
Access Control Lists

(Beyond Standard and Extended)

www.ine.com
Course Prerequisites and Assumptions
» Prerequisite = CCNA ACL Videos
» ACLs are used as a classification tool by many
different features…this course will concentrate on
using ACLs purely for packet filtering.

Copyright © www.INE.com
Agenda
» Using L4/L5 Extensions in Access-Lists
» Reflexive Access-Lists
» Dynamic Access-Lists
» Using Object-Groups with ACLs
» Time-Based Access-Lists
» Access-List Logging Options
Review Quiz #1
» Shown below are some examples of the first few IOS
commands to configure various access-lists.
» Which of these, if completed, will only allow matching on
the source IP address of a packet?
A access-list 85 permit ……..
B access-list 100 permit ……..
C access-list 156 permit ……..
D access-list 1450 permit ……..
E access-list 2420 permit ……..

Review Quiz #2
» Given the following access-list and topology, which of the statements are true?
access-list 1 permit 150.75.1.0 255.255.254.254
interface FastEthernet0/0
ip access-group 1 in

A None of these PCs will be able to reach the server.
B All of these PCs will be able to reach the server.
C Only PC-A and PC-C will be able to reach the server.
D Only PC-A and PC-B will be able to reach the server.
E Only PC-B will be able to reach the server.

Review Quiz #3
» The three IP addresses below share some common bits. Create a
named, standard access-list called "INE" that contains only a single
ACE which will permit any packet from these source addresses and
any other addresses matching only these common bits:

21.45.0.242
88.243.0.138
178.101.0.135

Using L4/L5 Extensions in ACLs

Accessing Layer-4/5 ACL Options
» Extended ACLs provide the ability to match on Layer-4 and/or
Layer-5 information.
» Must supply the "TCP" or "UDP" keyword as the top-level
protocol.

[Figure: with TCP or UDP as the top-level protocol, L3-L5 options are available; with any other protocol only L3 options are available.]
Matching on TCP/UDP Port Numbers
» Session-Layer Port Numbers may be matched
in a variety of ways:
• eq 23 (matching on an exact port number that "equals" the supplied value).
• lt 1000 (matching on any value "less than" the supplied value).
• gt 500 (matching on any value "greater than" the supplied value).
• neq 20 (matching on any value "not equal to" the supplied value).
• range 100 200 (matching on any value in the supplied range of values).

How would you do this?
» Network Engineers within the Corporate Intranet should be
able to open TCP sessions to devices within the Testing Lab.
» Deny any devices from within the lab from initiating outbound
TCP sessions to the Corporate Intranet.
[Figure: Corporate Intranet (200.1.x.x /16) - Router A Fast0/0 (200.1.199.1 /30) - Testing Lab]
How would you do this?
» When TCP segments are received on Fast0/0 as a response
from sessions initiated from within the Corporate Intranet,
what will they all have in common?
[Figure: TCP handshake across Router A Fast0/0 between the Corporate Intranet (200.1.x.x /16) and the Testing Lab (200.1.199.1 /30): SYN out, SYN+ACK back, ACK out; all subsequent permitted traffic returning from the lab carries the ACK flag, or the Reset (RST) flag.]
Solution #1
RouterA(config)#access-list 101 permit tcp any any ack
RouterA(config)#access-list 101 permit tcp any any rst
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in
[Figure: with ACL 101 applied inbound on Fast0/0, the only TCP segments permitted from the Testing Lab (200.1.199.1 /30) into the Corporate Intranet (200.1.x.x /16) are those carrying the ACK or Reset flag.]
Solution #2
RouterA(config)#access-list 101 permit tcp any any established
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group 101 in

[Figure: same result as Solution #1; the "established" keyword matches TCP segments with the ACK or Reset flag set.]
Reflexive Access-Lists
(IP Session Filtering)

How would you do this?
» Network Engineers within the Corporate Intranet should be
able to transmit any type of data to devices within the
Testing Lab.
» If the Testing Lab is compromised, deny any devices from
within the lab from initiating outbound sessions to the
Corporate Intranet.
[Figure: Corporate Intranet (200.1.x.x /16) - Router A Fast0/0 (200.1.199.1 /30) - Testing Lab]
The Solution – Reflexive Access Lists
» Reflexive ACLs monitor for permitted, outgoing data of any type.
» Reflexive ACLs create a mirror-image of transmitted traffic which will be
permitted upon return.
» Reflexive entries expire after a configurable timeout value.
[Figure: Corporate Intranet - Router A Fast0/0 (200.1.199.1 /30) - Testing Lab; hosts 200.2.1.1 and 200.1.1.1]
1. ICMP Echo-Request from 200.2.1.1 to 200.1.1.1 (IP Protocol = 1)
2. Reflexive entry created: Permit from 200.1.1.1 to 200.2.1.1 (IP Protocol = 1)
3. ICMP Echo-Response from 200.1.1.1 to 200.2.1.1 (IP Protocol = 1)
4. Reflexive entry expires after the timeout value
Reflexive ACL Configuration (1)
» Create a Named, Extended ACL for monitoring egress traffic
from trusted sources. (Can be any name.)

RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror
Reflexive ACL Configuration (2)
» Create a Named, Extended ACL for monitoring ingress
traffic from untrusted sources. (Can be any name.)

RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror
(The name after "evaluate" must match the name previously supplied after the "reflect" keyword.)
Reflexive ACL Configuration (3)
» Apply both ACLs to the interface facing untrusted networks.
RouterA(config)#ip access-list extended EGRESS
RouterA(config-ext-nacl)#permit ip any any reflect Mirror
RouterA(config)#ip access-list extended INGRESS
RouterA(config-ext-nacl)#evaluate Mirror
RouterA(config)#interface FastEthernet0/0
RouterA(config-if)#ip access-group EGRESS out
RouterA(config-if)#ip access-group INGRESS in
Reflexive ACL Timeout Values
» Reflexive ACLs have timeout values.
A. Graceful TCP Close (2-segments seen with FIN flags): Timeout=5-secs
B. TCP Reset: Timeout = immediate
C. TCP packets no longer seen? Timeout = 300-seconds
D. UDP, ICMP and all others? Timeout = 300-seconds after last packet seen.

» Changing the timeout value:
• Values for "A" and "B" above cannot be changed.
• Values for "C" and "D" above can be changed per ACE or globally.
Configuring Timeout Values
» Modifying Global Reflexive ACL Timeout value.

» Modifying Reflexive Timeout within ACE entries.

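An added example, not from the INE slides, showing both places the reflexive timeout can be set, using the EGRESS/INGRESS/Mirror names from the slides above; the trusted range 200.1.0.0/16, the 120- and 60-second values, and the deny-with-log entries are assumptions.

```cisco
! Global default for every reflexive entry that carries no per-ACE timeout
! (replaces the 300-second default described on the Timeout Values slide)
ip reflexive-list timeout 120
!
! Egress ACL: only the trusted Corporate Intranet range (assumed 200.1.0.0/16)
! creates Mirror entries; the per-ACE "timeout" overrides the global value
ip access-list extended EGRESS
 permit tcp 200.1.0.0 0.0.255.255 any reflect Mirror timeout 60
 permit ip 200.1.0.0 0.0.255.255 any reflect Mirror
 deny ip any any log
!
! Ingress ACL: "evaluate" is the point where returning traffic is checked
! against the Mirror entries; anything else from the lab is dropped and logged
ip access-list extended INGRESS
 evaluate Mirror
 deny ip any any log
!
! Fast0/0 faces the Testing Lab (untrusted), as in the slides
interface FastEthernet0/0
 ip access-group EGRESS out
 ip access-group INGRESS in
```

"show access-lists" then lists the temporary Mirror entries with their remaining timeouts while a session is active.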
Monitoring Reflexive ACLs
» Before the dynamic entry is created by the
reflexive ACL:

» After the Reflexive ACL entry is created:

Dynamic Access Lists
“Lock and Key”

The Objective…
» You’ve hired a contractor for the next 3-months to work on
Project-X.
» This project requires that the contractor be allowed access to
certain devices/ subnets…but not others.
» Access should be denied after 5-minutes of inactivity, or an
absolute timeout of 15-minutes.
[Figure: Internet - Project-X temporary contractor - Router A Fast0/0 - Corporate Intranet]
Solution #1
» Every authentication request offloaded to a central
authentication database.
» Might require manual configuration of each device.

[Figure: Internet - Project-X temporary contractor - Router A Fast0/0 - Authentication Server]
Solution #2 – Dynamic ACLs
1. User must first telnet to router.
2. After successful authentication, Telnet session closed and
dynamic ACL created on interface.
3. Dynamic ACL removed from interface after configurable,
absolute-timeout (or idle-timeout) value.
[Figure callouts: 2 "I'll allow that user to access those resources for 5-minutes!" 3 "15-minutes are up! User is no longer allowed!"]

Dynamic ACL Configuration (1)
username bob password 0 projX
username bob autocommand access-enable timeout 5

Or…

line vty 0 4
autocommand access-enable timeout 5

Dynamic ACL Configuration (2)
access-list 101 dynamic Project timeout 15 permit ip any 2.4.0.0 0.0.0.255
access-list 101 permit tcp any host 1.1.1.1 eq telnet
!
line vty 0 4
login local
(Named ACLs can also be used.)

Dynamic ACL Configuration (3)

interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.252
ip access-group 101 in
!
interface FastEthernet0/1
ip address 1.2.1.1 255.255.255.252
!

Monitoring Dynamic ACLs
» Before the Dynamic ACL is applied…

» After successful authentication…

Clearing Dynamic ACL Entries
» If you ever need to manually delete a Dynamic
ACL entry:

Extending Dynamic ACL Entries
» An IOS command allows users to extend the life of
their Dynamic ACE by an additional 6-minutes:

Dynamic ACL Rules
» Cannot be used to provide different access rights
to different users.
» Dynamic ACLs may use either an “idle-timeout” or
“absolute-timeout” value.
» "autocommand access-enable" may be configured
either:
• At the “username” level
• Within the VTY line
Object Groups in IOS

Object Groups
» Originally designed for Cisco ASA Firewalls


» Command Syntax slightly different on IOS Routers than
ASA Firewalls
» Object Groups simplify ACL management by grouping
similar “objects” together.
• E.g. Public_Web_Servers Group

» Allows for more modular changes


• A change to an Object Group dynamically affects all ACEs referencing that group.
Types of Object Groups in Routers

» Cisco routers provide two types of Object Groups:


• Network Group: For defining IP Address-related objects
• Service Group: For defining Protocols and Ports

Simplification with Object Groups (1)
» From this…
[Figure: one ACE per pair: 200.0.0.1 and 200.0.0.2 are permitted (OK!!) to 10.0.0.100 and 10.0.0.101; any other source x.x.x.x is denied (NO!!).]
Simplification with Object Groups (2)
» To this…
[Figure: the same policy expressed with Object Groups: 200.0.0.1 and 200.0.0.2 permitted (OK!!) to 10.0.0.100 and 10.0.0.101; any other source x.x.x.x denied (NO!!).]

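Added example, not the deck's own configuration, expressing the policy in the two figures above first as individual ACEs and then with object groups; the group and ACL names, and the assumption that the permitted traffic is HTTP/HTTPS, are mine.

```cisco
! "From this": one ACE per client/server pair (HTTP/HTTPS assumed)
ip access-list extended WEB_OLD
 permit tcp host 200.0.0.1 host 10.0.0.100 eq www
 permit tcp host 200.0.0.1 host 10.0.0.101 eq www
 permit tcp host 200.0.0.2 host 10.0.0.100 eq www
 permit tcp host 200.0.0.2 host 10.0.0.101 eq www
 permit tcp host 200.0.0.1 host 10.0.0.100 eq 443
 permit tcp host 200.0.0.1 host 10.0.0.101 eq 443
 permit tcp host 200.0.0.2 host 10.0.0.100 eq 443
 permit tcp host 200.0.0.2 host 10.0.0.101 eq 443
 deny ip any any
!
! "To this": the same policy with a network group for each side and a
! service group for the ports (names are assumptions)
object-group network Allowed_Clients
 host 200.0.0.1
 host 200.0.0.2
!
object-group network Public_Web_Servers
 host 10.0.0.100
 host 10.0.0.101
!
object-group service Web_Services
 tcp eq www
 tcp eq 443
!
! Order is: service group, source group, destination group
ip access-list extended WEB_NEW
 permit object-group Web_Services object-group Allowed_Clients object-group Public_Web_Servers
 deny ip any any
!
! Adding a third server later is one line; every ACE referencing the
! group picks it up without editing the ACL itself
object-group network Public_Web_Servers
 host 10.0.0.102
```

Note that a network object-group entry for a whole subnet takes a subnet mask (e.g. 10.0.0.0 255.255.255.0), unlike the wildcard mask used in a plain ACE.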
Time-Based Access-Lists

The Objective

» Employees should NOT be allowed to surf the Internet during work hours.
[Figure: Internet - Router A Fast0/0 - Corporate Intranet (2.2.x.x /16)]
The Solution: Time-Based ACLs
» Time-Based ACLs activate ACEs during times you
define.
» Times defined within a global “Time-range”
» May be periodic or absolute.

Time-Based ACL Configuration (1)
» Ensure your router/switch has an accurate clock:

» Create a global time-range:

Time-Based ACL Configuration (2)
» Decide on either absolute or periodic

Time-Based ACL Configuration (3)
» Complete the command by defining the time interval(s)

» Apply the time-range to your ACL

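An added example, not from the slides, carrying the steps above through for the stated objective; the time zone, the NTP server address, the work hours, the 2.2.0.0/16 intranet range, the absolute dates and the assumption that Fast0/0 faces the Internet are all assumptions.

```cisco
! Step 1: an accurate clock, otherwise the time-range activates at the
! wrong moment (time zone and NTP server address are assumptions)
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10
!
! Step 2/3: a global time-range using a periodic interval (work hours assumed)
time-range WORK_HOURS
 periodic weekdays 8:00 to 17:00
!
! The absolute form is the alternative, e.g. for a fixed project window
time-range PROJECT_WINDOW
 absolute start 00:00 1 June 2024 end 23:59 31 August 2024
!
! Step 4: attach the time-range to the ACEs that should only be active
! during it; outside the range those ACEs are inactive and the final
! permit applies. Assumes the Corporate Intranet is 2.2.0.0/16.
ip access-list extended NO_WEB_AT_WORK
 deny tcp 2.2.0.0 0.0.255.255 any eq www time-range WORK_HOURS
 deny tcp 2.2.0.0 0.0.255.255 any eq 443 time-range WORK_HOURS
 permit ip any any
!
! Assumes Fast0/0 faces the Internet, so the ACL is applied outbound
interface FastEthernet0/0
 ip access-group NO_WEB_AT_WORK out
```

"show time-range" reports whether each range is currently active, and "show access-lists" marks time-ranged ACEs as active or inactive.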
Monitoring Time-Based ACLs

Access-List Logging

Logging
» ACE entries can be appended with Logging-related
keywords
• Access-list x ………….log
• Access-list x …………..log-input
» Logging allows for Syslogs to be displayed providing hit-
counts and evidence of ACL activity.
» Logging forces packets matching ACE entries to be
process-switched = increased CPU load.

Log and Log-Input
Access-list 101 permit icmp any host 22.22.22.22 log

Access-list 101 permit icmp any host 22.22.22.22 log-input

Access-list 101 xxxxxxxxxxx log-input EmailServer
(The word after "log-input", here "EmailServer", is an optional "cookie" that is included in the syslog message.)

How often is logging displayed? (1)
» Individual ACEs can have the “log” or “log-input”
keywords.
» When an ACL is applied to an interface, syslogs are
generated:
• Once every 5-minutes for packets matching a particular ACE.
• If any log-enabled ACE in any ACL on any interface matches a
packet within one second of the initial log message, the match or
matches are counted for five minutes and then reported.

How often is logging displayed? (2)
[Figure: timeline. The initial ACE#1 match produces a syslog immediately; ACE#2 and ACE#3 matches within the following 1-second window, and further ACE#1 matches (#2, #3, #4), are counted rather than logged; after 5-minutes a syslog is generated for each of ACE#1, ACE#2 and ACE#3 with the accumulated counts.]
Decreasing the Log Interval
» If you want logs for ACEs to be displayed
MORE frequently than every 5-minutes…it can
be done.
» Use caution…this INCREASES the CPU load.

Save my CPU!!!
» Even though logs for individual ACEs are only
displayed every 5-minutes…EVERY packet that
matches the ACE must be process-switched.
» This can result in heavy CPU load.
» How to reduce this?

Filtering on log output (1)
» ACL syslogs have different identifiers depending on type of
traffic that triggered the log.

Filtering on log output (2)
» When sending ACL Syslogs to logging buffer, one can filter
on these identifiers.

Filtering on log output (3)
» From this (yuck!!)…

Filtering on log output (4)
» To this (YAY!!)…

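Added example, not from the deck, covering both the "Decreasing the Log Interval" slide and the filtering slides: a log-update threshold so a syslog is generated before the 5-minute interval, and a logging discriminator so the logging buffer keeps only ACL syslogs. The ACL, the threshold, the discriminator names and the buffer size are assumptions; the IPACCESSLOG mnemonics are the standard IOS ones.

```cisco
! Log-enabled ACEs from the slides; the "cookie" word makes the resulting
! syslog easy to match on
access-list 101 permit icmp any host 22.22.22.22 log-input EmailServer
access-list 101 deny ip any any log-input
!
! Report after this many matches instead of waiting for the 5-minute
! interval. Lower values mean more syslogs and more CPU, so keep it high.
ip access-list log-update threshold 1000
!
! IOS ACL syslogs use different mnemonics depending on the traffic type:
!   IPACCESSLOGP  - TCP/UDP (port numbers shown)
!   IPACCESSLOGDP - ICMP (type/code shown)
!   IPACCESSLOGNP - other IP protocols
!   IPACCESSLOGS  - standard ACL matches
! A discriminator matched on the mnemonic keeps only those messages
! in the buffer; other logging destinations are unaffected.
logging discriminator ACL_ONLY mnemonics includes IPACCESSLOG
logging buffered discriminator ACL_ONLY 65536 informational
!
! Narrower variant: buffer only the ICMP-triggered ACL syslogs
logging discriminator ICMP_ACL mnemonics includes IPACCESSLOGDP
```

"show logging" then shows the active discriminator and only the filtered messages in the buffer.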
Q&A

Copyright © INE Inc. All rights reserved.