Standard access lists These ACLs use only the source IP address in an
IP packet as the condition test. All decisions are made based on the
source IP address. This means that standard access lists basically permit
or deny an entire suite of protocols. They don’t distinguish between any
of the many types of IP traffic such as Web, Telnet, UDP, and so on.
Extended access lists Extended access lists can evaluate many of the
other fields in the layer 3 and layer 4 headers of an IP packet. They can
evaluate source and destination IP addresses, the Protocol field in the
Network layer header, and the port number at the Transport layer
header. This gives extended access lists the ability to make much more
granular decisions when controlling traffic.
Named access lists Hey, wait a minute—I said there were only two
types of access lists but listed three! Well, technically there really are only
two since named access lists are either standard or extended and not
actually a distinct type. I’m just distinguishing them because they’re
created and referred to differently than standard and extended access
lists are, but they’re still functionally the same.
We’ll cover these types of access lists in more depth later in
the chapter.
Once you create an access list, it’s not really going to do anything until
you apply it. Yes, they’re there on the router, but they’re inactive until you
tell that router what to do with them. To use an access list as a packet
filter, you need to apply it to an interface on the router where you want
the traffic filtered. And you’ve got to specify which direction of traffic you
want the access list applied to. There’s a good reason for this—you may
want different controls in place for traffic leaving your enterprise
destined for the Internet than you’d want for traffic coming into your
enterprise from the Internet. So, by specifying the direction of traffic, you
can and must use different access lists for inbound and outbound traffic
on a single interface:
Inbound access lists When an access list is applied to inbound packets
on an interface, those packets are processed through the access list before
being routed to the outbound interface. Any packets that are denied won’t
be routed because they’re discarded before the routing process is invoked.
Outbound access lists When an access list is applied to outbound
packets on an interface, packets are routed to the outbound interface and
then processed through the access list before being queued.
There are some general access-list guidelines that you should keep in
mind when creating and implementing access lists on a router:
You can assign only one access list per interface per protocol per
direction. This means that when applying IP access lists, you can have
only one inbound access list and one outbound access list per
interface.
When you consider the implications of the implicit deny at the
end of any access list, it makes sense that you can’t have multiple
access lists applied on the same interface in the same direction for the
same protocol. That’s because any packets that don’t match some
condition in the first access list would be denied and there wouldn’t
be any packets left over to compare against a second access list!
Organize your access lists so that the more specific tests are at the top.
Anytime a new entry is added to the access list, it will be placed at the
bottom of the list, which is why I highly recommend using a text
editor for access lists.
You can’t remove one line from an access list. If you try to do this, you
will remove the entire list. This is why it’s best to copy the access list
to a text editor before trying to edit the list. The only exception is
when you’re using named access lists.
You can edit, add, or delete a single line from a named access
list. I’ll show you how shortly.
Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list’s tests. This means every list should have at least one permit statement or it will deny all traffic.
Create access lists and then apply them to an interface. Any access list
applied to an interface without access-list test statements present will
not filter traffic.
Access lists are designed to filter traffic going through the router. They
will not filter traffic that has originated from the router.
Place IP standard access lists as close to the destination as possible.
This is the reason we don’t really want to use standard access lists in
our networks. You can’t put a standard access list close to the source
host or network because you can only filter based on source address
and all destinations would be affected as a result.
Place IP extended access lists as close to the source as possible. Since
extended access lists can filter on very specific addresses and
protocols, you don’t want your traffic to traverse the entire network
just to be denied. By placing this list as close to the source address as
possible, you can filter traffic before it uses up precious bandwidth.
Before I move on to demonstrate how to configure basic and extended
ACLs, let’s talk about how they can be used to mitigate the security
threats I mentioned earlier.
Mitigating Security Issues with ACLs
The most common attack is a denial of service (DoS) attack. Although
ACLs can help with a DoS, you really need an intrusion detection system
(IDS) and intrusion prevention system (IPS) to help prevent these
common attacks. Cisco sells the Adaptive Security Appliance (ASA),
which has IDS/IPS modules, but lots of other companies sell IDS/IPS
products too.
Here’s a list of the many security threats you can mitigate with ACLs:
IP address spoofing, inbound
IP address spoofing, outbound
Denial of service (DoS) TCP SYN attacks, blocking external attacks
DoS TCP SYN attacks, using TCP Intercept
DoS smurf attacks
Denying/filtering ICMP messages, inbound
Denying/filtering ICMP messages, outbound
Denying/filtering Traceroute
This is not an “introduction to security” book, so you may
have to research some of the preceding terms if you don’t understand
them.
It’s generally a bad idea to allow into a private network any external IP
packets that contain the source address of any internal hosts or networks
—just don’t do it!
Here’s a list of rules to live by when configuring ACLs from the Internet
to your production network to mitigate security problems:
Deny any source addresses from your internal networks.
Deny any local host addresses (127.0.0.0/8).
Deny any reserved private addresses (RFC 1918).
Deny any addresses in the IP multicast address range (224.0.0.0/4).
None of these source addresses should ever be allowed to enter your internetwork. Now finally, let’s get our hands dirty and configure some basic and advanced access lists!
Standard Access Lists
Standard IP access lists filter network traffic by examining the source IP
address in a packet. You create a standard IP access list by using the
access-list numbers 1–99 or numbers in the expanded range of 1300–
1999 because the type of ACL is generally differentiated using a number.
Based on the number used when the access list is created, the router
knows which type of syntax to expect as the list is entered. By using
numbers 1–99 or 1300–1999, you’re telling the router that you want to
create a standard IP access list, so the router will expect syntax specifying
only the source IP address in the test lines.
The following output displays a good example of the many access-list
number ranges that you can use to filter traffic on your network. The IOS
version delimits the protocols you can specify access for:
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<2700-2799> MPLS access list
<300-399> DECnet access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Wow—there certainly are a lot of old protocols listed in that output! IPX and DECnet would no longer be used in any of today’s networks. Let’s take a look at the syntax used when creating a standard IP access list:
Corp(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
As I said, by using the access-list numbers 1–99 or 1300–1999, you’re
telling the router that you want to create a standard IP access list, which
means you can only filter on source IP address.
Once you’ve chosen the access-list number, you need to decide whether you’re creating a permit or deny statement. I’m going to create a deny statement now:
Corp(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
The next step is more detailed because there are three options available in it:
1. The first option is the any parameter, which is used to permit or deny any source host or network.
2. The second choice is to use an IP address to specify either a single host or a range of them.
3. The last option is to use the host command to specify a specific host only.
The any command is pretty obvious—any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple too, as you can see here:
Corp(config)#access-list 10 deny host ?
Hostname or A.B.C.D Host address
Corp(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2 and that’s exactly how it will show in your running-config.
But there’s another way to specify either a particular host or a range of
hosts, and it’s known as wildcard masking. In fact, to specify any range of
hosts, you must use wildcard masking in the access list.
So exactly what is wildcard masking? Coming up, I’m going to show you
using a standard access list example. I’ll also guide you through how to
control access to a virtual terminal.
Wildcard Masking
Wildcards are used with access lists to specify an individual host, a
network, or a specific range of a network or networks. The block sizes you
learned about earlier used to specify a range of addresses are key to
understanding wildcards.
Let me pause here for a quick review of block sizes before we go any
further. I’m sure you remember that the different block sizes available are
64, 32, 16, 8, and 4. When you need to specify a range of addresses, you
choose the next-largest block size for your needs. So if you need to specify
34 networks, you need a block size of 64. If you want to specify 18 hosts,
you need a block size of 32. If you specify only 2 networks, then go with a
block size of 4.
Wildcards are used with the host or network address to tell the router a
range of available addresses to filter. To specify a host, the address would
look like this:
172.16.30.5 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is
present, it indicates that the octet in the address must match the
corresponding reference octet exactly. To specify that an octet can be any
value, use the value 255. Here’s an example of how a /24 subnet is
specified with a wildcard mask:
172.16.30.0 0.0.0.255
This tells the router to match up the first three octets exactly, but the
fourth octet can be any value.
Okay—that was the easy part. But what if you want to specify only a small
range of subnets? This is where block sizes come in. You have to specify
the range of values in a block size, so you can’t choose to specify 20
networks. You can only specify the exact amount that the block size value
allows. This means that the range would have to be either 16 or 32, but
not 20.
Let’s say that you want to block access to the part of the network that
ranges from 172.16.8.0 through 172.16.15.0. To do that, you would go
with a block size of 8, your network number would be 172.16.8.0, and the
wildcard would be 0.0.7.255. The 7.255 equals the value the router will
use to determine the block size. So together, the network number and the
wildcard tell the router to begin at 172.16.8.0 and go up a block size of
eight addresses to network 172.16.15.0.
This really is easier than it looks! I could certainly go through the binary
math for you, but no one needs that kind of pain because all you have to
do is remember that the wildcard is always one number less than the
block size. So, in our example, the wildcard would be 7 since our block
size is 8. If you used a block size of 16, the wildcard would be 15. Easy,
right?
Just to make sure you’ve got this, we’ll go through some examples that will definitely help you nail it down. The following example tells the router to match the first three octets exactly but that the fourth octet can be anything:
Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255
The next example tells the router to match the first two octets and that
the last two octets can be any value:
Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Now, try to figure out this next line:
Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255
This configuration tells the router to start at network 172.16.16.0 and use
a block size of 4. The range would then be 172.16.16.0 through
172.16.19.255, and by the way, the Cisco objectives seem to really like this
one!
Let’s keep practicing. What about this next one?
Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255
This example reveals an access list starting at 172.16.16.0 going up a block
size of 8 to 172.16.23.255.
Let’s keep at it… What do you think the range of this one is?
Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255
This one begins at network 172.16.32.0 and goes up a block size of 16 to
172.16.47.255.
You’re almost done practicing! After a couple more, we’ll configure some
real ACLs.
Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255
This example starts at network 172.16.64.0 and goes up a block size of 64
to 172.16.127.255.
What about this last example?
Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255
This one shows us that it begins at network 192.168.160.0 and goes up a
block size of 32 to 192.168.191.255.
Here are two more things to keep in mind when working with block sizes
and wildcards:
Each block size must start at 0 or a multiple of the block size. For
example, you can’t say that you want a block size of 8 and then start at
12. You must use 0–7, 8–15, 16–23, etc. For a block size of 32, the
ranges are 0–31, 32–63, 64–95, etc.
The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.
Wildcard masking is a crucial skill to master when creating IP
access lists, and it’s used identically when creating standard and
extended IP access lists.
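The following is an added example (it is not code from the book) that does this section’s wildcard arithmetic with integers: the wildcard is one less than the block size, a 0 bit must match the reference address exactly while a 1 bit may be anything, and a block must start at 0 or a multiple of its size. The function names and the alignment check are my own; the sample networks are the ones worked through above.

```python
# Added example (not from the book): wildcard-mask arithmetic for standard IP access lists.
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_for_block(block_size: int) -> int:
    """Wildcard value for a single octet: one less than the block size (8 -> 7, 16 -> 15)."""
    if block_size < 1 or block_size > 256 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two between 1 and 256")
    return block_size - 1


def wildcard_mask(block_size: int, octet: int) -> str:
    """Dotted wildcard for a block of 'block_size' in octet 1..4; every octet to the right is 255.
    wildcard_mask(8, 3) -> '0.0.7.255' is the 172.16.8.0 through 172.16.15.0 case from the text."""
    if octet not in (1, 2, 3, 4):
        raise ValueError("octet must be 1..4")
    parts = [0, 0, 0, 0]
    parts[octet - 1] = wildcard_for_block(block_size)
    for i in range(octet, 4):
        parts[i] = 255
    return ".".join(str(p) for p in parts)


def is_aligned(network: str, wildcard: str) -> bool:
    """True if the network starts at 0 or a multiple of the block size the wildcard implies.
    172.16.12.0 with 0.0.7.255 is not aligned: the bits under the wildcard are ignored by the
    router, so that line would not describe the range you think you typed."""
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    return net & wild == 0


def acl_range(network: str, wildcard: str) -> Tuple[str, str]:
    """First and last address matched by the test 'network wildcard'."""
    if not is_aligned(network, wildcard):
        raise ValueError(f"{network} is not a multiple of the block size implied by {wildcard}")
    net = int(ipaddress.IPv4Address(network))
    wild = int(ipaddress.IPv4Address(wildcard))
    first = net                      # all wildcard bits are 0 here, since the block is aligned
    last = net | wild                # all wildcard bits set to 1
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


if __name__ == "__main__":
    for net, wild in [("172.16.16.0", "0.0.3.255"), ("172.16.32.0", "0.0.15.255"),
                      ("192.168.160.0", "0.0.31.255"), ("172.16.64.0", "0.0.63.255")]:
        print(net, wild, "->", "-".join(acl_range(net, wild)))
```

Run it as a script to see each practice line from this section expanded to its first and last address; acl_range("0.0.0.0", "255.255.255.255") gives the whole address space, which is why that pair and any are interchangeable.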
Standard Access List Example
In this section, you’ll learn how to use a standard access list to stop
specific users from gaining access to the Finance department LAN.
In Figure 12.2, a router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not have access to the Finance LAN, but they should be able to access the Internet and the marketing department files. The Marketing LAN needs to access the Finance LAN for application services.
FIGURE 12.2 IP access list example with three LANs and a WAN connection
We can see that the following standard IP access list is configured on the
router:
Lab_A#config t
Lab_A(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any
It’s very important to remember that the any command is the same thing as saying the following using wildcard masking:
Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255
Since the wildcard mask says that none of the octets are to be evaluated, every address matches the test condition, so this is functionally doing the same as using the any keyword.
At this point, the access list is configured to deny source addresses from
the Sales LAN to the Finance LAN and to allow everyone else. But
remember, no action will be taken until the access list is applied on an
interface in a specific direction!
But where should this access list be placed? If you place it as an incoming
access list on Fa0/0, you might as well shut down the FastEthernet
interface because all of the Sales LAN devices will be denied access to all
networks attached to the router. The best place to apply this access list is
on the Fa0/1 interface as an outbound list:
Lab_A(config)#int fa0/1
Lab_A(config-if)#ip access-group 10 out
Doing this completely stops traffic from 172.16.40.0 from getting out
FastEthernet0/1. It has no effect on the hosts from the Sales LAN
accessing the Marketing LAN and the Internet because traffic to those
destinations doesn’t go through interface Fa0/1. Any packet trying to exit
out Fa0/1 will have to go through the access list first. If there were an
inbound list placed on F0/0, then any packet trying to enter interface
F0/0 would have to go through the access list before being routed to an
exit interface.
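Here is an added example, not code from the book, that checks the behaviour described in the guidelines earlier (top-down processing, first match wins, implicit deny at the end of every list) and in the anti-spoofing rules for Internet-facing interfaces. It parses the numbered standard access-list lines used in this chapter and evaluates a source address against them. List 10 is the one from Figure 12.2; the second list is built from the four “rules to live by”, with 203.0.113.0/24 standing in for the internal network (a constructed value, since the book does not give one). Function names are my own.

```python
# Added example (not from the book): a first-match evaluator for numbered standard IP
# access lists, used to check list 10 from Figure 12.2 and an anti-spoofing ingress list.
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
Entry = Tuple[str, int, int]  # (action, network, wildcard), addresses as 32-bit integers


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one line; 'remark' lines return None. Address forms accepted, as on the router:
    'any', 'host A.B.C.D', a bare 'A.B.C.D' (host is the default) and 'A.B.C.D W.W.W.W'."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "access-list":
        raise ValueError(f"not a numbered access-list line: {line!r}")
    action = parts[2]
    if action == "remark":
        return None
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    rest = parts[3:]
    if not rest:
        raise ValueError(f"missing source address in {line!r}")
    if rest == ["any"]:
        net, wild = 0, ALL_ONES
    elif rest[0] == "host":
        net, wild = int(ipaddress.IPv4Address(rest[1])), 0
    else:
        net = int(ipaddress.IPv4Address(rest[0]))
        wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return action, net, wild


def evaluate(acl: List[str], source: str) -> Tuple[str, Optional[str]]:
    """Return (action, matching line) for a packet with this source address.
    Only the source is tested because this is a standard list. If no line matches the
    result is ('deny', None): the implicit deny that ends every access list."""
    src = int(ipaddress.IPv4Address(source))
    for line in acl:
        entry = parse_entry(line)
        if entry is None:
            continue
        action, net, wild = entry
        if (src ^ net) & ~wild & ALL_ONES == 0:  # every 0 wildcard bit must match exactly
            return action, line
    return "deny", None


# List 10 from Figure 12.2: the Sales LAN (172.16.40.0/24) is denied, everyone else permitted.
FINANCE_ACL = [
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
]

# Inbound filter for the Internet-facing interface. 203.0.113.0/24 is a constructed stand-in
# for "your internal networks"; the other entries are the loopback, RFC 1918 and multicast
# ranges named in the text.
INGRESS_ACL = [
    "access-list 20 remark sources that can never legitimately arrive from the Internet",
    "access-list 20 deny 203.0.113.0 0.0.0.255",
    "access-list 20 deny 127.0.0.0 0.255.255.255",
    "access-list 20 deny 10.0.0.0 0.255.255.255",
    "access-list 20 deny 172.16.0.0 0.15.255.255",
    "access-list 20 deny 192.168.0.0 0.0.255.255",
    "access-list 20 deny 224.0.0.0 15.255.255.255",
    "access-list 20 permit any",
]

if __name__ == "__main__":
    for src in ("172.16.40.17", "172.16.10.5"):
        print("list 10", src, evaluate(FINANCE_ACL, src))
    for src in ("203.0.113.9", "10.1.1.1", "239.1.1.1", "198.51.100.7"):
        print("list 20", src, evaluate(INGRESS_ACL, src))
```

Reversing the two lines of list 10 makes the permit any match first and the deny unreachable, and a list that contains only the deny line denies 172.16.10.5 as well, through the implicit deny; both are the guideline cases from earlier in the chapter, and the evaluator shows them rather than leaving them to memory.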
Now, let’s take a look at another standard access list example. Figure 12.3 shows an internetwork of two routers with four LANs.
FIGURE 12.3 IP standard access list example 2
Now we’re going to stop the Accounting users from accessing the Human
Resources server attached to the Lab_B router but allow all other users
access to that LAN using a standard ACL. What kind of standard access
list would we need to create and where would we place it to achieve our
goals?
The real answer is that we should use an extended access list and place it
closest to the source! But this question specifies using a standard access
list, and as a rule, standard ACLs are placed closest to the destination. In
this example, Ethernet 0 is the outbound interface on the Lab_B router
and here’s the access list that should be placed on it:
Lab_B#config t
Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface Ethernet 0
Lab_B(config-if)#ip access-group 10 out
Keep in mind that to be able to answer this question correctly, you really need to understand subnetting, wildcard masks, and how to configure and implement ACLs. The Accounting subnet is 192.168.10.128/27, which has a subnet mask of 255.255.255.224 and a block size of 32 in the fourth octet, hence the wildcard 0.0.0.31.
With all this in mind and before we move on to restricting Telnet access on a router, let’s take a look at one more standard access list example. This one is going to require some thought. In Figure 12.4, you have a router with four LAN connections and one WAN connection to the Internet.
FIGURE 12.4 IP standard access list example 3
Okay—you need to write an access list that will stop access from each of
the four LANs shown in the diagram to the Internet. Each of the LANs
reveals a single host’s IP address, which you need to use to determine the
subnet and wildcards of each LAN to configure the access list.
Here is an example of what your answer should look like, beginning with
the network on E0 and working through to E3:
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 deny 172.16.192.0 0.0.63.255
Router(config)#access-list 1 deny 172.16.88.0 0.0.7.255
Router(config)#access-list 1 permit any
Router(config)#
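As an added example, not from the book, the following code does the by-hand work Figure 12.4 asks for: from one host address and its prefix length it derives the network and wildcard of that LAN and emits the deny line, then closes the list with permit any. Figure 12.4 itself is not reproduced on this page, so the host addresses and prefix lengths below are constructed; they were chosen so that the output matches the answer given above, and the same function reproduces the Accounting subnet line from example 2. Function names are my own.

```python
# Added example (not from the book): build the standard list for Figure 12.4 from one
# host address per LAN. The sample hosts are constructed for this example.
import ipaddress
from typing import Iterable, List, Tuple

ALL_ONES = 0xFFFFFFFF


def network_and_wildcard(host: str, prefixlen: int) -> Tuple[str, str]:
    """Block size is 2**(32 - prefixlen); the wildcard is the block size minus one, and the
    network is the host with every wildcard bit cleared, i.e. aligned to the block.
    /32 gives 'A.B.C.D 0.0.0.0' (a single host) and /0 gives '0.0.0.0 255.255.255.255' (any)."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(host))
    wild = (1 << (32 - prefixlen)) - 1
    net = addr & ~wild & ALL_ONES
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(wild))


def deny_lans(acl_number: int, hosts: Iterable[Tuple[str, int]]) -> List[str]:
    """Standard list denying each LAN identified by a (host, prefixlen) pair, closed with
    'permit any' so the implicit deny does not drop everything else leaving the interface."""
    lines = []
    for host, prefixlen in hosts:
        net, wild = network_and_wildcard(host, prefixlen)
        lines.append(f"access-list {acl_number} deny {net} {wild}")
    lines.append(f"access-list {acl_number} permit any")
    return lines


# Constructed sample hosts, one per LAN, in the order E0, E1, E2, E3.
FIGURE_12_4_HOSTS = [
    ("172.16.130.10", 19),  # E0: /19 -> block size 32 in the third octet
    ("172.16.50.25", 20),   # E1: /20 -> block size 16
    ("172.16.200.5", 18),   # E2: /18 -> block size 64
    ("172.16.90.1", 21),    # E3: /21 -> block size 8
]

if __name__ == "__main__":
    for line in deny_lans(1, FIGURE_12_4_HOSTS):
        print(line)
```

The list is meant to be applied outbound on the WAN interface, so the closing permit any matters: without it the implicit deny would stop every packet leaving for the Internet, not just the four LANs.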