Wireless Filtering and Firewalling

Outline: The objective of this lab is to demonstrate the principles of creating filtering rules on the wireless access point. At the start of the lab, the access point settings will be reset, thus the defaults will be:

  SSID      Type      Channel   Access IP   UserID   Password
  tsunami   Aironet             10.0.0.1    cisco    Cisco

You will be assigned a group named APskills1, APskills2 or APskills3.

Open authentication

1. Set up a network with five nodes which has an SSID of APskills, where the access point has an address of 192.168.1.110. The details are:

  Wireless Access Point SSID: APskills1 or APskills2 or APskills3
  Wireless Access Point IP: 192.168.1.110
  Authentication: Open
  WEP key: AAAAAAAAAA
  Channel: 11
  Node 1: 192.168.1.1
  Node 2: 192.168.1.2
  Node 3: 192.168.1.3
  Node 4: 192.168.1.4
  Node 5: 192.168.1.5

Figure 1 shows an example of the configuration on the client, and the following is an example of the configuration on the access point:

  int bvi1
   ip address 192.168.1.110 255.255.255.0
   exit
  interface d0
   channel 11
   station-role root
   encryption key 1 size 40bit aaaaaaaaaa transmit-key
   encryption mode ciphers tkip wep40
   no ssid tsunami
   ssid APskills1
    authentication open
    guest-mode
  end

Can all the nodes connect to the wireless network, and can they ping each other:
Use the command show dot11 assoc on the access point. What is the output:

Author: W.Buchanan
Figure 1: Open authentication setup

MAC address filtering

2. The wireless access point can be used to filter MAC addresses for a source and destination. The format is:

  access-list [<700-799>|<1100-1199>] [deny|permit] [source mac] [source mask] [dest mac] [dest mask]

The 700-799 range is a standard MAC access-list (source address only); the 1100-1199 range is an extended list which takes both a source and a destination. A mask bit of 1 means "do not care", so a mask of 0.0.0 (0000.0000.0000) requires an exact match, while ffff.ffff.ffff matches any address. For example, to disallow the node with the MAC address of 0090.4b54.d83a access to 0060.b39f.cae1:

  access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
  access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

The second entry is required because an access-list ends with an implicit deny, so without it every other frame would be dropped too. The list is applied with the following:

  int d0
   l2-filter bridge-group-acl
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 output-pattern 1101
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled

In this case an example of the ARP cache is:

  ap#show arp
  Protocol  Address        Age (min)  Hardware Addr   Type  Interface
  Internet  192.168.1.110  -          000d.65a9.cb1b  ARPA  BVI1
  Internet  192.168.1.101  1          0060.b39f.cae1  ARPA  BVI1
  Internet  192.168.1.103  2          0009.7c85.87f1  ARPA  BVI1
  Internet  192.168.1.115  1          0090.4b54.d83a  ARPA  BVI1
  ap#
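The following is an added example and not part of the lab handout: a small Python model of how the extended (1100-1199) MAC access-list above is evaluated, using the two entries from the lab and the hardware addresses from the show arp output. The mask semantics (a 1 bit is ignored), first-match-wins ordering and the implicit deny at the end of the list are the assumptions it encodes.

```python
# Added example (not the lab's own code): a model of how the Aironet
# 1100-1199 extended MAC access-list matches frames. A mask bit of 1 means
# "do not care", so 0000.0000.0000 (written 0.0.0 on the page) is an exact
# match and ffff.ffff.ffff matches any address. The first matching entry
# wins; a list with no matching entry denies the frame (implicit deny).

def mac_to_int(mac: str) -> int:
    """Parse dotted-hex Cisco MAC notation, accepting short groups such as 0.0.0."""
    groups = mac.split(".")
    if len(groups) != 3:
        raise ValueError(f"bad MAC: {mac}")
    return int("".join(g.zfill(4) for g in groups), 16)

def mac_matches(addr: str, value: str, mask: str) -> bool:
    """True when addr equals value on every bit the mask leaves as 0."""
    care = ~mac_to_int(mask) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) ^ mac_to_int(value)) & care == 0

def parse_mac_acl(lines):
    """Turn 'access-list N deny|permit src smask dst dmask' lines into tuples."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 7 or parts[0] != "access-list":
            raise ValueError(f"unparsed line: {line}")
        _, _num, action, src, smask, dst, dmask = parts
        entries.append((action, src, smask, dst, dmask))
    return entries

def mac_acl_decision(entries, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a frame from src to dst (first match wins)."""
    for action, v_src, m_src, v_dst, m_dst in entries:
        if mac_matches(src, v_src, m_src) and mac_matches(dst, v_dst, m_dst):
            return action
    return "deny"  # implicit deny at the end of every Cisco access-list

# The two entries from the lab, exactly as written on the page.
LAB_MAC_ACL = parse_mac_acl([
    "access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0",
    "access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff",
])

if __name__ == "__main__":
    # Addresses taken from the show arp output on the page.
    print(mac_acl_decision(LAB_MAC_ACL, "0090.4b54.d83a", "0060.b39f.cae1"))  # deny
    print(mac_acl_decision(LAB_MAC_ACL, "0060.b39f.cae1", "0090.4b54.d83a"))  # permit: reverse direction
    print(mac_acl_decision(LAB_MAC_ACL, "0009.7c85.87f1", "0060.b39f.cae1"))  # permit
```

Note that the entry only matches one direction: frames from 0060.b39f.cae1 back to 0090.4b54.d83a are still permitted, so a reply is only absent because the request never arrived.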
Determine all the MAC addresses on your network:

  IP: 192.168.1.1   MAC address:
  IP: 192.168.1.2   MAC address:
  IP: 192.168.1.3   MAC address:
  IP: 192.168.1.4   MAC address:
  IP: 192.168.1.5   MAC address:

Block the access of one computer to another.
What is the access-list used:
What is the output from the show arp command on the wireless access point:
Is the access blocked, and can the other nodes still access each other:

3. Next remove the access list with:

  no access-list 1101

and now add a new one which blocks access from one computer to two of the hosts on the network. Is the block successful:

4. Next, remove the access list, and bar a node access to the complete network. Is the block successful:

IP filtering

5. The access point supports IP-based access-lists. For example, the following blocks the host at 192.168.1.1 from accessing 192.168.1.110, and is applied to the traffic arriving on the D0 port:

  ip access-list extended Test
   deny ip host 192.168.1.1 host 192.168.1.110
   permit ip any any
  interface d0
   channel 11
   ip access-group Test in
   station-role root
   encryption key 1 size 40bit aaaaaaaaaa transmit-key
   encryption mode ciphers tkip wep40
   no ssid tsunami
   ssid APskills
    authentication open
    guest-mode
  end

Apply this configuration. Can the 192.168.1.1 node communicate with the wireless access point:

6. Write an access-list which blocks access from 192.168.1.1 to 192.168.1.3, and blocks access from 192.168.1.2 to 192.168.1.4. The rest of the communications should be ALLOWED. REMEMBER, before you start, to remove the old access-list (no ip access-list extended Test). Do the blocks work, and can the other nodes still communicate:

7. Write an access-list which allows access from 192.168.1.1 to 192.168.1.3, and allows access from 192.168.1.2 to 192.168.1.4. The rest of the communications should be BLOCKED. REMEMBER, before you start, to remove the old access-list (no ip access-list extended Test). Bear in mind that an access-list ends with an implicit deny, so anything not explicitly permitted, including traffic to the access point itself, will be dropped. Do the allows work, and are the other nodes blocked:

TCP filtering

8. Along with IP filtering, it is possible to filter on the TCP port. For example, the following blocks any source host from reaching any destination on port 80:

  ip access-list extended Test
   deny tcp any any eq 80
   permit ip any any
  interface d0
   channel 11
   ip access-group Test in
   station-role root
   encryption key 1 size 40bit aaaaaaaaaa transmit-key
   encryption mode ciphers tkip wep40
   ssid APskills
    authentication open
    guest-mode
  end
9. Test the above script and make sure that none of the nodes can access the web server on the access point. Is web access blocked:

10. Modify the access-list so that only the node which has an IP address of 192.168.1.2 cannot access the web server on the access point. Is web access blocked:

11. Using the client and the server program, write an access-list which will block communications between two of the nodes on the network for client-server communications on port 1001. Is the access blocked:

12. Remove the previous access-list, and determine if the nodes can now connect to each other on port 1001. Is the access allowed:

ICMP filters

13. It is possible to block ICMP in the filtering, such as blocking a ping from 192.168.1.1 to 192.168.1.110:

  ip access-list extended Test
   deny icmp 192.168.1.1 0.0.0.0 192.168.1.110 0.0.0.0
   permit ip any any

Is it possible to ping the access-point (192.168.1.110) from 192.168.1.1:
Is it possible to ping the access-point (192.168.1.110) from other nodes:

14. Now block ping access from 192.168.1.1 to 192.168.1.2.
Is it possible to ping the access-point (192.168.1.111) from 192.168.1.112:
Is it possible to ping all the other nodes:
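As an added example, not code from the lab, the following Python models how the extended IP access-lists of steps 5, 8 and 13 are evaluated: entries tried in order with the first match winning, the host/any/wildcard address forms, the eq port test, and the implicit deny at the end. It takes the step 13 source host to be 192.168.1.1, the host the text names, and the wildcard-mask match it implements is also the mechanism the later tutorial questions rely on.

```python
# Added example (not the lab's own code): a model of how the extended IP
# access-lists on this page (steps 5, 8 and 13) are evaluated. Entries are
# tried in order, the first match wins, and a packet matching no entry is
# dropped by Cisco's implicit "deny ip any any" at the end of the list.
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr_spec(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (value, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def parse_extended_acl(lines):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' into rule tuples."""
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[0], t[1]
        src, smask, i = _addr_spec(t, 2)
        dst, dmask, i = _addr_spec(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((action, proto, src, smask, dst, dmask, port))
    return rules

def _in(addr, value, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means that bit is ignored."""
    return (_ip(addr) ^ value) & ~wildcard & 0xFFFFFFFF == 0

def acl_decision(rules, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for one packet; proto is 'tcp', 'udp' or 'icmp'."""
    for action, r_proto, s, sm, d, dm, port in rules:
        if r_proto != "ip" and r_proto != proto:
            continue  # an 'ip' entry covers every protocol
        if port is not None and port != dport:
            continue  # 'eq <port>' compares the destination port
        if _in(src, s, sm) and _in(dst, d, dm):
            return action
    return "deny"  # implicit deny

# The three access-lists from the page (step 13 with the source the text names, 192.168.1.1).
STEP5 = parse_extended_acl(["deny ip host 192.168.1.1 host 192.168.1.110", "permit ip any any"])
STEP8 = parse_extended_acl(["deny tcp any any eq 80", "permit ip any any"])
STEP13 = parse_extended_acl(["deny icmp 192.168.1.1 0.0.0.0 192.168.1.110 0.0.0.0", "permit ip any any"])
```

Because the lists are applied with ip access-group Test in on d0, only packets arriving from the wireless clients are checked, so the step 8 entry deny tcp any any eq 80 stops the clients reaching any web server, not only the one on the access point.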
Tutorial

15. Create a firewall that bars telnet access from 192.168.1.2 to the wireless access point. All other nodes should be able to telnet into the access point.

16. Create a network of wireless clients where the access point has an address of 192.168.1.110, and create a firewall which blocks all the clients which have even-numbered IP addresses from accessing the web server on the access point, such as:
  192.168.1.2 cannot access the wireless access point web server.
  192.168.1.4 cannot access the wireless access point web server.
  And so on.
Does it work:

17. Create a network of wireless clients where the access point has an address of 192.168.1.110, and create a firewall which blocks all the clients which have odd-numbered IP addresses from accessing the web server on the access point, such as:
  192.168.1.1 cannot access the wireless access point web server.
  192.168.1.3 cannot access the wireless access point web server.
  And so on.
Does it work:

18. Create a network of wireless clients which have the addresses 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.64 and 192.168.1.65. Define a firewall rule so that hosts with an IP address above 192.168.1.64 are allowed access to the web server on the access point, but ones below this are barred. Does it work: