Chapter #3: Volume #2

www.youtube.
com/shahinazelkasrawy
Chapter #3
Volume #2
www.facebook.com/eng.shahinaz
www.youtube.com/shahinazelkasrawy
Advanced IPv4 Access Control Lists
In This Chapter
▪ 5.0 Security Fundamentals

▪ 5.6 Configure and verify access control lists
EXTENDED NUMBERED IP ACCESS CONTROL LISTS
• You enable extended access lists on interfaces for packets either

entering or exiting the interface
• IOS searches the list sequentially
• Extended ACLs also use first-match logic
• Extended ACLs differ from standard ACLs mostly because of the
larger variety of packet header fields that can be used to match a
packet.
Matching the Protocol, Source IP, and Destination IP
• the extended ACL access-list command requires three matching

parameters: the IP protocol type, the source IP address, and the
destination IP address.
Extended ACL Syntax, with Required Fields
Extended access-list
Commands and Logic
Explanations
Matching TCP and UDP Port Numbers
Filtering Packets Based on Destination Port
Filtering Packets Based on Source Port
10
Popular Applications and

Their Well- Known Port Numbers
11
Extended access-list Command

Examples and Logic Explanations
12
Extended IP ACL Configuration
13
keep the following in mind
• Place extended ACLs as close as possible to the source of the

packets that will be filtered. Filtering close to the source of the
packets saves some bandwidth.
• Remember that all fields in one access-list command must match
a packet for the packet to be considered to match that access-list
statement.
• Use numbers of 100–199 and 2000–2699 on the access-list
commands; no one number is inherently better than another.
14
NAMED ACLS AND ACL EDITING
• Although both features are useful and important, neither adds any
function as to what a router can and cannot filter.
• Instead, named ACLs and ACL sequence numbers make it easier
to remember ACL names and edit existing ACLs when an ACL
needs to change.
15
Named IP Access Lists
16
Named Access List Configuration
17
Removing One Command from a Named ACL
18
Editing ACLs Using

Sequence Numbers
19
Adding to and Displaying a

NumberedACL Configuration
20
ACL Implementation Considerations
• Place extended ACLs as close as possible to the source of the packet.

• This strategy allows ACLs to discard the packets early.
• Place standard ACLs as close as possible to the destination of the
packet. This strategy avoids the mistake with standard ACLs (which
match the source IPv4 address only) of unintentionally discarding
packets that did not need to be discarded.
• Place more specific statements early in the ACL.
• Disable an ACL from its interface (using the no ip access-group
interface subcommand) before making changes to the ACL.
21
Chapter #4
Volume #2
Security Architectures
In This Chapter
▪ 5.0 Security Fundamentals

▪ 5.1 Define key security concepts (threats, vulnerabilities, exploits, and mitigation
techniques)
▪ 5.2 Describe security program elements (user awareness, training, and physical access
control)
▪ 5.4 Describe security password policies elements, such as management, complexity, and
password alternatives (multifactor authentication, certificates, and biometrics)
▪ 5.8 Differentiate authentication, authorization, and accounting concepts
24
Enterprise Extends
Beyond Its Own Boundary
25
Security Terminology Illustrated
26
Attacks That Spoof Addresses
• Spoofing attacks focus on one vulnerability; addresses and

services tend to be implicitly trusted. Attacks usually take place
by replacing expected values with spoofed or fake values
27
A Sample Spoofing Attack
28
Denial-of-Service Attacks
When an attacker is able to deplete a

system resource, services and systems
become unavailable or crash
called a denial-of-service (DoS) attack

because it denies service to legitimate
users or operations. DoS attacks can
involve something as simple as ICMP
echo (ping) packets, a flood of UDP
packets, and TCP connections, such as
the TCP SYN flood attack previously
described
29
“ ▪ distributed
denial-of-service
(DDoS) attack A DoS
attack that is distributed
across many hosts
under centralized
control of an attacker,
all targeting the same
victim. 30
Reflection and Amplification Attacks
31
“ ▪ If an attacker is able to send a

small amount of traffic to a
reflector and leverage a protocol
or service to generate a large
volume of traffic toward a target,
then an amplification attack has
occurred. In effect, such an
attack amplifies the attacker’s
efforts to disrupt the target.
32
Man-in-the-Middle Attacks
• Sometimes an attacker
might want to
eavesdrop on data that
passes from one
machine to another,
avoiding detection
33
A Man-in-the-Middle Attack Succeeds
34
Reconnaissance Attacks
• discover more details about the target and its systems prior to an actual attack.
• During a reconnaissance attack, the attacker can use some common tools to
uncover public details like who owns a domain and what IP address ranges are
used there.
• Then the attacker can progress to using ping sweeps to send pings to each IP
address in the target range. Hosts that answer the ping sweep then become live
targets.
• Port scanning tools can then sweep through a range of UDP and TCP ports to see
if a target host answers on any port numbers. Any replies indicate that a
corresponding service is running on the target host. Keep in
35
Buffer Overflow Attacks
• This means some incoming data might be stored in unexpected

memory locations if a buffer is allowed to fill beyond its limit.
• An attacker can exploit this condition by sending data that is
larger than expected.
• If a vulnerability exists, the target system might store thatdata,
overflowing its buffer into another area of memory,
• eventually crashing a service or the entire system.
36
Malware (malicious software)
• For example, a trojan horse is malicious software that is hidden

and packaged inside other software that looks normal and
legitimate
• Trojan horse malware can spread from one computer to another
only through user interaction such as opening email attachments,
downloading software from the Internet, and inserting a USB
drive into a computer.
37
“ ▪ In contrast, viruses are

malware that can
propagate between
systems more readily.
To spread, virus
software must inject
itself into another
application
38
“ ▪ An attacker develops
worm software and
deposits it on a system.
From that point on, the
worm replicates itself and
spreads to other systems
through their
vulnerabilities, then
replicates and spreads
39
again and again.
Summary of Malware Types
40
Human Security Vulnerabilities
41
Password Vulnerabilities
42
CONTROLLING AND MONITORING USER ACCESS
• You can manage user activity to and through systems with

authentication, authorization, and accounting (AAA, also
pronounced “triple-A”) mechanisms.
▫ Authentication: Who is the user?
▫ Authorization: What is the user allowed to do?
▫ Accounting: What did the user do?
43
AAA servers usually support the following two protocols

to communicate with enterprise resources:
• TACACS+: A Cisco proprietary protocol that separates each of

the AAA functions. Communication is secure and encrypted over
TCP port 49.
• RADIUS: A standards-based protocol that combines
authentication and authorization into a single resource.
Communication uses UDP ports 1812 and 1813 (accounting) but
is not completely encrypted.
44
A Simplified View of AAA
45
DEVELOPING A SECURITY PROGRAM TO EDUCATE

USERS
• User awareness: All users should be made aware of the need for data confidentiality to protect corporate
information, as well as their own credentials and personal information. They should also be made aware of
potential threats, schemes to mislead, and proper procedures to report security incidents. Users should also be
instructed to follow strict guidelines regarding data loss. For example, users should not include sensitive
information in emails or attachments, should not keep or transmit that information from a smartphone, or
store it on cloud services or removable storage drives.
• User training: All users should be required to participate in periodic formal training so that they become
familiar with all corporate security policies. (This also implies that the enterprise should develop and publish
formal security policies for its employees, users, and business partners to follow.)
• Physical access control: Infrastructure locations, such as network closets and data centers, should remain
securely locked. Badge access to sensitive locations is a scalable solution, offering an audit trail of identities
and timestamps when access is granted. Administrators can control access on a granular basis and quickly
remove access when an employee is dismissed.
46
Good Luck ☺
Eng. Shahinaz Elkasrawy

Chapter #3: Volume #2

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter #3: Volume #2

Uploaded by

Copyright:

Available Formats

www.youtube.

Advanced IPv4 Access Control Lists

▪ 5.0 Security Fundamentals

EXTENDED NUMBERED IP ACCESS CONTROL LISTS

• You enable extended access lists on interfaces for packets either

Matching the Protocol, Source IP, and Destination IP

• the extended ACL access-list command requires three matching

Extended ACL Syntax, with Required Fields

Matching TCP and UDP Port Numbers

Filtering Packets Based on Destination Port

Filtering Packets Based on Source Port

Popular Applications and

Extended access-list Command

Extended IP ACL Configuration

keep the following in mind

• Place extended ACLs as close as possible to the source of the

NAMED ACLS AND ACL EDITING

Named IP Access Lists

Named Access List Configuration

Removing One Command from a Named ACL

Editing ACLs Using

Adding to and Displaying a

ACL Implementation Considerations

• Place extended ACLs as close as possible to the source of the packet.

▪ 5.0 Security Fundamentals

Security Terminology Illustrated

Attacks That Spoof Addresses

• Spoofing attacks focus on one vulnerability; addresses and

A Sample Spoofing Attack

When an attacker is able to deplete a

called a denial-of-service (DoS) attack

Reflection and Amplification Attacks

“ ▪ If an attacker is able to send a

A Man-in-the-Middle Attack Succeeds

Buffer Overflow Attacks

• This means some incoming data might be stored in unexpected

Malware (malicious software)

• For example, a trojan horse is malicious software that is hidden

“ ▪ In contrast, viruses are

Summary of Malware Types

Human Security Vulnerabilities

CONTROLLING AND MONITORING USER ACCESS

• You can manage user activity to and through systems with

AAA servers usually support the following two protocols

• TACACS+: A Cisco proprietary protocol that separates each of

A Simplified View of AAA

DEVELOPING A SECURITY PROGRAM TO EDUCATE

You might also like