You are on page 1of 6

Student Name _David M.

Fontanez___ ___ Date___22 Jan 2015___

Database Server Security Demands iLab3

In this lab, the students will examine the following objectives.

Become familiar with well-known and ephemeral ports

Create ACL to meet requirements on database security demands
Learn best practices to create and apply ACLs.

A small company is using the topology shown below. The Public Server is actually an off-site
Database Server that contains company records. Assume that the network represents
the Internet. The Dallas and Chicago Servers and hosts need to access the database server securely.
Only users in the Dallas and Chicago LANs should be able to access the database server.

The last page of the lab assignment document contains a full-page topology. Remove this
page and use it for reference to the topology and the IP addresses.

Initial Configuration
The Dallas, Chicago, and ISP Routers FastEthernet and Serial interfaces used for the lab have been
correctly configured and enabled. Unused interfaces have been shutdown. The RIP routing tables are
complete for all routers and hosts. No ACLs have been applied to any of the routers. Below is the
initial running-config file in ISP router.
version 12.3(4)T7
hostname ISP_Router
interface FastEthernet0/0
ip address
interface FastEthernet1/0
ip address
interface Serial0/0
ip address
interface Serial0/1
ip address
router rip
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco

Lab Data Collection and Submission

Download and open the lab document file: SEC450_DB-SecurityDemands_Report.docx. Enter your
name and date at the top of the lab document. As you complete each task of the lab assignment
entering all relevant configuration commands, and, answered questions (as specified in the iLab
assignment) into this lab document. You will submit the completed
SEC450_DB_SecurityDemands_Report.docx file into the this weeks eCollege iLab Dropbox.

Note: RED text indicates the required questions to answer

Task to Set up Security Policy for Offsite Database Server

The following requirements were given to the network engineer to create and apply ACL 100 in ISP router

Permit SQL database traffic from the Public server to the Dallas Host.
Permit SQL database traffic from the Public server to the Dallas Server.
Permit SQL database traffic from the Public server to the Chicago Host.
Permit SQL database traffic from the Public server to the Chicago Server.
Deny all other TCP traffic from the Public server to any destination.
Permit all other traffic.

#1. Explain the meaning of the "three P's" best practice rule to create ACL in routers
One ACL per protocol- To control traffic flow on an interface, an ACL must be defined for each
protocol enabled on the interface.
One ACL per direction- ACLs control traffic in one direction at a time on an interface. Two
separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface- ACLs control traffic for an interface, for example, Fast Ethernet0/0.

#2. Explain the difference between the following two access-list commands
a) access-list 101 permit tcp any any eq 80
b) access-list 101 permit tcp any eq 80 any
a) Allows any traffic with a destination TCP port
b) Allows any traffic with a source TCP port

#3. What are well-known, registered, and ephemeral UDP/TCP ports?

Well-known and registered port numbers are needed for server processes since a client must know
the servers port number to initiate contact. In contrast, client processes can use any port number.
Each time a client process initiates a UDP or TCP communication it is assigned a temporary,
or ephemeral, port number to use for that conversation. These port numbers are assigned in a
pseudo-random way, since the exact number used is not important, as long as each process has a
different number. The numbers are defined as 1,024 to 4,999, providing 3,976 ephemeral ports.

#4. What is wrong with ACL 105?

access-list 105 permit tcp any any
access-list 105 deny tcp host any

With the access-list 105 permit tcp any any, the eq was not specified.
On access-list 105 deny tcp host any, it should have been input like this:
access-list 105 deny tcp any host

#5. What well-known TCP port does Oracle Database (sql net) server use?
TCP Port 1521

#6. A company is managing an Oracle Database located in a Public Server to support day-to-day
operations in Dallas and Chicago networks. The company has requested its Internet Access Provider
(ISP) to create the necessary ACL at the ISP router securing that only responses from Oracle server to
certain hosts are allowed to enter Dallas and Chicago LANs.
ISP network engineers decided to use extended ACL, and applies it to F0/0 interface in ISP router. Why
did they decide to create an extended ACL and apply it in interface F0/0 for inbound traffic?
They decided to do this because if the access list is inbound, when the router receives a packet, the
Cisco IOS software checks the criteria statements of the access list for a match. If the packet is
permitted, the software continues to process the packet. If the packet is denied, the software discards
the packet.

#7. Copy below ISP routers initial running-config file from page 2, and add the commands
needed to create and apply the ACL in the ISP router.

ISP_Router#config t
Enter configuration commands, one per line.

End with CNTL/Z.

Rerun simulation if changes are made to the router's configuration.

ISP_Router(config)#access-list 100 permit tcp host eq 66 host
ISP_Router(config)#access-list 100 permit tcp host eq 66 host
ISP_Router(config)#access-list 100 permit tcp host eq 66 host
ISP_Router(config)#access-list 100 permit tcp host eq 66 host
ISP_Router(config)#access-list 100 deny tcp host any
ISP_Router(config)#access-list 100 permit ip any any
ISP_Router(config)#int f0/0
ISP_Router(config-if)#ip access-group 100 in

Answer all questions in the iLab Report document and upload it in Week 3 iLab Dropbox.