Access-Lists Securing Your Router and Protecting Your Network

Reasons to use Access-Lists (ACLs) To filter traffic coming into and leaving your network. Securing access to your router. Restrict contents of routing updates Traffic flow control. Plus many other reasons…we will focus on the first two for this class.

What is an ACL Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces.  Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.  Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.

Why You Should Configure Access Lists? You should use access lists to secure access for remote users, SNMP access, NTP or any other services that allow read and write access to all or part of your router.  Password/user authentication is enhanced when the traffic can only come from certain ip addresses or specified ranges. You should use access lists to provide a basic level of security for accessing your network.  If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.

Standard Vs. Extended Access Lists Standard IP access lists use source addresses for matching operations. Extended IP access lists use source and destination addresses for matching operations, and optional protocol type information for finer granularity of control.  Extended ACLs require a greater knowledge of your network’s operation and networking in general. A poorly designed ACL can cause many problems for the users and the technical staff.

Planning your ACLs Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general most protocols require at least two basic steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface.  Creating Access Lists  Applying Access lists to interfaces

Creating Access Lists Create access lists for each protocol you wish to filter, per router interface. For some protocols, you create one access list to filter inbound traffic, and one access list to filter outbound traffic. To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define packet-filtering criteria. A single access list can have multiple filtering criteria statements.

Assigning a Unique Name or Number to Each Access List When configuring access lists on a router, you must identify each access list uniquely within a protocol, by assigning either a name or a number to the protocol's access list. Either a name or a number can identify some protocols. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.

ACL Numbers IP 1 to 99 Extended IP 100 to 199 Ethernet type code 200 to 299 Ethernet address 700 to 799 Transparent bridging (protocol type) 200 to 299 Transparent bridging (vendor code) 700 to 799 Extended transparent bridging 1100 to 1199 DECnet and extended DECnet 300 to 399 XNS 400 to 499 Extended XNS 500 to 599 AppleTalk 600 to 699 Source-route bridging (protocol type) 200 to 299 Source-route bridging (vendor code) 700 to 799 IPX 800 to 899 Extended IPX 900 to 999 IPX SAP 1000 to 1099

Assigning a Unique Name or Number to Each Access List Apollo Domain IP IPX ISO CLNS NetBIOS IPX Source-route bridging NetBIOS

Defining Criteria for Forwarding or Blocking Packets When creating an access list, you define criteria, which are applied to each packet that is processed by the router; the router decides whether to forward or block each packet based on whether or not the packet matches the criteria. Typical criteria you define in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. For a single access list, you can define multiple criteria in multiple, separate access list statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same access list.  You can have as many criteria statements as you want, limited only by the available memory.  Of course, the more statements you have, the more difficult it will be to comprehend and manage your access lists.

The Order of Things… Each additional criteria statement that you enter is appended to the end of the access list statements. You cannot delete individual statements after they have been created. You can only delete an entire access list. The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked. If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

The Implicit Deny At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked. This also requires that you specifically put in your permit statements. Do not assume that the router will understand that you only want to deny one thing and let everything else through.  The router wants ACLs to be as strict as possible!

Wildcard Masks (aka Inverse Masks) Wildcard Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks to configure IP addresses on interfaces start with 255 and have the large values on the left side (for example, IP address with a mask). Masks for IP ACLs are the reverse (for example, mask ). This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care".

Creating Standard and Extended Access Lists Step 1  access-list access-list-number remark  Indicates the purpose of the deny or permit statement.  Example; access-list 2 permit

Creating Standard and Extended Access Lists Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard  Defines an extended IP access list number and the access conditions.  Example access-list 102 permit tcp

Creating Standard and Extended Access Lists In addition to defining ACL source and destination, it is possible to define ports, ICMP message types, and other parameters.  access-list 102 permit tcp host host eq ? bgp Border Gateway Protocol (179) chargen Character generator (19) cmd Remote commands (rcmd, 514)

Applying Access Lists After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces  Out - Traffic that has already been through the router and is leaving the interface; the source would be where it's been (on the other side of the router) and the destination is where it's going.  In - Traffic that is arriving on the interface and which will go through the router; the source would be where it's been and the destination is where it's going (on the other side of the router).

Applying Access Lists To control access to a virtual terminal line and the addresses in an access list, use the following command in line configuration mode. Only numbered access lists can be applied to lines. Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.  access-class access-list-number {in | out}  Example access-class 9 in

Applying Access Lists To control access to an interface, use the following command in interface configuration mode. ip access-group {access-list-number | name} {in | out}  Example ip access-group 102 in

Access-lists For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.  Note that ICMP messages sent from your network can be used against you. They are useful to hackers for mapping your network, determining the devices that you are using, etc. For more information see:

Access-lists For outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.  Note that ICMP messages sent from your network can be used against you. They are useful to hackers for mapping your network, determining the devices that you are using, etc. For more information see:

Applying Access Lists When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.

Access-list examples Applying the list to a line  interface line vty 0 4  ip access-class 2 in (access lists are designated out by default) Standard Access-list  access-list 2 permit (allowed IP address)  access-list 2 deny any any. (This line is not needed because all access lists have an implicit deny all by default)

Access-list examples Extended Access-lists  access-list 102 permit tcp (ip address wildcard mask)(ip address wildcard mask) gt 1023  access-list 102 permit tcp (ip address wildcard mask)(ip address wildcard mask) eq 25  access-list 102 permit icmp (ip address wildcard mask)(ip address wildcard mask)

Access-list examples Applying the list to an interface  interface ethernet 0  ip access-group 102 in

How do I remove an ACL from an interface? To remove an ACL from an interface, go into configuration mode and enter no in front of the access-group command, as shown in the following example.  Example interface Ethernet 0 no ip access-group 102 in