the command by defining the time interval (s)» Apply the time-range to your ACL

45 Monitoring Time-Based ACLs

46 Access-List Logging

47 Logging» ACE entries can be appended with Logging-related keywords Access-l i st x.l og Access-l i st x..l og-input» Logging allows for Syslogs to be displayed providing hitcounts and evidence of ACL activity.» Logging forces packets matching ACE entries to be process-switched = increased CPU load.

48 Log and Log-Input Access-list 101 permit icmp any host log Access-list 101 permit icmp any host log-input Access-list 101 xxxxxxxxxxx log-input Server Optional cookie

49 How often is logging displayed? (1)» Individual ACEs can have the log or log-input keywords.» When an ACL is applied to an interface, syslogs are generated: Once every 5-minutes for packets matching a particular ACE. If any log-enabled ACE in any ACL on any interface matches a packet within one second of the initial log message, the match or matches are counted for five minutes and then reported.

50 How often is logging displayed? (2) 5-minutes Syslog for ACE#1 Syslog for ACE#2 Syslog for ACE#3 ACE#1 match #4 ACE#1 match #3 ACE#1 match #2 1-second ACE#3 match ACE#2 match Initial ACE#1 match Syslog for ACE#1

51 Decreasing the Log Interval» If you want logs for ACEs to be displayed MORE frequently than every 5-minutes it can be done.» Use caution this INCREASES the CPU load.

52 Save my CPU!!!» Even though logs for individual ACEs are only displayed every 5-minutes EVERY packet that matches the ACE must be process-switched.» This can result in heavy CPU load» How to reduce this?

53 Filtering on log output (1)» ACL syslogs have different identifiers depending on type of traffic that triggered the log.

54 Filtering on log output (2)» When sending ACL Syslogs to logging buffer, one can filter on these identifiers.

55 Filtering on log output (3)» From this (yuck!!)

56 Filtering on log output (3)» To this (YAY!!)

57 Q&A Copyright INE Inc. All rights reserved.