Wireless Filtering and Firewalling


Outline: The objective of this lab is to demonstrate the principles of creating filtering rules on the wireless access point. At the start of the lab, the access point settings will be reset, so the defaults will be:

  SSID      Type      Channel   Access IP   UserID   Password
  tsunami   Aironet             10.0.0.1    cisco    Cisco

You will be assigned a group named APskills1, APskills2 or APskills3.

Open authentication

1. Set up a network with five nodes which has an SSID of APskills, where the access point has an address of 192.168.1.110. The details are:

  Wireless Access Point SSID:  APskills1 or APskills2 or APskills3
  Wireless Access Point IP:    192.168.1.110
  Authentication:              Open
  WEP key:                     AAAAAAAAAA
  Channel:                     11
  Node 1: 192.168.1.1
  Node 2: 192.168.1.2
  Node 3: 192.168.1.3
  Node 4: 192.168.1.4
  Node 5: 192.168.1.5

Figure 1 shows an example of the configuration on the client, and the following is an example of the configuration on the access point:

  int bvi1
   ip address 192.168.1.110 255.255.255.0
   exit
  interface d0
   channel 11
   station-role root
   encryption key 1 size 40bit aaaaaaaaaa transmit-key
   encryption mode ciphers tkip wep40
   no ssid tsunami
   ssid APskills1
    authentication open
    guest-mode
  end

Can all the nodes connect to the wireless network, and can they ping each other:

Use the command show dot11 assoc on the access point. What is the output:

Author: W. Buchanan

Figure 1: Open authentication setup

MAC address filtering

2. The wireless access point can be used to filter MAC addresses for a source and destination. Its format is:

  access-list [<700-799> | <1100-1199>] [deny | permit] [source mac] [source mask] [dest mac] [dest mask]

For example, to disallow the node with the MAC address of 0090.4b54.d83a access to 0060.b39f.cae1:

  access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
  access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

and it is applied with the following:

  int d0
   l2-filter bridge-group-acl
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 output-pattern 1101
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled

In this case an example of the ARP cache is:

  ap#show arp
  Protocol  Address          Age (min)  Hardware Addr   Type  Interface
  Internet  192.168.1.110    -          000d.65a9.cb1b  ARPA  BVI1
  Internet  192.168.1.101    1          0060.b39f.cae1  ARPA  BVI1
  Internet  192.168.1.103    2          0009.7c85.87f1  ARPA  BVI1
  Internet  192.168.1.115    1          0090.4b54.d83a  ARPA  BVI1
  ap#
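As an added example (it is not part of the lab sheet), the following Python script shows what access-list 1101 above decides for frames between the hosts in the ARP cache: it reads the MAC addresses out of a constructed copy of the show arp output, then applies the list with first-match semantics and the implicit deny that ends every IOS access-list. The H.H.H parsing and the masking rule (a 1 bit in the mask means "ignore this bit", so ffff.ffff.ffff matches any address) are the script's own assumptions about the IOS format.

```python
# Added example, not from the lab sheet: evaluate the lab's MAC access-list 1101
# against frames whose MAC addresses are looked up from a constructed copy of
# the "show arp" output shown above.
import re

# Constructed sample modelled on the ARP cache printed in the lab sheet.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.110    -          000d.65a9.cb1b  ARPA   BVI1
Internet  192.168.1.101    1          0060.b39f.cae1  ARPA   BVI1
Internet  192.168.1.103    2          0009.7c85.87f1  ARPA   BVI1
Internet  192.168.1.115    1          0090.4b54.d83a  ARPA   BVI1
"""

# The two lines of access-list 1101 from the lab sheet.
ACL_1101 = [
    "access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0",
    "access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff",
]


def parse_arp(text):
    """Map IP -> MAC from lines of the form 'Internet <ip> <age> <mac> ARPA <if>'."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+\S+\s+([0-9a-f]{1,4}\.[0-9a-f]{1,4}\.[0-9a-f]{1,4})\s", line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def mac_to_int(dotted):
    """Turn IOS H.H.H notation into a 48-bit integer.

    Assumption: short groups are zero-padded, so '0.0.0' is 0000.0000.0000.
    """
    return int("".join(group.zfill(4) for group in dotted.split(".")), 16)


def parse_mac_acl(lines):
    """Parse 'access-list <n> <deny|permit> <src> <srcmask> <dst> <dstmask>' lines."""
    rules = []
    for line in lines:
        parts = line.split()
        action, src, smask, dst, dmask = parts[2], parts[3], parts[4], parts[5], parts[6]
        rules.append((action == "permit", mac_to_int(src), mac_to_int(smask),
                      mac_to_int(dst), mac_to_int(dmask)))
    return rules


def mac_acl_permits(rules, src_mac, dst_mac):
    """First matching rule wins; no match falls through to the implicit deny.

    A 1 bit in a mask means 'don't care', so only the bits where the mask is 0
    have to agree with the rule's address.
    """
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    for permit, rs, rsm, rd, rdm in rules:
        if (s & ~rsm) == (rs & ~rsm) and (d & ~rdm) == (rd & ~rdm):
            return permit
    return False


def check(src_ip, dst_ip):
    """Look both hosts up in the ARP cache and evaluate access-list 1101 for src -> dst."""
    arp = parse_arp(SHOW_ARP)
    return mac_acl_permits(parse_mac_acl(ACL_1101), arp[src_ip], arp[dst_ip])


if __name__ == "__main__":
    for src, dst in [("192.168.1.115", "192.168.1.101"), ("192.168.1.101", "192.168.1.115")]:
        print(src, "->", dst, "permitted" if check(src, dst) else "denied")
```

Note that the deny line only matches frames in one direction: 192.168.1.115 (0090.4b54.d83a) to 192.168.1.101 is dropped, while the reverse direction still falls through to the permit line, which is why the lab asks you to check whether the other nodes can still reach each other.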

Determine all the MAC addresses on your network:

  IP: 192.168.1.1   MAC address:
  IP: 192.168.1.2   MAC address:
  IP: 192.168.1.3   MAC address:
  IP: 192.168.1.4   MAC address:
  IP: 192.168.1.5   MAC address:

Block the access of one computer to another.

What is the access-list used:

What is the output from the show arp command on the wireless access point:

Is the access blocked, and can the other nodes still access each other:

3. Next remove the access list with:

  no access-list 1101

and now add a new one which blocks access from one computer to two of the hosts on the network.

Is the block successful:

4. Next, remove the access list, and bar a node access to the complete network.

Is the block successful:

IP filtering

5. The access point supports IP-based access-lists. For example, the following blocks a host at 192.168.1.1 access to 192.168.1.110, and is applied to the D0 port (ip access-group Test in applies the list to traffic arriving on the radio interface, that is, traffic sent by the wireless clients):

  ip access-list extended Test
   deny ip host 192.168.1.1 host 192.168.1.110
   permit ip any any
  interface d0
   channel 11
   ip access-group Test in
   station-role root
   encryption key 1 size 40bit aaaaaaaaaa transmit-key
   encryption mode ciphers tkip wep40
   no ssid tsunami
   ssid APskills
    authentication open
    guest-mode
  end

Apply this configuration. Can the 192.168.1.1 node communicate with the wireless access point:

6. Write an access-list which blocks access from 192.168.1.1 to 192.168.1.3, and blocks access from 192.168.1.2 to 192.168.1.4. The rest of the communications should be ALLOWED. REMEMBER, before you start, to remove the old access-list (no access-list extended Test).

Do the blocks work, and can the other nodes still communicate:

7. Write an access-list which allows access from 192.168.1.1 to 192.168.1.3, and allows access from 192.168.1.2 to 192.168.1.4. The rest of the communications should be BLOCKED. REMEMBER, before you start, to remove the old access-list (no access-list extended Test).

Do the allows work, and are the other nodes blocked:

TCP filtering

8. Along with IP filtering, it is possible to filter on the TCP port. For example, the following blocks any source host from reaching any destination on port 80:

  ip access-list extended Test
   deny tcp any any eq 80
   permit ip any any
  interface d0
   channel 11
   ip access-group Test in
   station-role root
   encryption key 1 size 40bit aaaaaaaaaa transmit-key
   encryption mode ciphers tkip wep40
   ssid APskills
    authentication open
    guest-mode
  end

9. Test the above script and make sure that none of the nodes can access the web server on the access point:

Is web access blocked:

10. Modify the access-list so that the node which has an IP address of 192.168.1.2 cannot access the web server on the access point:

Is web access blocked:

11. Using the client and the server program, write an access-list which will block communications between two of the nodes on the network for client-server communications on port 1001:

Is the access blocked:

12. Remove the previous access-list, and determine if the nodes can now connect to each other on port 1001:

Is the access allowed:

ICMP filters

13. It is possible to block ICMP in the filtering, such as blocking a ping from 192.168.1.1 to 192.168.1.110 (a wildcard mask of 0.0.0.0 matches the single address, the same as the host keyword):

  ip access-list extended Test
   deny icmp 192.168.1.1 0.0.0.0 192.168.1.110 0.0.0.0
   permit ip any any

Is it possible to ping the access-point (192.168.1.110) from 192.168.1.1:

Is it possible to ping the access-point (192.168.1.110) from other nodes:

14. Now block ping access from 192.168.1.1 to 192.168.1.2.

Is it possible to ping the access-point (192.168.1.111) from 192.168.1.112:

Is it possible to ping all the other nodes:
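The IP, TCP and ICMP filters in steps 5, 8 and 13 all follow the same three rules: lines are tried top to bottom and the first match decides, a list with no matching line drops the packet (the implicit deny), and a wildcard mask marks the address bits that are ignored. As an added example that is not part of the lab sheet, the Python script below evaluates access-lists written in that syntax against sample packets. It goes a little beyond the lab's own lists with a constructed rule that uses the wildcard 0.0.0.254 to match every even-numbered address, which is the kind of mask the tutorial exercises call for; the parser and its assumptions about the syntax (any, host, address plus wildcard, optional eq port) are the script's own.

```python
# Added example, not from the lab sheet: a small evaluator for the style of
# extended IP access-list used in the lab, showing first-match semantics, the
# implicit deny at the end of every list, and wildcard-mask host selection.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i].

    Returns (address, wildcard, next_index); a 1 bit in the wildcard is ignored.
    """
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse the deny/permit lines of an 'ip access-list extended' block."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended <name>' header
        proto = t[1]
        src, smask, i = _parse_addr(t, 2)
        dst, dmask, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[0] == "permit", proto, src, smask, dst, dmask, port))
    return rules


def _matches(addr, rule_addr, wildcard):
    keep = ~wildcard & ALL_ONES          # bits that must agree with the rule
    return (addr & keep) == (rule_addr & keep)


def acl_permits(rules, proto, src_ip, dst_ip, dport=None):
    """First matching line decides; no match means the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for permit, rproto, rs, rsm, rd, rdm, rport in rules:
        if rproto != "ip" and rproto != proto:   # 'ip' lines match every protocol
            continue
        if not _matches(s, rs, rsm) or not _matches(d, rd, rdm):
            continue
        if rport is not None and rport != dport:
            continue
        return permit
    return False


def permitted(acl_text, proto, src, dst, dport=None):
    return acl_permits(parse_acl(acl_text), proto, src, dst, dport)


# The step 5 list from the lab sheet: one host barred from the AP, the rest allowed.
STEP5 = """
ip access-list extended Test
 deny ip host 192.168.1.1 host 192.168.1.110
 permit ip any any
"""

# The step 8 list: port 80 blocked for everyone, everything else allowed.
STEP8 = """
ip access-list extended Test
 deny tcp any any eq 80
 permit ip any any
"""

# Constructed, not from the lab sheet: wildcard 0.0.0.254 ignores every bit of the
# last octet except the lowest, so 192.168.1.0 0.0.0.254 matches the even addresses.
EVEN_HOSTS_NO_WEB = """
ip access-list extended Test
 deny tcp 192.168.1.0 0.0.0.254 host 192.168.1.110 eq 80
 permit ip any any
"""


if __name__ == "__main__":
    print("step 5, .1 -> AP:", permitted(STEP5, "icmp", "192.168.1.1", "192.168.1.110"))
    print("step 8, .2 -> AP:80:", permitted(STEP8, "tcp", "192.168.1.2", "192.168.1.110", 80))
    print("even rule, .2 -> AP:80:", permitted(EVEN_HOSTS_NO_WEB, "tcp", "192.168.1.2", "192.168.1.110", 80))
```

Because the list is tried top to bottom, swapping the deny and permit lines in any of these examples would make the deny unreachable, and dropping the final permit ip any any would leave only the implicit deny, blocking every node rather than just the one named.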

Tutorial

15. Create a firewall that bars telnet access from 192.168.1.2 to the wireless access point. All other nodes should be able to telnet into the access point.

16. Create a network of wireless clients where the access point has an address of 192.168.1.110, and create a firewall which blocks all the addresses which have even-numbered IP addresses from accessing the web server on the access point, such as:

  192.168.1.2 cannot access the wireless access point web server.
  192.168.1.4 cannot access the wireless access point web server.
  And so on.

Does it work:

17. Create a network of wireless clients where the access point has an address of 192.168.1.110, and create a firewall which blocks all the addresses which have odd-numbered IP addresses from accessing the web server on the access point, such as:

  192.168.1.1 cannot access the wireless access point web server.
  192.168.1.3 cannot access the wireless access point web server.
  And so on.

Does it work:

18. Create a network of wireless clients, which have the addresses: 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.64, and 192.168.1.65. Define a firewall rule that hosts with an IP address above 192.168.1.64 are allowed access to the web server on the access point, but ones below this are barred.

Does it work: