
ACL Example

The simplest type of firewall is a packet filter. As the name implies, packet filters look at individual
packets in isolation. Based on the contents of the packet and the configured policy, they decide to
permit or deny packets from entering or exiting the router interface. Packet filters generally have
robust options for differentiating desirable and undesirable packets.

Common options include the following:

- Source and destination IP addresses at the network layer.
- Protocol differentiation at the transport layer: TCP, UDP, ICMP, OSPF, and so on.
- When the transport layer is TCP or UDP, source and destination ports can be specified.
- When the transport layer is ICMP, types and codes can be specified.
- When the traffic is TCP, the presence of the ACK bit or the RST bit can be verified. Under normal TCP connection flow, neither of these bits is ever set in the first packet of a new TCP connection.

Packet filtering is commonly implemented on Cisco IOS routers and switches. ACLs are used to
classify packets. ACLs can be used for various functions on a Cisco IOS router. For example, they
can be used to classify which packets are permitted into a priority queue. They can be used to
classify which networks an OSPF process will advertise or which network advertisements an OSPF
process will accept. They can be used to classify which packets will have their forwarding path
specified by a policy-based route.

When an ACL is applied to an interface with the access-group command, it implements a packet
filter. Referring to the topology that is depicted above, consider the following ACL applied to the gi0/1
interface in the inbound direction:

Apply ACL to the gi0/1 Interface

    access-list 100 permit tcp any 10.10.10.10 eq www
    access-list 100 permit tcp any 10.10.10.10 eq 443
    access-list 100 permit tcp any 10.10.10.11 eq www
    access-list 100 permit tcp any 10.10.10.11 eq 443
    access-list 100 permit tcp any 10.10.10.12 eq ftp
    access-list 100 permit tcp any 10.10.10.12 eq ftp-data
    access-list 100 deny ip any any log
    !
    interface gi0/1
     ip address 10.1.1.1 255.255.255.0
     ip access-group 100 in
    <output omitted>

The ACL describes a policy of what is permitted and denied from the user subnet to the server
subnet. To be effective, it can either be applied inbound on the interface connecting to the user
subnet or it can be applied outbound on the interface connected to the server subnet. Some points of
interest in this example include:

- Clients on the user subnet are permitted to send packets to TCP ports 80 and 443 on the two web servers on the server subnet.
- Clients on the user subnet are permitted to send packets to TCP ports 20 and 21 on the FTP server on the server subnet.
- Standard FTP will function. Clients establish the control channel by connecting to port 21 on the FTP server. When the client requests a data transfer, it obtains an ephemeral TCP port from its operating system and conveys that port to the FTP server. The server then opens a data channel by connecting from TCP port 20 to the specified ephemeral port on the client. All packets sent from the client to the server that are associated with this data connection are sent to TCP port 20.
- Passive FTP will not function. Clients establish the control channel by connecting to port 21 on the FTP server. When the client requests a data transfer, it specifies the request as passive. The server application then requests an ephemeral port from its operating system and communicates the port to the client. The client then initiates the data channel by connecting to the ephemeral port on the server. This connection would not be allowed by the ACL as written, which is one example of the difficulty packet filters have in handling protocols that use dynamically negotiated connections.
- No connections are allowed from the user subnet to the SQL Server. The SQL Server is there to provide real-time data to be presented by the web servers. Access to the data must be through the interface that is provided by the web servers. The SQL Server is largely protected from the user subnet.
- There is an explicit deny for all other packets as the last entry in the ACL. While this line is not required to deny all packets that were not matched by earlier entries, it does serve two purposes. First, hit counters are maintained for each line in the ACL. The administrator can use the show access-list 100 command to view the ACL and each entry's hit count. Without the explicit deny, there would be no record of the number of packets that were denied by the ACL. Second, the explicit deny uses the log argument, which causes syslog messages to be generated for the denies; these can facilitate central audit trails of rejected traffic. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. It should therefore be used with discretion.

Note: By default, an implicit deny ip any any entry is at the end of every ACL. Anything that is not
explicitly permitted is denied.
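As an added illustration (not code from the course material), the following Python evaluates the ACL above against constructed client packets: it parses the IOS access-list lines, applies first-match semantics with the implicit deny, keeps the per-entry hit counters that show access-list would display, and shows why an active FTP data connection passes while a passive FTP data connection is denied. The client address 10.1.1.50 and the ephemeral port 49152 are constructed values, and the wildcard-mask address form is not handled.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Added example (not course code): first-match evaluator for the ACL above.
PORT_KEYWORDS = {"www": 80, "ftp": 21, "ftp-data": 20}  # IOS port keywords
ACL_100 = """\
access-list 100 permit tcp any 10.10.10.10 eq www
access-list 100 permit tcp any 10.10.10.10 eq 443
access-list 100 permit tcp any 10.10.10.11 eq www
access-list 100 permit tcp any 10.10.10.11 eq 443
access-list 100 permit tcp any 10.10.10.12 eq ftp
access-list 100 permit tcp any 10.10.10.12 eq ftp-data
access-list 100 deny ip any any log"""

def _addr(tokens):
    # 'any', 'host A.B.C.D', or a bare address (one host, as in the listing)
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    return IPv4Network((tokens.pop(0) if tok == "host" else tok) + "/32")

def parse_acl(text):
    """Entries are dicts: action, proto, src, dst, dport (None = any), log, hits."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        e, rest = {"action": t[2], "proto": t[3], "dport": None, "hits": 0}, t[4:]
        e["src"], e["dst"] = _addr(rest), _addr(rest)
        if rest[:1] == ["eq"]:
            e["dport"] = PORT_KEYWORDS.get(rest[1]) or int(rest[1])
        entries.append({**e, "log": "log" in rest})
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; an unmatched packet hits the implicit deny (index None)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for i, e in enumerate(entries):
        if (e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]
                and e["dport"] in (None, dport)):
            e["hits"] += 1
            return e["action"], i
    return "deny", None

def ftp_demo():
    # Constructed client 10.1.1.50; 49152 stands in for a server ephemeral port.
    acl = parse_acl(ACL_100)
    active = evaluate(acl, "tcp", "10.1.1.50", "10.10.10.12", 20)     # data to port 20
    passive = evaluate(acl, "tcp", "10.1.1.50", "10.10.10.12", 49152)  # PASV data
    return active, passive, acl[-1]["hits"]  # explicit deny's hit counter
```

Running ftp_demo() gives a permit on entry 5 for the active data packets, a deny on entry 6 for the passive data packet, and the deny line's hit counter at 1, which is the record the explicit deny provides and the implicit deny does not.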

The ip access-group command is then used to apply the access list to an interface.

A primary focus of security analysts is to investigate the ACL-related logs to identify or correlate
attacks on the network. It is also beneficial if a security analyst can assist the network
administrators in troubleshooting or fixing certain issues by looking at the logs.

Mar 30 2016 11:41:48.681 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59078) -> 192.168.2.1(80), 1 packet

Take a sample scenario where there is a complaint that the hosts on the 172.16.1.0/24 subnet
cannot access the 192.168.2.1 internal web server. The denied TCP log message above indicates that
the connection from the source IP address 172.16.1.92 to the destination IP address 192.168.2.1 on
TCP port 80 is denied.

With basic knowledge of access control lists, a security analyst can quickly verify the ACL
configuration regarding the 192.168.2.1 web server and the hosts on the 172.16.1.0/24 subnet. In
this case, if the traffic from the hosts on the 172.16.1.0/24 subnet to the 192.168.2.1 web server
on TCP port 80 is not meant to be denied, and it looks to be a configuration issue, the security
analyst can report the findings to the network administrator.
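An added example (not part of the original text) of the quick check the analyst above would run over a syslog extract: it parses %SEC-6-IPACCESSLOGP messages, skips unrelated syslog lines, and summarizes which hosts in 172.16.1.0/24 were denied to 192.168.2.1 on TCP port 80. The first log line is the one quoted above; the other lines are constructed samples, and only the port-carrying (TCP/UDP) message variant is parsed.

```python
import re
from ipaddress import ip_address, ip_network

# Added example (not course code): parse IOS %SEC-6-IPACCESSLOGP messages
# and summarize denies per destination service to support the triage above.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# The first line is the one quoted above; the rest are constructed samples.
SAMPLE_LOG = """\
Mar 30 2016 11:41:48.681 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59078) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:42:02.110 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.17(51200) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:46:48.900 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59080) -> 192.168.2.1(80), 12 packets
Mar 30 2016 11:47:01.003 EDT: %SEC-6-IPACCESSLOGP: list 185 permitted tcp 172.16.1.92(59090) -> 192.168.2.1(443), 1 packet
Mar 30 2016 11:47:30.555 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 10.9.9.9(40000) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:48:00.000 EDT: %SYS-5-CONFIG_I: Configured from console by admin
"""

def parse_log(text):
    """Return one dict per ACL log message; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            r = m.groupdict()
            for k in ("sport", "dport", "count"):
                r[k] = int(r[k])
            records.append(r)
    return records

def denied_summary(records, subnet, dst, dport):
    """Distinct sources in `subnet` and total packets denied to dst:dport.
    The count field can exceed 1 because IOS summarizes repeated matches."""
    net = ip_network(subnet)
    sources, packets = set(), 0
    for r in records:
        if (r["action"] == "denied" and r["dst"] == dst and r["dport"] == dport
                and ip_address(r["src"]) in net):
            sources.add(r["src"])
            packets += r["count"]
    return sorted(sources), packets
```

For the constructed sample, denied_summary(parse_log(SAMPLE_LOG), "172.16.1.0/24", "192.168.2.1", 80) reports two distinct hosts and 14 packets, which is the evidence the analyst would attach when reporting a suspected ACL misconfiguration.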
