Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett



Todd Lammle CCNA Routing and Switching


Standard access lists These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.

Extended access lists Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.



Named access lists Hey, wait a minute—I said there were only two types of access lists but listed three! Well, technically there really are only two since named access lists are either standard or extended and not actually a distinct type. I’m just distinguishing them because they’re created and referred to differently than standard and extended access lists are, but they’re still functionally the same.

We’ll cover these types of access lists in more depth later in the chapter.

Once you create an access list, it’s not really going to do anything until you apply it. Yes, they’re there on the router, but they’re inactive until you tell that router what to do with them. To use an access list as a packet filter, you need to apply it to an interface on the router where you want the traffic filtered. And you’ve got to specify which direction of traffic you want the access list applied to. There’s a good reason for this—you may want different controls in place for traffic leaving your enterprise destined for the Internet than you’d want for traffic coming into your enterprise from the Internet. So, by specifying the direction of traffic, you can and must use different access lists for inbound and outbound traffic on a single interface:

Inbound access lists When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked.

Outbound access lists When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.

There are some general access-list guidelines that you should keep in mind when creating and implementing access lists on a router:

You can assign only one access list per interface per protocol per direction. This means that when applying IP access lists, you can have only one inbound access list and one outbound access list per interface.

When you consider the implications of the implicit deny at the end of any access list, it makes sense that you can’t have multiple access lists applied on the same interface in the same direction for the same protocol. That’s because any packets that don’t match some condition in the first access list would be denied and there wouldn’t be any packets left over to compare against a second access list!

Organize your access lists so that the more specific tests are at the top. Anytime a new entry is added to the access list, it will be placed at the bottom of the list, which is why I highly recommend using a text editor for access lists.

You can’t remove one line from an access list. If you try to do this, you will remove the entire list. This is why it’s best to copy the access list to a text editor before trying to edit the list. The only exception is when you’re using named access lists.

You can edit, add, or delete a single line from a named access list. I’ll show you how shortly.

Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list’s tests. This means every list should have at least one permit statement or it will deny all traffic.

Create access lists and then apply them to an interface. Any access list applied to an interface without access-list test statements present will not filter traffic.

Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router.

Place IP standard access lists as close to the destination as possible. This is the reason we don’t really want to use standard access lists in our networks. You can’t put a standard access list close to the source host or network because you can only filter based on source address and all destinations would be affected as a result.

Place IP extended access lists as close to the source as possible. Since extended access lists can filter on very specific addresses and protocols, you don’t want your traffic to traverse the entire network just to be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up precious bandwidth.

Before I move on to demonstrate how to configure basic and extended ACLs, let’s talk about how they can be used to mitigate the security threats I mentioned earlier.

Mitigating Security Issues with ACLs

The most common attack is a denial of service (DoS) attack. Although ACLs can help with a DoS, you really need an intrusion detection system (IDS) and intrusion prevention system (IPS) to help prevent these common attacks. Cisco sells the Adaptive Security Appliance (ASA), which has IDS/IPS modules, but lots of other companies sell IDS/IPS products too.

Here’s a list of the many security threats you can mitigate with ACLs:

IP address spoofing, inbound
IP address spoofing, outbound
Denial of service (DoS) TCP SYN attacks, blocking external attacks
DoS TCP SYN attacks, using TCP Intercept
DoS smurf attacks
Denying/filtering ICMP messages, inbound
Denying/filtering ICMP messages, outbound
Denying/filtering Traceroute

This is not an “introduction to security” book, so you may have to research some of the preceding terms if you don’t understand them.


It’s generally a bad idea to allow into a private network any external IP packets that contain the source address of any internal hosts or networks—just don’t do it!

Here’s a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:

Deny any source addresses from your internal networks.
Deny any local host addresses (127.0.0.0/8).
Deny any reserved private addresses (RFC 1918).
Deny any addresses in the IP multicast address range (224.0.0.0/4).

None of these source addresses should ever be allowed to enter your internetwork. Now finally, let’s get our hands dirty and configure some basic and advanced access lists!



Standard Access Lists

Standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1–99 or numbers in the expanded range of 1300–1999 because the type of ACL is generally differentiated using a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.

The following output displays a good example of the many access-list number ranges that you can use to filter traffic on your network. The IOS version delimits the protocols you can specify access for:

Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<2700-2799> MPLS access list
<300-399> DECnet access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list

Wow—there certainly are a lot of old protocols listed in that output! IPX and DECnet would no longer be used in any of today’s networks. Let’s take a look at the syntax used when creating a standard IP access list:

Corp(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment

As I said, by using the access-list numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, which means you can only filter on source IP address.

Once you’ve chosen the access-list number, you need to decide whether you’re creating a permit or deny statement. I’m going to create a deny statement now:

Corp(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address

The next step is more detailed because there are three options available in it:

1. The first option is the any parameter, which is used to permit or deny any source host or network.
2. The second choice is to use an IP address to specify either a single host or a range of them.
3. The last option is to use the host command to specify a specific host only.

The any command is pretty obvious—any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple too, as you can see here:

Corp(config)#access-list 10 deny host ?
Hostname or A.B.C.D Host address
Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2 and that’s exactly how it will show in your running-config.

But there’s another way to specify either a particular host or a range of hosts, and it’s known as wildcard masking. In fact, to specify any range of hosts, you must use wildcard masking in the access list.

So exactly what is wildcard masking? Coming up, I’m going to show you using a standard access list example. I’ll also guide you through how to control access to a virtual terminal.

Wildcard Masking

Wildcards are used with access lists to specify an individual host, a network, or a specific range of a network or networks. The block sizes you learned about earlier used to specify a range of addresses are key to understanding wildcards.

Let me pause here for a quick review of block sizes before we go any further. I’m sure you remember that the different block sizes available are 64, 32, 16, 8, and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs. So if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you specify only 2 networks, then go with a block size of 4.

Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:

172.16.30.5 0.0.0.0

The four zeros represent each octet of the address. Whenever a zero is present, it indicates that the octet in the address must match the corresponding reference octet exactly. To specify that an octet can be any value, use the value 255. Here’s an example of how a /24 subnet is specified with a wildcard mask:

172.16.30.0 0.0.0.255

This tells the router to match up the first three octets exactly, but the fourth octet can be any value.

Okay—that was the easy part. But what if you want to specify only a small range of subnets? This is where block sizes come in. You have to specify the range of values in a block size, so you can’t choose to specify 20 networks. You can only specify the exact amount that the block size value allows. This means that the range would have to be either 16 or 32, but not 20.

Let’s say that you want to block access to the part of the network that ranges from 172.16.8.0 through 172.16.15.0. To do that, you would go with a block size of 8, your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. The 7.255 equals the value the router will use to determine the block size. So together, the network number and the wildcard tell the router to begin at 172.16.8.0 and go up a block size of eight addresses to network 172.16.15.0.

This really is easier than it looks! I could certainly go through the binary math for you, but no one needs that kind of pain because all you have to do is remember that the wildcard is always one number less than the block size. So, in our example, the wildcard would be 7 since our block size is 8. If you used a block size of 16, the wildcard would be 15. Easy, right?

Just to make sure you’ve got this, we’ll go through some examples that will definitely help you nail it down. The following example tells the router to match the first three octets exactly but that the fourth octet can be anything:

Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value:

Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Now, try to figure out this next line:

Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.255, and by the way, the Cisco objectives seem to really like this one!

Let’s keep practicing. What about this next one?

Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255

This example reveals an access list starting at 172.16.16.0 going up a block size of 8 to 172.16.23.255.

Let’s keep at it… What do you think the range of this one is?

Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255

This one begins at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.255.

You’re almost done practicing! After a couple more, we’ll configure some real ACLs.

Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255

This example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.255.

What about this last example?

Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255

This one shows us that it begins at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255.

Here are two more things to keep in mind when working with block sizes and wildcards:

Each block size must start at 0 or a multiple of the block size. For example, you can’t say that you want a block size of 8 and then start at 12. You must use 0–7, 8–15, 16–23, etc. For a block size of 32, the ranges are 0–31, 32–63, 64–95, etc.

The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.

Wildcard masking is a crucial skill to master when creating IP access lists, and it’s used identically when creating standard and extended IP access lists.

Standard Access List Example

In this section, you’ll learn how to use a standard access list to stop specific users from gaining access to the Finance department LAN.

In Figure 12.2, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department files. The Marketing LAN needs to access the Finance LAN for application services.

FIGURE 12.2 IP access list example with three LANs and a WAN connection

We can see that the following standard IP access list is configured on the router:

Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any

It’s very important to remember that the any command is the same thing as saying the following using wildcard masking:

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Since the wildcard mask says that none of the octets are to be evaluated, every address matches the test condition, so this is functionally doing the same as using the any keyword.

At this point, the access list is configured to deny source addresses from the Sales LAN to the Finance LAN and to allow everyone else. But remember, no action will be taken until the access list is applied on an interface in a specific direction!

But where should this access list be placed? If you place it as an incoming access list on Fa0/0, you might as well shut down the FastEthernet interface because all of the Sales LAN devices will be denied access to all networks attached to the router. The best place to apply this access list is on the Fa0/1 interface as an outbound list:

Lab_A(config)#int fa0/1
Lab_A(config-if)#ip access-group 10 out

Doing this completely stops traffic from 172.16.40.0 from getting out FastEthernet0/1. It has no effect on the hosts from the Sales LAN accessing the Marketing LAN and the Internet because traffic to those destinations doesn’t go through interface Fa0/1. Any packet trying to exit out Fa0/1 will have to go through the access list first. If there were an inbound list placed on F0/0, then any packet trying to enter interface F0/0 would have to go through the access list before being routed to an exit interface.
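To make the wildcard test from the Wildcard Masking section and the top-down evaluation of the ACL 10 example concrete, here is an added Python example (it is not code from the book) that parses standard access-list lines the way the text describes, rejects a network that does not start on a multiple of its block size, and evaluates a source address against the list with the implicit deny at the end. It goes a little beyond the text by treating a list with no test statements as filtering nothing, as the guidelines state; the sample list is the Figure 12.2 ACL 10 from above, and the function names are this example’s own.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # what the 'any' keyword expands to


def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 0 bit in the wildcard means the address bit must
    equal the network bit; a 1 bit means the router does not care."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(network) & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix: block size minus one in the varying octet(s),
    e.g. /21 -> 0.0.7.255, /27 -> 0.0.0.31, /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <source>' lines into an ordered list of
    (action, network, wildcard). <source> may be 'any', 'host A.B.C.D', a bare
    address (IOS treats it as a host) or 'A.B.C.D W.W.W.W' with a wildcard."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        src = parts[3:]
        if src == ["any"]:
            network, wildcard = ANY
        elif src[0] == "host" and len(src) == 2:
            network, wildcard = src[1], "0.0.0.0"
        elif len(src) == 1:
            network, wildcard = src[0], "0.0.0.0"
        elif len(src) == 2:
            network, wildcard = src
        else:
            raise ValueError(f"bad source in {line!r}")
        # A block must start at 0 or a multiple of its size, so no network bit
        # may sit inside the wildcard's don't-care bits (172.16.12.0 0.0.7.255 fails).
        if _int(network) & _int(wildcard):
            raise ValueError(f"{network} is not aligned to wildcard {wildcard}")
        entries.append((parts[2], network, wildcard))
    return entries


def evaluate(acl, source_ip: str) -> str:
    """Top-down, first-match evaluation with the implicit deny at the end. A list
    with no test statements filters nothing, so it permits everything."""
    if not acl:
        return "permit"
    for action, network, wildcard in acl:
        if wildcard_matches(source_ip, network, wildcard):
            return action
    return "deny"


# Constructed sample: the Figure 12.2 list (Sales LAN 172.16.40.0/24 blocked).
ACL_10 = parse_standard_acl([
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
])
```

Calling evaluate(ACL_10, "172.16.40.7") returns "deny" and evaluate(ACL_10, "172.16.10.7") returns "permit", which is the behaviour the outbound list on Fa0/1 gives the Sales and Marketing hosts.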

Now, let’s take a look at another standard access list example. Figure 12.3 shows an internetwork of two routers with four LANs.

FIGURE 12.3 IP standard access list example 2

Now we’re going to stop the Accounting users from accessing the Human Resources server attached to the Lab_B router but allow all other users access to that LAN using a standard ACL. What kind of standard access list would we need to create and where would we place it to achieve our goals?

The real answer is that we should use an extended access list and place it closest to the source! But this question specifies using a standard access list, and as a rule, standard ACLs are placed closest to the destination. In this example, Ethernet 0 is the outbound interface on the Lab_B router and here’s the access list that should be placed on it:

Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out

Keep in mind that to be able to answer this question correctly, you really need to understand subnetting, wildcard masks, and how to configure and implement ACLs. The accounting subnet is the 192.168.10.128/27, which is a 255.255.255.224, with a block size of 32 in the fourth octet.


With all this in mind and before we move on to restricting Telnet access on a router, let’s take a look at one more standard access list example. This one is going to require some thought. In Figure 12.4, you have a router with four LAN connections and one WAN connection to the Internet.

FIGURE 12.4 IP standard access list example 3

Okay—you need to write an access list that will stop access from each of the four LANs shown in the diagram to the Internet. Each of the LANs reveals a single host’s IP address, which you need to use to determine the subnet and wildcards of each LAN to configure the access list.

Here is an example of what your answer should look like, beginning with the network on E0 and working through to E3:

Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#
