Download presentation
Presentation is loading. Please wait.
Published byArline Douglas Modified over 9 years ago
1
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Access Control Lists Accessing the WAN – Chapter 5
2
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 2 Objectives Explain how ACLs are used to secure a medium-size Enterprise branch office network. Configure standard ACLs in a medium-size Enterprise branch office network. Configure extended ACLs in a medium-size Enterprise branch office network. Describe complex ACLs in a medium-size Enterprise branch office network. Implement, verify and troubleshoot ACLs in an enterprise network environment.
3
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 3 How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network What is ACL? An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. Steps that occur in a complete TCP conversation
4
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 4 Conti… ACLs control access to networks Packet filtering works at Network Layer.
5
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 5 Conti… Flow chart to show how ACLs operate
6
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 6 A general rule for applying ACLs One ACL per protocol- One ACL per direction One ACL per interface
7
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 7 Conti… ACLs perform the following tasks: –Limit network traffic to increase network performance –Provide a basic level of security for network access. –Decide which types of traffic to forward or block at the router interfaces. –Control which areas a client can access on a network. –Screen hosts to permit or deny access to network services. –ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers.
8
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 8 How ACLs Work Inbound ACLs Outbound ACLs ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time. A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction.
9
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 9 Types of ACLs Standard ACLs Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. Range from 1-99 Extended ACLs Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports Naming ACLs Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic. However, a number does not inform you of the purpose of the ACL. For this reason, starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.
10
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 10 Conti… The two main tasks involved in using ACLs are as follows: Step 1. Create an access list by specifying an access list number or name and access conditions. Step 2. Apply the ACL to interfaces or terminal lines.
11
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 11 Where to place ACLs Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are: –Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. –Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
12
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 12 General Guide Lines for Creating ACLs Base your ACLs on the security policy of the organization. Prepare a description of what you want your ACLs to do. Use a text editor to create, edit and save ACLs. Test your ACLs on a development network before implementing them on a production network. Benefits This will ensure you implement organizational security guidelines. This will help you avoid inadvertently creating potential access problems. This will help you create a library of reusable ACLs. This will help you avoid costly errors.
13
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 13 Configuring Standard ACL Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] E.g R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 The any and host Keywords After a standard ACL is configured, it is linked to an interface using the ip access-group command: Router(config-if)#ip access-group 1 out
14
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 14 Host and Any Example 1 R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 R1(config)#access-list 10 permit any Example 2 R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 R1(config)#access-list 10 permit host 192.168.10.10
15
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 15 Conti… Cisco ACLs can be identified using standardized numbering or names
16
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 16 Conti… Where ACLs should be placed in a network
17
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 17 Applying ACL Apply a standard ACL to an interface
18
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 18 Controlling VTY Access R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255 R1(config)#access-list 10 permit 192.168.11. 0.0.0.255 R1(config)#access-list 10 deny any Implementing ACL on vty R1(config)#line vty 0 4 R1(config-line)#password secret R1(config-line)#login R1(config-line)#access-class 10 in
19
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 19 Named ACLs R1(config)#ip access-list standard NO_ACCESS R1(config-std-nacl)#deny host 192.168.11.10 R1(config-std-nacl)#permit 192.168.11.0 0.0.0.255 R1(config)#interface fa0/0 R1(config-if)#ip access-group NO_ACCESS out
20
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 20 Testing for ports and services Using port numbers R1(config)#access-list 101 permit tcp any eq 23 R1(config)#access-list 101 permit tcp any eq 21 R1(config)#access-list 101 permit tcp any eq 20 Using service name R1(config)#access-list 101 permit tcp any eq telnet R1(config)#access-list 101 permit tcp any eq ftp R1(config)#access-list 101 permit tcp any eq ftp-data Or R1(config)#access-list 101 permit tcp any eq ?
21
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 21 Types of Complex ACLs Dynamic ACLs Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. Reflexive ACLs Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. Time-based ACLs Time-based ACLs allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week.
22
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 22 Verifying ACLs How to monitor and verify ACLs
23
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 23 Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network Describe how to troubleshoot common ACL problems
24
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 24 Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment Create, place and verify a standard/ extended ACL and verify its placement. Verify ACL’s functionality and troubleshoot as needed.
25
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 25 Summary An Access List (ACL) is: A series of permit and deny statements that are used to filter traffic Standard ACL –Identified by numbers 1 - 99 and 1300 - 1999 –Filter traffic based on source IP address Extended ACL –Identified by number 100 -199 & 2000 - 2699 –Filter traffic based on Source IP address Destination IP address Protocol Port number
26
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 26 Summary Named ACL –Used with IOS 11.2 and above –Can be used for either standard or extended ACL ACL’s use Wildcard Masks (WCM) –Described as the inverse of a subnet mask Reason –0 check the bit –1 ignore the bit
27
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 27 Summary Implementing ACLs –1 st create the ACL –2 nd place the ACL on an interface Standard ACL are placed nearest the destination Extended ACL are placed nearest the source Use the following commands for verifying & troubleshooting an ACL –Show access-list –Show interfaces –Show run
28
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 28 Summary Complex ACL –Dynamic ACL –Reflexive ACL –Time based ACL
29
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE 1 Chapter 6 29
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.