ccna security ch11 access control lists threat mitigation

Upload: florinn81

Post on 01-Jun-2018


8/9/2019 Ccna Security Ch11 Access Control Lists Threat Mitigation

    Chapter 11: Using Access Control Lists for Threat Mitigation

    I. Access Control List Fundamentals and Benefits

    1. Access Lists Aren't Just for Breakfast Anymore
    2. Stopping Malicious Traffic with an Access List
    3. What Can We Protect Against?
    4. The Logic in a Packet-Filtering ACL
    5. Standard and Extended Access Lists
    6. Line Numbers Inside an Access List
    7. Wildcard Masks
    8. Object Groups

    II. Implementing IPv4 ACLs as Packet Filters


    1. Putting the Policy in Place

    1. Configure > Router > ACL > ACL Summary

    a. This will show whether there are any ACLs in place


    2. Click ACL Editor on the left and click Add

    3. Input a name or number and use the drop-down to select standard or extended.

    4. Keep clicking the Add button to continue adding ACEs


    5. Use the Move Up or Move Down buttons to change the order of the ACEs

    6. Click OK to add the ACL to the router

    7. The following shows how to implement the same ACL in the CLI (Example 11-1 Using the CLI to Implement an Access List):

    ! adding comments in the form of remarks is helpful in remembering
    ! what a specific portion of the access list was intended for
    R1(config)# access-list 5 remark Block Server1's subnet from reaching Server 3
    ! using the log keyword at the end of the ACL entry (ACE) will create
    ! syslog messages whenever this line is matched. The syslog messages
    ! can be viewed wherever they are being sent, such as the logging buffer
    ! or a syslog server
    R1(config)# access-list 5 deny 11.11.11.0 0.0.0.255 log
    ! This last line of the access list is critical: it permits any traffic
    ! that wasn't previously denied. Without it, the implicit deny at the end
    ! of every ACL would drop all other traffic wherever this access list is
    ! applied, in the direction the access list inspects. 0.0.0.0 255.255.255.255
    ! is the same as the keyword any and is displayed as "permit any" by show access-lists
    R1(config)# access-list 5 permit 0.0.0.0 255.255.255.255


    9. The top portion shows where the ACL is applied (it hasn't been applied yet)

    10. The bottom portion shows details of each ACE


    11. Apply the ACL during ACL editing: click the Associate button

    12. Use the CLI to associate the ACL with an interface (Example 11-2 Using the CLI to Apply the Access List to an Interface):

    ! move to interface configuration mode
    R1(config)# interface GigabitEthernet3/0
    ! apply the access list using the access-group command, with the keyword out
    R1(config-if)# ip access-group 5 out


    13. Another option is to navigate to Configure > Interface Management > Interface and Connections, edit the properties of the interface and select ACL


    14. Let's now start in interface configuration to apply an ACL to the interface and create it at the same time.

    15. Configure > Interface Management > Interface and Connections, click Edit

    16. We are applying inbound, so select the Inbound button and create an ACL (this area allows the deletion, creation, and choosing of an existing ACL)


    17. We should be creating an object group before creating the ACL

    18. Configure > Router > ACL > Object Groups > Network Object Groups, click Create

    19. Add the server IP addresses 22.22.22.22 and 33.33.33.33, name the group and click OK.


    20. Using the CLI (Example 11-3 Create a Network Object Group):

    ! name the object group, and the type (in this case it's a network object group)
    R1(config)# object-group network A_Couple_Servers
    ! add a description if desired
    R1(config-network-group)# description Server2 and Server3's host addresses
    ! and the two hosts that will be identified by this object group
    R1(config-network-group)# host 33.33.33.33
    R1(config-network-group)# host 22.22.22.22

    21. Configure the ACL using object groups (Example 11-4 Using Object Groups as Part of the ACL):

    ! create the named or numbered access list, as long as it is extended;
    ! in this example we're using a named access list
    R1(config)# ip access-list extended IINS_Extended_ACL_Example
    ! you can add comments to your ACLs using the remark command if desired
    R1(config-ext-nacl)# remark This ACL uses object groups
    ! this entry permits TCP traffic from the 44.44.1.0/24 network if the
    ! traffic is destined for the two servers identified by the object group,
    ! and if the destination port is TCP 80 (web services). We could add
    ! logging with the log keyword at the end of each entry if desired
    R1(config-ext-nacl)# permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www
    ! next we deny all the other 44.44.x.x networks, including 44.44.1.0, from any
    ! further traffic to the servers. Because the access list is processed from top
    ! to bottom, this deny comes too late to stop the web traffic permitted by the
    ! previous line, which is the desired result
    R1(config-ext-nacl)# deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers
    ! now we have a permit for all other traffic that was not previously matched
    R1(config-ext-nacl)# permit ip any any
    R1(config-ext-nacl)# exit
    ! applying this access list inbound on the correct interface is what puts
    ! the policy into action
    R1(config)# interface GigabitEthernet1/0
    R1(config-if)# ip access-group IINS_Extended_ACL_Example in
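The packet-filtering logic that both ACL 5 (Example 11-1) and IINS_Extended_ACL_Example (Example 11-4) rely on, modelled in Python as an added example; this is not code from the book or from these notes. It implements wildcard-mask matching, network object groups, top-to-bottom first-match evaluation, per-ACE hit counters and the implicit deny, then runs constructed packets through both ACLs exactly as configured above. The class and function names are this example's own, the packets are made up for the demonstration, and the extended ACL's source networks are taken as 44.44.1.0/24 and 44.44.0.0/16, which is how they appear in the show access-lists output later in these notes.

```python
from dataclasses import dataclass
from typing import Optional, Union


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(octet) for octet in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class WildcardMatch:
    """Address plus wildcard mask. A 0 bit in the mask means 'must match', a 1 bit
    means 'don't care': 0.0.0.255 matches a /24, 255.255.255.255 matches 'any'."""
    address: str
    wildcard: str

    def matches(self, ip: str) -> bool:
        care = ~ip_to_int(self.wildcard) & 0xFFFFFFFF
        return (ip_to_int(ip) & care) == (ip_to_int(self.address) & care)


@dataclass(frozen=True)
class ObjectGroup:
    """'object-group network': the ACE matches if any member matches, while
    'show access-lists' still shows a single line with a single counter."""
    name: str
    members: tuple  # of WildcardMatch

    def matches(self, ip: str) -> bool:
        return any(member.matches(ip) for member in self.members)


ANY = WildcardMatch("0.0.0.0", "255.255.255.255")


def host(ip: str) -> WildcardMatch:
    """'host 33.33.33.33' is shorthand for wildcard 0.0.0.0."""
    return WildcardMatch(ip, "0.0.0.0")


@dataclass
class Ace:
    """One access control entry. A standard ACL leaves dst, proto and dst_port
    at their defaults and therefore tests the source address only."""
    action: str                                   # 'permit' or 'deny'
    src: Union[WildcardMatch, ObjectGroup]
    dst: Union[WildcardMatch, ObjectGroup] = ANY
    proto: str = "ip"                             # 'ip' matches every protocol
    dst_port: Optional[int] = None                # 'eq <port>' on the destination
    log: bool = False
    hits: int = 0                                 # the '(N matches)' counter

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"]  != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return self.src.matches(pkt["src"]) and self.dst.matches(pkt["dst"])


def evaluate(acl: list, pkt: dict) -> str:
    """Top to bottom, first match wins and that ACE's counter increments.
    Falling off the end is the implicit deny: no line in 'show access-lists',
    no counter, no syslog. That is why ACL 5 ends with an explicit permit."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action
    return "deny"


def build_acl5() -> list:
    """access-list 5 as configured in Example 11-1."""
    return [
        Ace("deny", WildcardMatch("11.11.11.0", "0.0.0.255"), log=True),
        Ace("permit", ANY),  # permit 0.0.0.0 255.255.255.255, i.e. 'permit any'
    ]


def build_extended() -> list:
    """IINS_Extended_ACL_Example as configured in Example 11-4."""
    servers = ObjectGroup("A_Couple_Servers", (host("33.33.33.33"), host("22.22.22.22")))
    return [
        Ace("permit", WildcardMatch("44.44.1.0", "0.0.0.255"), servers, "tcp", 80),
        # ordered after the permit, so it is 'too late' to stop the web traffic
        Ace("deny", WildcardMatch("44.44.0.0", "0.0.255.255"), servers),
        Ace("permit", ANY, ANY),
    ]


def run_samples() -> dict:
    """Constructed packets (not from the book) run through both ACLs."""
    acl5, ext = build_acl5(), build_extended()
    web = {"proto": "tcp", "dport": 80}
    return {
        "acl5 server1 subnet": evaluate(acl5, {"src": "11.11.11.5", "dst": "33.33.33.33", **web}),
        "acl5 other subnet": evaluate(acl5, {"src": "11.11.12.5", "dst": "33.33.33.33", **web}),
        # same deny ACE, final permit removed: implicit deny, and no counter moves
        "acl5 without final permit": evaluate(acl5[:1], {"src": "10.1.1.1", "dst": "33.33.33.33", "proto": "icmp"}),
        "ext web to server": evaluate(ext, {"src": "44.44.1.10", "dst": "33.33.33.33", **web}),
        "ext ssh to server": evaluate(ext, {"src": "44.44.1.10", "dst": "33.33.33.33", "proto": "tcp", "dport": 22}),
        "ext other 44.44 subnet": evaluate(ext, {"src": "44.44.7.9", "dst": "22.22.22.22", **web}),
        "ext to non-server": evaluate(ext, {"src": "44.44.7.9", "dst": "10.9.9.9", **web}),
        "acl5 hits": [ace.hits for ace in acl5],
        "ext hits": [ace.hits for ace in ext],
    }
```

Two things the model makes visible that the CLI hides: the implicit deny never increments a counter, so a silently dropped packet leaves no trace in show access-lists unless the list ends with an explicit deny ip any any log; and because the deny for 44.44.0.0/16 sits after the permit for 44.44.1.0/24, the order of the two lines alone decides whether the web traffic gets through.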

    22. Visit the ACL Editor to see where your ACL is applied

    23. Configure > Router > ACL > ACL Editor (you could also visit the ACL Summary to see an overview)


    24. Example 11-5 Monitoring ACLs from the CLI

    ! the command show access-lists, or show ip access-lists, will show all of the
    ! ACLs that you have configured. If you have access control lists other than
    ! for IPv4, using the ip keyword with the show command will filter the output
    ! and only show the IP access lists for IP version 4.
    ! at the end of each entry, if there have been matches for that entry they
    ! show up inside parentheses
    R1# show access-lists
    Standard IP access list 5
    ! notice the sequence numbers starting with 10
        10 deny   11.11.11.0, wildcard bits 0.0.0.255 log (... matches)
        20 permit any (33 matches)
    ! the output now shows us the next access list, which is the named
    ! extended access list
    Extended IP access list IINS_Extended_ACL_Example
        10 permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www log (... matches)
        20 deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers log (... matches)
        30 permit ip any any (... matches)

    ! to view the IP-related information on an interface, use the following
    ! command. Look in the output to see whether or not there is a filtering ACL
    ! applied, and if so in which direction it is applied
    R1# show ip int g3/0
    GigabitEthernet3/0 is up, line protocol is up
      Internet address is 13.0.0.1/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Multicast reserved groups joined: 224.0.0.10
      Outgoing access list is 5
      Inbound access list is not set
      Proxy ARP is enabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP Flow switching is disabled
      IP CEF switching is enabled
      IP CEF switching turbo vector
      IP CEF turbo switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      Input features: MCI Check
      Output features: IPsec or interface ACL checked on pre-encrypted clear text packets
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled


    R1# show ip int g1/0
    GigabitEthernet1/0 is up, line protocol is up
      Internet address is 12.0.0.1/24
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Multicast reserved groups joined: 224.0.0.10
      Outgoing access list is not set
      Inbound access list is IINS_Extended_ACL_Example
      Proxy ARP is enabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are always sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is disabled
      IP Flow switching is disabled
      IP CEF switching is enabled
      IP CEF switching turbo vector
      IP CEF turbo switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, CEF
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      Input features: Access List, MCI Check
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    R1#

    25. Useful when troubleshooting: clear ip access-list counters resets the hit counts so you can watch a single test flow

    26. The counters increment whether or not you use the log option at the end of an ACE

    2. To Log or Not to Log

    1. When using the log option at the end of an ACE, a syslog message is generated the first time a packet matches that ACE; then another, summary syslog message is generated after a waiting period, showing the total number of hits during that period. This can be changed to a message for every matching packet if you want (ip access-list log-update threshold 1), at the cost of extra CPU on a busy interface.

    2. To view the messages in CCP:

    a. Monitor > Router > Logging, display the Syslog tab and scroll through the syslog messages

    b. You can search through the syslog messages and filter based on logging level as well

    c. The next tab over is the Firewall Log tab. You can view details about denied connections and also view Top Attack Ports, or select Top Attackers using the down arrow; both are viewed on the bottom part.

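What the log keyword produces on the syslog side, as an added example that is not from the book or from these notes: a Python parser for the %SEC-6-IPACCESSLOGS (standard ACL) and %SEC-6-IPACCESSLOGP (extended ACL, TCP/UDP) messages IOS emits for an ACE carrying log, one on the first match and then one summary per logging interval with the packet count. The sample lines are constructed for this example, with ACL names and addresses following the notes. Aggregating the counts per ACE and source is the cheapest way to reconcile what a syslog collector saw with the (N matches) counters in show access-lists, and to pull out the top denied sources the way the CCP Firewall Log tab does.

```python
import re
from collections import defaultdict

# Shapes handled (constructed examples of the real IOS formats):
#   %SEC-6-IPACCESSLOGS: list 5 denied 11.11.11.5 1 packet
#   %SEC-6-IPACCESSLOGP: list NAME denied tcp 44.44.7.9(51000) -> 22.22.22.22(80), 12 packets
# ICMP and other-protocol variants (IPACCESSLOGDP, IPACCESSLOGNP) differ and are not parsed here.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[SP]): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?:(?P<proto>tcp|udp) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?,)? "
    r"(?P<count>\d+) packets?"
)

# Constructed syslog excerpt: a first-match message, then the 5-minute summaries,
# plus an unrelated message the parser must ignore.
SAMPLE_SYSLOG = """\
*Jun  1 10:00:01.101: %SEC-6-IPACCESSLOGS: list 5 denied 11.11.11.5 1 packet
*Jun  1 10:00:02.220: %SEC-6-IPACCESSLOGP: list IINS_Extended_ACL_Example denied tcp 44.44.7.9(51000) -> 22.22.22.22(80), 1 packet
*Jun  1 10:05:01.101: %SEC-6-IPACCESSLOGS: list 5 denied 11.11.11.5 57 packets
*Jun  1 10:05:02.220: %SEC-6-IPACCESSLOGP: list IINS_Extended_ACL_Example denied tcp 44.44.7.9(51000) -> 22.22.22.22(80), 12 packets
*Jun  1 10:05:03.300: %SEC-6-IPACCESSLOGP: list IINS_Extended_ACL_Example permitted tcp 44.44.1.10(40000) -> 33.33.33.33(80), 1 packet
*Jun  1 10:05:04.400: %SEC-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse(line: str):
    """Return the fields of one ACL log message, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(text: str) -> dict:
    """Total packets per (acl, action, source). The first-hit message counts 1 and
    each interval summary adds its own count, so the sum tracks the ACE counter."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            totals[(rec["acl"], rec["action"], rec["src"])] += rec["count"]
    return dict(totals)


def top_denied(totals: dict, n: int = 5) -> list:
    """Sources with the most denied packets across all ACLs, highest first."""
    by_src = defaultdict(int)
    for (_acl, action, src), count in totals.items():
        if action == "denied":
            by_src[src] += count
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    totals = summarize(SAMPLE_SYSLOG)
    for key, count in sorted(totals.items()):
        print(key, count)
    print("top denied:", top_denied(totals))
```

The first message and the interval summaries describe the same flow, so a naive "count the lines" rule undercounts badly; summing the packet fields is what lines up with the counter in show access-lists. Summaries also mean a burst that starts right after an interval boundary is invisible for up to five minutes, which is the trade-off the threshold command above adjusts.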

    III. Implementing IPv6 ACLs as Packet Filters

    1. IPv6 packet-filtering highlights:

    a. Can filter based on source and destination prefix

    b. Can filter based on source and destination ports

    c. Can filter based on the presence of a next header

    d. There is an implicit deny at the end of the ACL, with the exception of neighbor solicitation (NS) and neighbor advertisement (NA) packets. NS and NA packets are implicitly allowed: IOS appends permit icmp any any nd-na, permit icmp any any nd-ns and then deny ipv6 any any to every IPv6 ACL. (Note that if you include an explicit deny, you must explicitly permit NS and NA before that deny, or neighbor discovery, and with it IPv6 on that link, stops working.)

    e. If an empty access list (an access list without any entries, which is really just a name) is applied to an interface as a filtering access list, it will not deny any traffic. This is the exact same behavior as IPv4 packet-filtering access lists. This can happen if a valid access list is applied to an interface and then the access list is deleted but the interface configuration still shows that it is applied. In this scenario, that access list will not filter any traffic; instead, it behaves as if no access list is in force at all, so the interface fails open.

    f. Reflexive and time-based access lists are supported, just like on IOS for IPv4. A reflexive access list was an attempt at performing stateful inspection, using ACLs that created dynamic entries based on the initial traffic and what the expected return traffic would look like. The dynamic entries permit the reply traffic in a similar way as stateful firewalls do by default today. You learn more about stateful packet inspection in the upcoming firewall chapters.

    g. You can filter on IPv6 extension headers

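The behaviours in highlights d and e, modelled in Python as an added example that is not from the book or from these notes: the implicit deny, the implicit permit for NS/NA that IOS places ahead of it, what an explicit deny ipv6 any any does to neighbor discovery, and the empty-list fail-open. Matching is reduced to prefix, protocol and ICMPv6 type, which is all these points need. The ACL names, helper names and packets are this example's own; the ordering of the implicit tail and the nd-ns/nd-na keywords are IOS behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMPV6_ND_NS = 135   # neighbor solicitation  ('nd-ns' in IOS syntax)
ICMPV6_ND_NA = 136   # neighbor advertisement ('nd-na')


def _in_prefix(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


@dataclass(frozen=True)
class Ace6:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ipv6' matches every protocol
    src: str                         # IPv6 prefix or 'any'
    dst: str
    icmp_type: Optional[int] = None  # only meaningful for proto 'icmp'

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ipv6" and pkt["proto"] != self.proto:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return _in_prefix(self.src, pkt["src"]) and _in_prefix(self.dst, pkt["dst"])


# IOS appends these three entries, in this order, to every IPv6 ACL that has at
# least one configured line. They never appear in the running configuration.
IMPLICIT_TAIL = (
    Ace6("permit", "icmp", "any", "any", ICMPV6_ND_NA),
    Ace6("permit", "icmp", "any", "any", ICMPV6_ND_NS),
    Ace6("deny", "ipv6", "any", "any"),
)


def evaluate6(acl: list, pkt: dict) -> str:
    """First match wins, exactly as for IPv4."""
    if not acl:
        # Highlight e: a list that exists only as a name (or was deleted while
        # still bound with 'ipv6 traffic-filter') does not filter anything.
        return "permit"
    for ace in tuple(acl) + IMPLICIT_TAIL:
        if ace.matches(pkt):
            return ace.action
    raise AssertionError("unreachable: 'deny ipv6 any any' matches everything")


# Constructed packets (not from the book).
WEB_TO_SERVER = {"proto": "tcp", "src": "2001:db8:44::10", "dst": "2001:db8:1::80"}
DNS_TO_SERVER = {"proto": "udp", "src": "2001:db8:44::10", "dst": "2001:db8:1::53"}
NEIGHBOR_SOLICIT = {"proto": "icmp", "icmp_type": ICMPV6_ND_NS,
                    "src": "fe80::1", "dst": "ff02::1:ff00:80"}

PERMIT_WEB = Ace6("permit", "tcp", "any", "2001:db8:1::/64")

# Relying on the implicit tail: web in, everything else denied, ND still works.
ACL_IMPLICIT = [PERMIT_WEB]

# Adding an explicit 'deny ipv6 any any' (say, to get a counter and syslog):
# it now matches before the implicit tail, so NS/NA are dropped as well.
ACL_BROKEN = [PERMIT_WEB, Ace6("deny", "ipv6", "any", "any")]

# The fix highlight d calls for: permit NS/NA explicitly before the deny.
ACL_FIXED = [
    PERMIT_WEB,
    Ace6("permit", "icmp", "any", "any", ICMPV6_ND_NS),
    Ace6("permit", "icmp", "any", "any", ICMPV6_ND_NA),
    Ace6("deny", "ipv6", "any", "any"),
]


def run_samples6() -> dict:
    """Decision for each (ACL, packet) pair."""
    return {
        "implicit web": evaluate6(ACL_IMPLICIT, WEB_TO_SERVER),
        "implicit dns": evaluate6(ACL_IMPLICIT, DNS_TO_SERVER),
        "implicit ns": evaluate6(ACL_IMPLICIT, NEIGHBOR_SOLICIT),
        "broken ns": evaluate6(ACL_BROKEN, NEIGHBOR_SOLICIT),
        "fixed ns": evaluate6(ACL_FIXED, NEIGHBOR_SOLICIT),
        "fixed dns": evaluate6(ACL_FIXED, DNS_TO_SERVER),
        "empty dns": evaluate6([], DNS_TO_SERVER),
    }
```

The list is bound to an interface with ipv6 traffic-filter NAME in (or out), as the command reference at the end of the chapter shows; the failure in ACL_BROKEN is the scenario quiz question 10 asks about, and it shows up on the wire as the router no longer resolving or answering for link-layer addresses.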
    IV. Do I Know This Already? Quiz

    Table 11-1 Do I Know This Already? Section-to-Question Mapping

    Foundation Topics Section                        Questions
    Access Control List Fundamentals and Benefits    1-4
    Implementing IPv4 ACLs as Packet Filters         5-8
    Implementing IPv6 ACLs as Packet Filters         9-10

    1. Which of the following are advantages of an extended access list over a standard access list when used for packet filtering?
    a. It can filter based on source address
    b. It can filter based on destination address
    c. It can filter based on application layer information
    d. Logging can be performed

    2. What method is used to indicate that a portion of an IP address in the source packet does not need to be compared to an access list entry?
    a. Subnet mask
    b. Mask
    c. Wildcard mask
    d. Full IP address required

    3. What technique enables you to match on a range of subnets using a single access list entry, without using object groups?
    a. Wildcard mask, so that matches are done only for the summary of those networks
    b. Reflexive ACLs
    c. Time-based ACLs
    d. Extended named ACLs

    4. What happens when an access list has 100 lines and a match occurs on line 14?
    a. Lines 15 through 100 are parsed as a group object
    b. The ACL acts on the packet, and no further list processing is done for that packet
    c. The ACL is processed all the way through line 100, to see whether there is a more strict policy that should be applied
    d. There cannot be a line 14, because the only lines permitted start with 10 and increment by 10

    5. Which of the following are valid options for creating and applying ACLs in CCP? (Choose all that apply.)
    a. Use the ACL Editor
    b. Go to Interface Configuration
    c. Use the ACL Wizard from the Tools menu
    d. ACLs may be created in CCP, but they have to be applied using the CLI

    6. What is the benefit of a network object group as it relates to access lists?
    a. A single object group that contains many hosts can simplify the implementation of an ACL
    b. Object groups refer only to services such as TCP or UDP ports
    c. Object groups can be used as an alternative to ACLs
    d. Network object groups, when implemented, use less CPU and resources from the router when implementing access controls that contain them

    7. Which one of the following is probably the single most significant benefit of managing existing ACLs using CCP rather than via the command line?
    a. Applying access lists to interfaces
    b. Creating brand-new access lists
    c. Looking at hit counts on the access list entries
    d. Rearranging the order of the access list entries

    8. What does the log keyword do when added at the end of an access list entry?
    a. It sends an SNMP message
    b. It sends an SDEE message
    c. It generates a syslog message
    d. It causes hit counts to be displayed when viewing access lists

    9. With IPv6, what is significantly different about applying a packet filter to an interface compared to IPv4?
    a. The syntax is the same at the interface
    b. You do not use the keywords for in and out
    c. You use the command ipv6 access-list rather than access-group
    d. You use the command traffic-filter instead of access-group

    10. If you accidentally implement an IPv6 filtering policy that explicitly denies all inbound IPv6 traffic, which protocol in the IPv6 suite will most likely cause a failure in the network first?
    a. IPv6 ICMP
    b. IPv6 UDP
    c. IPv6 TCP
    d. Impossible to implement a deny any any statement in IPv6 ACLs


    V. Review All the Key Topics

    Table 11-4 Key Topics

    Key Topic Element   Description                                                   Page Number
    Text                What can we protect against                                   240
    Text                The logic in a packet-filtering ACL                           241
    Table 11-3          Standard ACLs versus extended ACLs                            243
    Text                Wildcard masks                                                244
    Text                Object groups                                                 244
    Example 11-1        Using the CLI to implement an access list                     248
    Example 11-2        Using the CLI to apply the access list to an interface        249
    Example 11-3        Using the CLI to create a network object group                253
    Example 11-4        Using object groups as part of the ACL                        253
    Figure 11-11        Verifying the details of the ACLs                             254
    Example 11-6        Creating an IPv6 access list and applying it as a filter      261


    Table 11-5 CA Server Configuration Fields and Values

    Field: Enable/Disable
    Value: Disabled by default. Must be in this state if you need to make changes to any of the configuration values.

    Field: Passphrase
    Value: Mandatory field used to enter the password for the local CA key-store. The password must be at least 7 characters in length.

    Field: Issuer Name
    Value: Enter the hostname or IP address you want to be used for the issuer value in any certificates generated. By default, this is the ASA IP address or hostname (where configured).

    Field: CA Server Key Size
    Value: Enter the minimum key size the server will use (512, 768, 1024, or 2048 bits; default 1024).

    Field: Client Key Size
    Value: Enter the minimum key size used by clients (512, 768, 1024, or 2048 bits; default 1024).

    Field: CA Certificate Lifetime
    Value: Enter the lifetime of the local CA root certificate (default 3650 days).

    Field: Client Certificate Lifetime
    Value: Enter the lifetime of issued client certificates (default 365 days).

    Field: SMTP Server Name/IP Address
    Value: Enter the name or IP address of the SMTP server used to send enrollment invitations through.

    Field: From Address
    Value: Enter the email address you want to use to send enrollment invitations from (default admin@asa-domain-name).

    Field: Subject
    Value: Enter the subject for enrollment certificate emails (default Certificate Enrollment Invitation).

    Field: CRL Distribution Point URL
    Value: Default http://ASA

    Field: CRL Interface and Port
    Value: Enter the interface and port to use for the CRL publishing.

    Field: CRL Lifetime
    Value: Enter the lifetime for the CRL (default 6 hours).

    Field: Database Storage Location
    Value: Enter the path and filename of the database stored on the ASA flash.

    Field: Default Subject Name
    Value: Enter the default subject name to be used in issued certificates and appended to the user name.

    Field: Enrollment Period
    Value: Enter the time period for enrollment purposes (default 24 hours).

    Field: One Time Password Expiration
    Value: Default 72 hours.

    Field: Certificate Expiration Reminder
    Value: Enter the value in days used to mark the reminder value for emails sent to certificate owners about expiration deadlines (default 14 days).

    Note: the 512- and 768-bit RSA sizes the form accepts are far below current minimums; use 2048 for both the server and client key size.


    Table 11-3 Standard ACLs Versus Extended ACLs

    Numeric range
      Standard ACL: 1-99, 1300-1999
      Extended ACL: 100-199, 2000-2699

    Option for using names for the ACL instead of numbers
      Standard ACL: Yes
      Extended ACL: Yes

    What they can match on
      Standard ACL: Source IP only of the packet being compared to the list
      Extended ACL: Source or destination IP, plus most Layer 4 protocols, including items in the Layer 4 header of the packet being compared

    Where to place
      Standard ACL: Unfortunately, these need to be placed relatively close to the destination. Applying
      Extended ACL: Because the extended ACL has the granularity of matching on a specific source and destination, you can place these very close to the source of the host that is generating the packet, because it will only deny the traffic to the specific destination and will not cause a loss of service to other destinations that are still being permitted

    VII. Define Key Terms

    1. packet filtering -
    2. spoofed address -
    3. SYN-flood attack -
    4. standard/extended ACL -
    5. numbered/named ACL -

    VIII. Command Reference to Check Your Memory

    Table 11-5 Command Reference

    Command: ipv6 traffic-filter BOGUS_SOURCE_FILTER in
    Description: Apply the named IPv6 ACL inbound, in interface configuration mode

    Command: object-group network A_Couple_Servers
    Description: Create a named network object group and move to object group configuration mode

    Command: permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www
    Description: Permit traffic from any host whose IP address begins with 44.44.1 to any host that is a member of the object group, if the destination TCP port is 80 (www)

    Command: ip access-group IINS_Extended_ACL_Example in
    Description: Apply the named IPv4 access list inbound, in interface configuration mode