Router Security (Access Control List (ACL))
Lecture 5
Asst. Prof. Dr. Noor Ghazi

Objectives
- Learn about access control lists.
- Understand the types of access control lists (ACL).
- Understand and configure standard ACL.
- Understand and configure extended ACL.

What are ACLs?
An access list is a sequential series of commands or filters. These lists tell the router what types of packets to:
- accept, or
- deny.
Acceptance and denial can be based on specified conditions. ACLs are applied on the router's interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL.
Some ACL decision points are:
• IP source address.
• IP destination address.
• UDP or TCP protocols.
• Upper-layer (TCP/UDP) port number.

How ACLs are executed
An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface. ACL statements operate in sequential, logical order.
After determining whether the frame has a matching Layer 2 address or is a broadcast, the router checks whether an ACL is present on the interface:
- If the packet is accepted or there is no ACL: the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
- If an ACL exists: the packet is tested against the statements in the list. If the packet matches a statement, it is either accepted or rejected. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
- If all the ACL statements are unmatched, the implicit "deny any" statement that is placed at the end of the list by default applies: a packet that does not match the condition on any line of the access list is discarded.

Types of ACLs
Standard IP ACLs
Can only filter on source IP addresses.
Extended IP ACLs
Can filter on:
• Source IP address.
• Destination IP address.
• Protocol (TCP, UDP).
• Port numbers (Telnet – 23, HTTP – 80, etc.).

Create Standard ACL

Applying ACL
When an access list is created, it does not do anything until it is applied. Access lists are inactive until you tell the router what to do with them. To use an access list as a packet filter:
- Apply it to an interface on the router where you want the traffic filtered.
- Specify which direction of traffic you want the access list applied to.
When specifying the direction of traffic, you can and must use different access lists for inbound and outbound traffic on a single interface:
- Inbound access lists: the IOS checks the packets before they are routed to the outbound interface, i.e. before they are sent to the routing table process.
- Outbound access lists: the IOS checks the packets after they are sent to the routing table process.

• An ACL containing numbered ACL statements cannot be altered. It must be deleted by using the no access-list list-number command and then recreated.

Example
• To create a standard access control list that denies any packets from the host 172.16.30.2:
  R(config)# access-list 10 deny host 172.16.30.2
Or
  R(config)# access-list 10 deny 172.16.30.2 0.0.0.0 (using wildcard masks!!)

Wildcard Masks
A wildcard mask is a 32-bit quantity that is divided into four octets. A wildcard mask is paired with an IP address. Wildcards are used with access lists to specify an individual host, a network, or a specific range of a network or networks. Wildcards are used with the host or network address to tell the router a range of available addresses to filter. Wildcard masks are designed to filter individual or groups of IP addresses, permitting or denying access to resources based on the address.

Examples of Wildcard Masks
Block traffic from the network 192.168.40.0/24:
  R(config)# access-list 10 deny 192.168.40.0 0.0.0.255
Block traffic from networks that start at network 172.16.16.0/22 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.255:
  R(config)# access-list 10 deny 172.16.16.0 0.0.3.255
This example is for an access list starting at 172.16.16.0/21 and going up a block size of 8 to 172.16.23.255:
  R(config)# access-list 10 deny 172.16.16.0 0.0.7.255
This example is for an access list that starts at network 172.16.64.0/18 and goes up a block size of 64 to 172.16.127.255:
  R(config)# access-list 10 deny 172.16.64.0 0.0.63.255
Note: If you want to block access to part of the network, remember that the wildcard is always one number less than the block size.

Extended Access Control Lists
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses.

Create Extended ACL
• If the operator and operand follow the source address, they refer to the source port.
• If the operator and operand follow the destination address, they refer to the destination port.

Applying Extended ACL
The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:
  Router(config-if)# ip access-group access-list-number {in | out}

Extended ACL: Example 1
Deny access to a host at 172.16.50.5 on the finance department LAN for both Telnet and FTP services. All other services on this and all other hosts are acceptable for the sales and marketing departments to access.
  Lab_A# config t
  Lab_A(config)# access-list 110 deny tcp any host 172.16.50.5 eq 21
  Lab_A(config)# access-list 110 deny tcp any host 172.16.50.5 eq 23
  Lab_A(config)# access-list 110 permit ip any any
  Lab_A(config)# int fa0/1
  Lab_A(config-if)# ip access-group 110 out

Extended ACL: Example 2
• Allow HTTP access to the Finance server from source Host B only. All other traffic will be permitted.
  Lab_A# config t
  Lab_A(config)# access-list 110 permit tcp host 192.168.177.2 host 172.22.89.26 eq 80
  Lab_A(config)# access-list 110 deny tcp any host 172.22.89.26 eq 80
  Lab_A(config)# access-list 110 permit ip any any
  Lab_A(config)# interface fastethernet 0/1
  Lab_A(config-if)# ip access-group 110 out

Verifying the ACL configuration
• show access-lists command: displays the access-lists configuration.
• show ip interface command: displays the access-lists interface assignments.
• show running-config command: displays the configuration output, including access-lists and assignments.
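A worked model of what the wildcard-mask and extended-ACL slides describe: Cisco wildcard matching (1 bits are ignored), the sequential first-match rule, and the implicit deny at the end of the list, run over the lecture's own access-list syntax and its Example 1. This is an added illustration, not code from the lecture or from Cisco IOS; wildcard_for_prefix, evaluate and the packet dictionaries are constructed for this example.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # what the IOS keyword 'any' expands to

def wildcard_for_prefix(cidr):
    # Wildcard = bit-inverse of the subnet mask, e.g. /22 -> 0.0.3.255 (block size 4, minus one).
    return str(ipaddress.ip_network(cidr, strict=False).hostmask)

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard semantics: a 1 bit means "ignore this bit"; 0 bits must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W', then an optional 'eq PORT'.
    t = tokens.pop(0)
    if t == "any":
        base, wc = ANY
    elif t == "host":
        base, wc = tokens.pop(0), "0.0.0.0"
    else:
        base, wc = t, tokens.pop(0)
    port = None
    if tokens[:1] == ["eq"]:
        _, port = tokens.pop(0), int(tokens.pop(0))
    return base, wc, port

def parse_entry(line):
    # 'access-list N {permit|deny} ...': numbers 1-99 are standard, 100-199 extended.
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99:  # standard ACL: source address only, destination implicitly any
        return action, "ip", _take_addr(rest), (*ANY, None)
    proto = rest.pop(0)
    return action, proto, _take_addr(rest), _take_addr(rest)

def evaluate(acl_lines, pkt):
    # Statements are tested in order; the first match decides and the rest are skipped.
    for line in acl_lines:
        action, proto, (sb, sw, sp), (db, dw, dp) = parse_entry(line)
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], sb, sw) and wildcard_match(pkt["dst"], db, dw)
                and sp in (None, pkt.get("sport")) and dp in (None, pkt.get("dport"))):
            return action
    return "deny"  # nothing matched: the implicit 'deny any' at the end of every ACL

EXAMPLE1 = [  # the lecture's Extended ACL Example 1, as typed on Lab_A
    "access-list 110 deny tcp any host 172.16.50.5 eq 21",
    "access-list 110 deny tcp any host 172.16.50.5 eq 23",
    "access-list 110 permit ip any any",
]
```

Note that a UDP packet to port 23 on 172.16.50.5 is permitted by Example 1, because both deny lines match only tcp; the model makes that visible before the list is applied to an interface.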