Access Controls in Networks
www.ine.com
Course Prerequisites and Assumptions
» Prerequisite = CCNA ACL Videos
» ACLs are used as a classification tool by many different features; this course will concentrate on using ACLs purely for packet filtering.
Copyright © www.INE.com
Agenda
» Using L4/L5 Extensions in Access-Lists
» Reflexive Access-Lists
» Dynamic Access-Lists
» Using Object-Groups with ACLs
» Time-Based Access-Lists
» Access-List Logging Options
Review Quiz #1
» Shown below are some examples of the first few IOS commands to configure various access-lists.
» Which of these, if completed, will only allow matching on the source IP address of a packet?
A access-list 85 permit ……..
B access-list 100 permit ……..
C access-list 156 permit ……..
D access-list 1450 permit ……..
E access-list 2420 permit ……..
Review Quiz #2
» Given the following access-list and topology, which of the statements are true?
access-list 1 permit 150.75.1.0 255.255.254.254
interface FastEthernet0/0
ip access-group 1 in
Review Quiz #3
» The three IP addresses below share some common bits. Create a named, standard access-list called "INE" that contains only a single ACE which will permit any packet from these source addresses and any other addresses matching only these common bits:
21.45.0.242
88.243.0.138
178.101.0.135
Using L4/L5 extensions in ACLs
Accessing Layer-4/5 ACL Options
» Extended ACLs provide the ability to match on Layer-4 and/or Layer-5 information.
» Must supply "tcp" or "udp" as the top-level protocol keyword.
(Diagram: with "ip" as the protocol only the L3 options are available; with "tcp" or "udp" the L3-L5 options are available.)
Matching on TCP/UDP Port Numbers
» Session-Layer port numbers may be matched in a variety of ways:
• eq 23 (matching on an exact port number that "equals" the supplied value)
• lt 1000 (matching on any value "less than" the supplied value)
• gt 500 (matching on any value "greater than" the supplied value)
• neq 20 (matching on any value "not equal to" the supplied value)
• range 100 200 (matching on any value in the supplied range of values; IOS separates the two ends with a space)
How would you do this?
» Network Engineers within the Corporate Intranet should be able to open TCP sessions to devices within the Testing Lab.
» Deny any devices from within the lab from initiating outbound TCP sessions to the Corporate Intranet.
(Topology: Router A, with Fast0/0 (200.1.199.1 /30) facing the Testing Lab and the Corporate Intranet 200.1.x.x /16 on the other side.)
How would you do this?
» When TCP segments are received on Fast0/0 as a response from sessions initiated from within the Corporate Intranet, what will they all have in common?
(Diagram: the Intranet host sends SYN, the lab device answers SYN+ACK, the host sends ACK; all subsequent permitted return traffic from the lab carries the ACK flag, or RST.)
Solution #1
RouterA(config)#access-list 101 permit tcp any any ack
RouterA(config)#access-list 101 permit tcp any any rst
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
Solution #2
RouterA(config)#access-list 101 permit tcp any any established
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
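To see how the port operators and the ack/rst/established keywords decide a packet's fate, here is an added Python model of the matching logic (not INE's code and not IOS itself); the lab and intranet addresses used in the test packets are constructed. Like the IOS keywords it is stateless and looks only at header bits, which is the limitation the reflexive ACLs in the next section address.

```python
from dataclasses import dataclass

@dataclass
class Packet:                      # constructed packet header, only the fields the ACL looks at
    proto: str                     # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset() # TCP flag names, e.g. {"SYN", "ACK"}

PORT_OPS = {                       # the IOS port operators from the slide
    "eq":    lambda port, a: port == a[0],
    "lt":    lambda port, a: port < a[0],
    "gt":    lambda port, a: port > a[0],
    "neq":   lambda port, a: port != a[0],
    "range": lambda port, a: a[0] <= port <= a[1],
}

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip"
    dport: tuple = None            # (operator, args), e.g. ("eq", (23,)); None = any port
    flags: frozenset = frozenset() # subset of {"ack", "rst", "established"}

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport and not PORT_OPS[self.dport[0]](p.dport, self.dport[1]):
            return False
        if "established" in self.flags:          # IOS: ACK bit or RST bit set
            return "ACK" in p.flags or "RST" in p.flags
        if "ack" in self.flags and "ACK" not in p.flags:
            return False
        if "rst" in self.flags and "RST" not in p.flags:
            return False
        return True

def evaluate(acl, p):
    """First matching ACE decides; otherwise the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

# The slide's two solutions for the ACL applied inbound on Fast0/0 ("any any" source/destination).
SOLUTION_1 = [Ace("permit", "tcp", flags=frozenset({"ack"})),
              Ace("permit", "tcp", flags=frozenset({"rst"}))]
SOLUTION_2 = [Ace("permit", "tcp", flags=frozenset({"established"}))]
```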
Reflexive Access-Lists
(IP Session Filtering)
How would you do this?
» Network Engineers within the Corporate Intranet should be able to transmit any type of data to devices within the Testing Lab.
» If the Testing Lab is compromised, deny any devices from within the lab from initiating outbound sessions to the Corporate Intranet.
The Solution – Reflexive Access Lists
» Reflexive ACLs monitor for permitted, outgoing data of any type.
» Reflexive ACLs create a mirror-image of transmitted traffic which will be permitted upon return.
» Reflexive entries expire after a configurable timeout value.
(Diagram, steps 1-4: an ICMP echo between 200.1.1.1 and 200.2.1.1 (IP protocol 1) is permitted outbound, the router installs a mirror "permit" entry for IP protocol 1 between the two hosts, the ICMP echo-response is permitted on return, and the entry expires after the timeout.)
Reflexive ACL Configuration (2)
» Create a named, extended ACL for monitoring ingress traffic from untrusted sources. Can be any name.
Reflexive ACL Configuration (3)
» Apply both ACLs to interface facing untrusted networks.
RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror
RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group EGRESS out
RouterA(config-if)#ip access-group INGRESS in
Reflexive ACL Timeout Values
» Reflexive ACLs have timeout values:
A. Graceful TCP close (two segments seen with FIN flags): timeout = 5 seconds
B. TCP reset: timeout = immediate
C. TCP packets no longer seen: timeout = 300 seconds
D. UDP, ICMP and all others: timeout = 300 seconds after the last packet seen
Monitoring Reflexive ACLs
» Before the dynamic entry is created by the reflexive ACL:
Dynamic Access Lists
“Lock and Key”
The Objective…
» You've hired a contractor for the next 3 months to work on Project-X.
» This project requires that the contractor be allowed access to certain devices/subnets, but not others.
» Access should be denied after 5 minutes of inactivity, or an absolute timeout of 15 minutes.
(Topology: the Project-X temporary contractor connects from the Internet to Router A's Fast0/0; the Corporate Intranet sits behind the router.)
Solution #1
» Every authentication request is offloaded to a central authentication database.
» Might require manual configuration of each device.
(Topology: as above, with an authentication server behind Router A.)
Solution #2 – Dynamic ACLs
1. User must first telnet to the router.
2. After successful authentication, the Telnet session is closed and the dynamic ACL entry is created on the interface.
3. The dynamic ACL entry is removed from the interface after the configurable absolute-timeout (or idle-timeout) value.
(Diagram callouts: step 2, "I'll allow that user to access those resources for 5 minutes!"; step 3, "15 minutes are up! User is no longer allowed!")
Dynamic ACL Configuration (1)
username bob password 0 projX
username bob autocommand access-enable timeout 5
Or…
line vty 0 4
autocommand access-enable timeout 5
Dynamic ACL Configuration (2)
access-list 101 dynamic Project timeout 15 permit ip any 2.4.0.0 0.0.0.255
access-list 101 permit tcp any host 1.1.1.1 eq telnet
!
line vty 0 4
login local
» Named ACLs can also be used.
Dynamic ACL Configuration (3)
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.252
ip access-group 101 in
!
interface FastEthernet0/1
ip address 1.2.1.1 255.255.255.252
!
Monitoring Dynamic ACLs
» Before the Dynamic ACL is applied…
Clearing Dynamic ACL Entries
» If you ever need to manually delete a Dynamic ACL entry:
Extending Dynamic ACL Entries
» An IOS command allows users to extend the life of their dynamic ACE by an additional 6 minutes.
Dynamic ACL Rules
» Cannot be used to provide different access rights to different users.
» Dynamic ACLs may use either an "idle-timeout" or an "absolute-timeout" value.
» "autocommand access-enable" may be configured either:
• At the "username" level
• Within the VTY line
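An added Python model of the lock-and-key lifecycle configured in the three slides above (not INE's code or IOS itself): the entry exists only after the Telnet login runs access-enable, the idle timer (5) is refreshed by traffic, the absolute timer (15) is not, and a single entry serves every authenticated user, which is why different users cannot get different rights. The extend() method models the slide's "additional 6 minutes" under the assumption that it pushes out the absolute deadline; times are in minutes.

```python
IDLE_TIMEOUT = 5        # minutes: "autocommand access-enable timeout 5"
ABSOLUTE_TIMEOUT = 15   # minutes: "access-list 101 dynamic Project timeout 15 ..."
EXTENSION = 6           # minutes the slide says a user can add to the dynamic ACE

class LockAndKey:
    """One dynamic entry per dynamic ACE: all authenticated users share the same rights."""

    def __init__(self, users):
        self.users = users      # username -> password, from the "username bob password 0 projX" line
        self.entry = None       # the dynamic ACE, present only after access-enable has run

    def telnet_login(self, now, user, password):
        """Telnet to the router; on success 'autocommand access-enable' creates the entry
        and the Telnet session is closed (the user never gets a shell)."""
        if self.users.get(user) != password:
            return False
        self.entry = {"absolute_deadline": now + ABSOLUTE_TIMEOUT, "last_seen": now}
        return True

    def is_allowed(self, now):
        """Does traffic at time 'now' match a live dynamic ACE? Either timer expiring removes it."""
        e = self.entry
        if e is None:
            return False
        if now >= e["absolute_deadline"] or now - e["last_seen"] >= IDLE_TIMEOUT:
            self.entry = None          # same effect as manually clearing the dynamic entry
            return False
        e["last_seen"] = now           # activity refreshes the idle timer only
        return True

    def extend(self, now):
        """Assumed model of 'extend the life by an additional 6 minutes': the entry must
        still be alive, and the absolute deadline moves out by EXTENSION minutes."""
        if not self.is_allowed(now):
            return False
        self.entry["absolute_deadline"] += EXTENSION
        return True
```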
Object Groups in IOS
Object Groups
<output omitted>
Simplification with Object Groups (1)
» From this…
(Diagram: sources 200.0.0.1 and 200.0.0.2 are permitted ("OK!!") to reach 10.0.0.100 and 10.0.0.101; any other source x.x.x.x is denied ("NO!!").)
Simplification with Object Groups (2)
» To this…
(Same diagram as above.)
Time-Based Access-Lists
The Objective
Time-Based ACL Configuration (2)
» Decide on either absolute or periodic.
Time-Based ACL Configuration (3)
» Complete the command by defining the time interval(s).
Monitoring Time-Based ACLs
Access-List Logging
Logging
» ACE entries can be appended with logging-related keywords:
• access-list x ………….log
• access-list x …………..log-input
» Logging allows syslogs to be displayed, providing hit-counts and evidence of ACL activity.
» Logging forces packets matching ACE entries to be process-switched = increased CPU load.
Log and Log-Input
access-list 101 permit icmp any host 22.22.22.22 log
access-list 101 xxxxxxxxxxx log-input EmailServer
(The word following the keyword, "EmailServer" above, is an optional "cookie".)
How often is logging displayed? (1)
» Individual ACEs can have the "log" or "log-input" keywords.
» When an ACL is applied to an interface, syslogs are generated:
• Once every 5 minutes for packets matching a particular ACE.
• If any log-enabled ACE in any ACL on any interface matches a packet within one second of the initial log message, the match or matches are counted for five minutes and then reported.
How often is logging displayed? (2)
(Timeline diagram: the initial ACE#1 match produces an immediate syslog for ACE#1; the ACE#2 and ACE#3 matches within the next second, and the further ACE#1 matches (#2, #3, #4) during the 5-minute interval, are counted and then reported in one syslog each for ACE#1, ACE#2 and ACE#3 at the end of the interval.)
Decreasing the Log Interval
» If you want logs for ACEs to be displayed MORE frequently than every 5 minutes, it can be done.
» Use caution: this INCREASES the CPU load.
Save my CPU!!!
» Even though logs for individual ACEs are only displayed every 5 minutes, EVERY packet that matches the ACE must be process-switched.
» This can result in heavy CPU load.
» How to reduce this?
Filtering on log output (1)
» ACL syslogs have different identifiers depending on the type of traffic that triggered the log.
Filtering on log output (2)
» When sending ACL syslogs to the logging buffer, one can filter on these identifiers.
Filtering on log output (3)
» From this (yuck!!)…
Filtering on log output (3)
» To this (YAY!!)…
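An added Python parser for the log and log-input messages discussed in this section (not part of the INE deck), showing the per-traffic-type identifiers one can filter on and how the initial 1-packet message and the later 5-minute summaries add up per ACE. The four syslog lines are constructed; their %SEC-6-IPACCESSLOGP/DP/NP shape follows what IOS emits for TCP/UDP, ICMP and other IP protocols respectively, with the interface and MAC fields present only when the ACE uses log-input.

```python
import re
from collections import Counter

# Constructed sample of an IOS logging buffer (not real device output).
SAMPLE_LOG = """\
*Mar  1 00:10:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 200.1.5.7(1027) (FastEthernet0/0 0011.2233.4455) -> 10.0.0.100(23), 1 packet
*Mar  1 00:10:02.456: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 200.1.5.7 -> 22.22.22.22 (8/0), 1 packet
*Mar  1 00:15:01.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 200.1.5.7(1027) (FastEthernet0/0 0011.2233.4455) -> 10.0.0.100(23), 41 packets
*Mar  1 00:15:02.000: %SEC-6-IPACCESSLOGNP: list 101 denied 47 200.1.5.9 -> 10.0.0.101, 3 packets
"""

# P = TCP/UDP (ports), DP = ICMP (type/code), NP = any other IP protocol number.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"       # only present with log-input
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_acl_logs(text):
    """Turn each ACL syslog line into a dict; lines that are not ACL logs are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records

def tally(records):
    """Packets per (acl, action, proto, src, dst): the initial 1-packet log plus the 5-minute summaries."""
    c = Counter()
    for r in records:
        c[(r["acl"], r["action"], r["proto"], r["src"], r["dst"])] += r["count"]
    return c

def identifier_counts(records):
    """How many messages carried each identifier (what a buffer filter on P/DP/NP would keep)."""
    return Counter(r["kind"] for r in records)
```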
Q&A