1 / 29

Access Control Lists

Access Control Lists. Accessing the WAN – Chapter 5. Objectives. Explain how ACLs are used to secure a medium-size Enterprise branch office network. Configure standard ACLs in a medium-size Enterprise branch office network.

lauren
Download Presentation

Access Control Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control Lists Accessing the WAN– Chapter 5

  2. Objectives • Explain how ACLs are used to secure a medium-size Enterprise branch office network. • Configure standard ACLs in a medium-size Enterprise branch office network. • Configure extended ACLs in a medium-size Enterprise branch office network. • Describe complex ACLs in a medium-size Enterprise branch office network. • Implement, verify and troubleshoot ACLs in an enterprise network environment.

  3. How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network • What is ACL? • An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. • Steps that occur in a complete TCP conversation

  4. Conti… • ACLs control access to networks • Packet filtering works at Network Layer.

  5. Conti… • Flow chart to show how ACLs operate

  6. A general rule for applying ACLs • One ACL per protocol- • One ACL per direction • One ACL per interface

  7. Conti… • ACLs perform the following tasks: • Limit network traffic to increase network performance • Provide a basic level of security for network access. • Decide which types of traffic to forward or block at the router interfaces. • Control which areas a client can access on a network. • Screen hosts to permit or deny access to network services. • ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.

  8. How ACLs Work • Inbound ACLs • Outbound ACLs • ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time. • A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction.

  9. Types of ACLs • Standard ACLs • Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. Range from 1-99 • Extended ACLs • Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports • Naming ACLs • Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.

  10. Conti… • The two main tasks involved in using ACLs are as follows: • Step 1. Create an access list by specifying an access list number or name and access conditions. • Step 2. Apply the ACL to interfaces or terminal lines.

  11. Where to place ACLs • Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are: • Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

  12. General Guide Lines for Creating ACLs • Base your ACLs on the security policy of the organization. • Prepare a description of what you want your ACLs to do. • Use a text editor to create, edit and save ACLs. • Test your ACLs on a development network before implementing them on a production network. • Benefits • This will ensure you implement organizational security guidelines. • This will help you avoid inadvertently creating potential access problems. • This will help you create a library of reusable ACLs. • This will help you avoid costly errors.

  13. Configuring Standard ACL • Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] • E.g • R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 • The any and host Keywords • After a standard ACL is configured, it is linked to an interface using the ip access-group command: • Router(config-if)#ip access-group 1 out

  14. Host and Any • Example 1 • R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 • R1(config)#access-list 10 permit any • Example 2 • R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 • R1(config)#access-list 10 permit host 192.168.10.10

  15. Conti… • Cisco ACLs can be identified using standardized numbering or names

  16. Conti… • Where ACLs should be placed in a network

  17. Applying ACL • Apply a standard ACL to an interface

  18. Controlling VTY Access • R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 • R1(config)#access-list 10 permit 192.168.11. 0.0.0.255 • R1(config)#access-list 10 deny any • Implementing ACL on vty • R1(config)#line vty 0 4 • R1(config-line)#password secret • R1(config-line)#login • R1(config-line)#access-class 10 in

  19. Named ACLs • R1(config)#ip access-list standard NO_ACCESS • R1(config-std-nacl)#deny host 192.168.11.10 • R1(config-std-nacl)#permit 192.168.11.0 0.0.0.255 • R1(config)#interface fa0/0 • R1(config-if)#ip access-group NO_ACCESS out

  20. Testing for ports and services • Using port numbers • R1(config)#access-list 101 permit tcp any eq 23 • R1(config)#access-list 101 permit tcp any eq 21 • R1(config)#access-list 101 permit tcp any eq 20 • Using service name • R1(config)#access-list 101 permit tcp any eq telnet • R1(config)#access-list 101 permit tcp any eq ftp • R1(config)#access-list 101 permit tcp any eq ftp-data • Or • R1(config)#access-list 101 permit tcp any eq ?

  21. Types of Complex ACLs • Dynamic ACLs • Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. • Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. • Reflexive ACLs • Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. • Time-based ACLs • Time-based ACLs allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week.

  22. Verifying ACLs • How to monitor and verify ACLs

  23. Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network • Describe how to troubleshoot common ACL problems

  24. Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment • Create, place and verify a standard/ extended ACL and verify its placement. • Verify ACL’s functionality and troubleshoot as needed.

  25. Summary • An Access List (ACL) is: A series of permit and deny statements that are used to filter traffic • Standard ACL • Identified by numbers 1 - 99 and 1300 - 1999 • Filter traffic based on source IP address • Extended ACL • Identified by number 100 -199 & 2000 - 2699 • Filter traffic based on • Source IP address • Destination IP address • Protocol • Port number

  26. Summary • Named ACL • Used with IOS 11.2 and above • Can be used for either standard or extended ACL • ACL’s use Wildcard Masks (WCM) • Described as the inverse of a subnet mask • Reason • 0  check the bit • 1  ignore the bit

  27. Summary • Implementing ACLs • 1st create the ACL • 2nd place the ACL on an interface • Standard ACL are placed nearest the destination • Extended ACL are placed nearest the source • Use the following commands for verifying & troubleshooting an ACL • Show access-list • Show interfaces • Show run

  28. Summary • Complex ACL • Dynamic ACL • Reflexive ACL • Time based ACL

More Related