
1  Access Control Lists – Accessing the WAN, Chapter 5, Version 4.0
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

2  Objectives
 Explain how ACLs are used to secure a medium-size Enterprise branch office network.
 Configure standard ACLs in a medium-size Enterprise branch office network.
 Configure extended ACLs in a medium-size Enterprise branch office network.
 Describe complex ACLs in a medium-size Enterprise branch office network.
 Implement, verify and troubleshoot ACLs in an enterprise network environment.

3  Security in the Campus Model
 Core: not here. It is the fastest part of the network and filtering there would slow it down; besides, by the time traffic reaches the core it is already inside the network.
 Access switches: switch ports are set to specific VLANs. Port security disables a port if too many MAC addresses appear on it.
 Access routers: let traffic in and out of the network. A good place to enforce security.
 Inter-VLAN routers or L3 switches: let traffic cross between VLANs. A good place to enforce security.

4  Routers Inspect Packet Fields
 Routers already inspect the destination IP address of a packet to determine how to route it, and drop the packet if there is no route.
 We add a security mechanism: Access Control Lists (ACLs).
 ACL: a set of rules that inspect some fields in a packet. If the packet matches a rule, we choose to keep (permit) or drop (deny) the packet.

5  Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
 What steps occur in a complete TCP conversation?

6  What Fields Can Be Inspected?
 IP source address
 IP destination address
 Protocol carried in the IP packet, e.g. TCP, UDP or ICMP (the keyword ip matches any protocol)
 Layer 4 source port
 Layer 4 destination port, e.g. port 80 for the web
 Whether the packet is the start of a TCP connection (SYN) or not
 NOTE: traffic is bi-directional. Port 80 is the destination port in one direction but the source port in the reply direction, so an ACL for each direction has to be written with that in mind.

7  Explain How ACLs are Used to Secure a Medium-Size Enterprise Branch Office Network
 Explain how a packet filter allows or blocks traffic

8  Where Can ACL Rules be Applied?
 A group of rules (tests, entries) forms an Access Control List.
 An ACL can be applied to a router interface in-bound: as soon as traffic arrives, before it is routed.
 An ACL can be applied to a router interface out-bound: as packets are queued for transmission, after routing.
 On each interface we can have two ACLs: one in-bound and one out-bound.

9  Example Location of ACLs on Router Interfaces

10  Rules in an Access Control List
 Each rule (test, entry) is applied in order. If it does not match, move to the next.
 If it matches, obey its permit or deny action and stop: later rules are not consulted.
 If no rule matches, drop the packet (the implicit deny at the end of every ACL).

11  Standard and Extended ACLs
 A standard ACL has rules that only match the source IP address and wildcard. Example:
 An extended ACL has rules that match source and destination IP, the protocol, and source and destination ports.
 Wildcard: the inverse of a netmask. Think of it as a range.
 192.168.30.0 0.0.0.255 means 192.168.30.0 up to 192.168.30.255

12  Naming or Numbering an ACL
 ACLs can be numbered or named.
 Standard ACLs: number from 1 to 99 (or 1300 to 1999), or a name.
 Extended ACLs: number from 100 to 199 (or 2000 to 2699), or a name.

13  Where to Place ACLs: Rule of Thumb
 Extended: as close to the traffic source as possible, so unwanted traffic is dropped before it crosses the network.
 Standard: as close to the destination as possible, because a standard ACL only matches the source and, placed near the source, would cut that source off from every destination.

14  ACL Best Practices
 ACLs implement your organisation's security policy.
 They are often unreadable, so give each one a description (remark).
 They are fiddly to edit, so use a text editor.
 They cause havoc when mistakes are made, so always test them on a development network before you put them into production.

15  ACLs: Rule Order is Important
 We want to block all of 131.70.5.0/24 from coming into our LAN, but let 131.70.5.42 in:
   access-list 10 deny 131.70.5.0 0.0.0.255
   access-list 10 permit 131.70.5.42 0.0.0.0
 This in fact also blocks 131.70.5.42: the deny rule matches it first and the permit rule is never reached. It also blocks all other traffic, because of the implicit deny-all rule at the bottom.
 Reorder the rules, and add an explicit permit for everything else:
   access-list 10 permit 131.70.5.42 0.0.0.0
   access-list 10 deny 131.70.5.0 0.0.0.255
   access-list 10 permit 0.0.0.0 255.255.255.255

16  Special Shorthand Keywords
 "host X" matches the single host address X (wildcard 0.0.0.0).
 "any" matches all IP addresses (0.0.0.0 255.255.255.255).
 We can rewrite the ACL on the previous slide:
   access-list 10 remark Let Sandeep's PC in to the LAN
   access-list 10 permit host 131.70.5.42
   access-list 10 remark But stop the rest of subnet 5.0
   access-list 10 deny 131.70.5.0 0.0.0.255
   access-list 10 remark All other traffic can come in
   access-list 10 permit any
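The matching rules of slides 10, 11, 15 and 16 (first match wins, implicit deny, wildcard masks, host and any) as a small Python model. This is an added example, not code from the Cisco deck: it parses the two ACLs from slides 15 and 16 in access-list syntax, evaluates constructed source addresses against them, and keeps a per-entry hit counter like the match count that show access-lists prints. The remark text is the deck's; the sample sources 131.70.5.7 and 10.1.1.1 are assumptions.

```python
"""Standard ACL evaluator for IOS access-list syntax: entries are tested in
order, the first match decides, and an implicit deny sits at the end. Each
entry keeps a hit counter, like the match count show access-lists reports."""
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip, rule_ip, wildcard):
    """A wildcard bit of 0 means 'must match', 1 means 'ignore this bit'."""
    w = to_int(wildcard)
    return (to_int(packet_ip) | w) == (to_int(rule_ip) | w)


def parse_standard_acl(text):
    """Parse 'access-list N {permit|deny|remark} SOURCE' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        number, action, source = int(tok[1]), tok[2], tok[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        if action == "remark":
            continue  # documentation only; a remark never matches a packet
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if source == ["any"]:
            ip, wc = "0.0.0.0", "255.255.255.255"
        elif source[0] == "host":
            ip, wc = source[1], "0.0.0.0"
        elif len(source) == 1:
            ip, wc = source[0], "0.0.0.0"  # IOS treats an omitted wildcard as 0.0.0.0
        else:
            ip, wc = source[0], source[1]
        entries.append({"action": action, "ip": ip, "wc": wc, "hits": 0, "line": line.strip()})
    return entries


def evaluate(entries, src_ip):
    """First matching entry wins; no match at all is the implicit deny."""
    for entry in entries:
        if wildcard_match(src_ip, entry["ip"], entry["wc"]):
            entry["hits"] += 1
            return entry["action"]
    return "deny"


# The two ACLs from slides 15 and 16.
MISORDERED = """
access-list 10 deny 131.70.5.0 0.0.0.255
access-list 10 permit 131.70.5.42 0.0.0.0
"""

CORRECTED = """
access-list 10 remark Let Sandeep's PC in to the LAN
access-list 10 permit host 131.70.5.42
access-list 10 remark But stop the rest of subnet 5.0
access-list 10 deny 131.70.5.0 0.0.0.255
access-list 10 remark All other traffic can come in
access-list 10 permit any
"""

# Constructed sample sources: the permitted host, a neighbour in the blocked
# subnet, and a host from an unrelated network.
SAMPLE_SOURCES = ("131.70.5.42", "131.70.5.7", "10.1.1.1")


def run(acl_text, sources=SAMPLE_SOURCES):
    """Return ({source: verdict}, {entry line: hit count}) for one ACL."""
    entries = parse_standard_acl(acl_text)
    verdicts = {ip: evaluate(entries, ip) for ip in sources}
    hits = {e["line"]: e["hits"] for e in entries}
    return verdicts, hits


if __name__ == "__main__":
    for name, text in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        verdicts, hits = run(text)
        print(name, verdicts)
        for line, n in hits.items():
            print(f"  {n} match(es): {line}")
```

Running it shows the misordered list denying all three sources, with its permit entry never hit, while the corrected list permits 131.70.5.42 and 10.1.1.1 and denies only the rest of the subnet.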

17  Standard ACL Command Syntax

18  Applying an ACL to an Interface
 Once we have an ACL, we have to apply it to a specific interface and in a specific direction; until then it filters nothing:
   interface fa0/0
   ip access-group 10 out

19  Editing ACLs: The Easy Way
 Show the entries for a specific ACL from the running configuration.
 Copy them into a text file.
 Edit the text file.
 Do "no access-list 10" to remove the ACL from the router.
 Paste the corrected ruleset back into the router.
 While the list is deleted, an interface that still references it with ip access-group filters nothing, so do this in a maintenance window.

20  Named ACLs
 Named ACLs are good as they help to document the purpose of the ACL.

21  Is My ACL Working?
 How do I know if my ACL is working? Has it permitted or denied any traffic? Which rules are being used?
 show access-lists prints a match count beside each entry that has matched packets, so you can see which rules are being hit and which never match.

22  Extended ACLs: More Power
 Source/destination IP, protocol, source/destination ports

23  Extended ACLs
 Operators test whether a port matches (eq), does not match (neq), is below or above a value (lt, gt) or lies in a specific range (range).
 The established keyword tests whether a TCP packet is part of an already established connection (ACK or RST flag set) rather than the start of one (SYN only).
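Slides 22 and 23 as an added Python model (not code from the deck): it parses extended ACL entries with protocol, source and destination address, port operators and the established keyword, then evaluates constructed packets arriving inbound on a branch router's WAN interface. The LAN 192.168.10.0/24, web server 192.168.10.5, ISP resolver 203.0.113.53, outside host 198.51.100.9 and the ACL itself are assumptions. The ack_to_smb sample shows the caveat a practitioner wants to know: established only checks that the ACK or RST bit is set, so a forged ACK segment to an internal port is permitted by the first entry; tracking real sessions is what reflexive ACLs (slide 28) add.

```python
"""Extended ACL evaluator for IOS access-list syntax: protocol, source and
destination address, port operators (eq/neq/lt/gt/range) and 'established',
which matches only TCP segments that carry the ACK or RST flag."""
import ipaddress
from collections import namedtuple

# proto is "tcp", "udp" or "icmp"; ack/rst are the TCP flags.
Packet = namedtuple("Packet", "proto src dst sport dport ack rst",
                    defaults=(0, 0, False, False))
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")

def wc_match(addr, rule_ip, wildcard):
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_ip, wildcard))
    return (a | w) == (r | w)  # wildcard bit 1 = ignore, 0 = must match

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_address(tok):
    """Consume 'any' | 'host X' | 'X WILDCARD'; return (ip, wildcard, rest)."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def _take_port_test(tok):
    """Consume an optional port operator; return (test or None, rest)."""
    if not tok or tok[0] not in PORT_OPS:
        return None, tok
    if tok[0] == "range":
        return ("range", _port(tok[1]), _port(tok[2])), tok[3:]
    return (tok[0], _port(tok[1])), tok[2:]

def port_ok(test, port):
    if test is None:
        return True
    op, n = test[0], test[1]
    if op == "range":
        return n <= port <= test[2]
    return {"eq": port == n, "neq": port != n, "lt": port < n, "gt": port > n}[op]

def parse_extended_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or not (100 <= int(tok[1]) <= 199 or 2000 <= int(tok[1]) <= 2699):
            raise ValueError(f"not an extended access-list line: {line!r}")
        if tok[2] == "remark":
            continue  # remarks document the list and match nothing
        src_ip, src_wc, rest = _take_address(tok[4:])
        sport, rest = _take_port_test(rest)
        dst_ip, dst_wc, rest = _take_address(rest)
        dport, rest = _take_port_test(rest)
        entries.append({"action": tok[2], "proto": tok[3], "src": (src_ip, src_wc),
                        "sport": sport, "dst": (dst_ip, dst_wc), "dport": dport,
                        "established": "established" in rest, "hits": 0})
    return entries

def matches(e, p):
    if e["proto"] not in ("ip", p.proto):
        return False
    if not (wc_match(p.src, *e["src"]) and wc_match(p.dst, *e["dst"])):
        return False
    if p.proto in ("tcp", "udp") and not (port_ok(e["sport"], p.sport) and port_ok(e["dport"], p.dport)):
        return False
    return not e["established"] or (p.proto == "tcp" and (p.ack or p.rst))

def evaluate(entries, pkt):
    """First match wins; falling off the end is the implicit deny."""
    for e in entries:
        if matches(e, pkt):
            e["hits"] += 1
            return e["action"]
    return "deny"

# Constructed inbound ACL for a branch router's WAN interface. LAN 192.168.10.0/24,
# web server 192.168.10.5 and ISP resolver 203.0.113.53 are assumed addresses.
INBOUND = """
access-list 110 remark Replies to TCP sessions the LAN opened
access-list 110 permit tcp any 192.168.10.0 0.0.0.255 established
access-list 110 permit tcp any host 192.168.10.5 eq www
access-list 110 permit udp host 203.0.113.53 eq domain 192.168.10.0 0.0.0.255 gt 1023
access-list 110 deny ip any any
"""

# Constructed sample packets arriving from the outside.
SAMPLES = {
    "syn_to_smb":  Packet("tcp", "198.51.100.9", "192.168.10.20", 40000, 445),
    "ack_to_smb":  Packet("tcp", "198.51.100.9", "192.168.10.20", 40000, 445, ack=True),
    "https_reply": Packet("tcp", "198.51.100.9", "192.168.10.20", 443, 51000, ack=True),
    "syn_to_web":  Packet("tcp", "198.51.100.9", "192.168.10.5", 40001, 80),
    "dns_reply":   Packet("udp", "203.0.113.53", "192.168.10.20", 53, 5353),
    "dns_to_53":   Packet("udp", "203.0.113.53", "192.168.10.20", 53, 53),
    "ping":        Packet("icmp", "198.51.100.9", "192.168.10.20"),
}

def run(acl_text=INBOUND, samples=SAMPLES):
    """Return {sample name: 'permit' or 'deny'}."""
    entries = parse_extended_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:12} {verdict}")
```

The SYN to port 445 is dropped by the final deny, the HTTPS reply and the web and DNS traffic are permitted as intended, and the ACK-flagged segment to port 445 is permitted too, which is exactly the gap between a flag check and real connection tracking.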

24  Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
 Describe how to apply an extended ACL to an interface

25  Configure Extended ACLs in a Medium-Size Enterprise Branch Office Network
 Describe how to create named extended ACLs

26  Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
 List the three types of complex ACLs (dynamic, reflexive and time-based)

27  Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
 Explain how and when to use dynamic ACLs

28  Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
 Explain how and when to use reflexive ACLs

29  Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
 Explain how and when to use time-based ACLs

30  Describe Complex ACLs in a Medium-Size Enterprise Branch Office Network
 Describe how to troubleshoot common ACL problems

31  Implement, Verify and Troubleshoot ACLs in an Enterprise Network Environment
 Create and place a standard or extended ACL and verify its placement.
 Verify the ACL's functionality and troubleshoot as needed.

32  Summary
 An Access Control List (ACL) is a series of permit and deny statements that are used to filter traffic.
 Standard ACL
  – Identified by numbers 1 - 99 and 1300 - 1999
  – Filters traffic based on source IP address
 Extended ACL
  – Identified by numbers 100 - 199 and 2000 - 2699
  – Filters traffic based on source IP address, destination IP address, protocol and port number

33  Summary
 Named ACL
  – Used with IOS 11.2 and above
  – Can be used for either standard or extended ACLs
 ACLs use Wildcard Masks (WCM)
  – Described as the inverse of a subnet mask
  – 0 → check the bit
  – 1 → ignore the bit

34  Summary
 Implementing ACLs
  – 1st create the ACL
  – 2nd place the ACL on an interface: standard ACLs are placed nearest the destination, extended ACLs nearest the source
 Use the following commands for verifying and troubleshooting an ACL
  – show access-lists (entries and match counts)
  – show ip interface (which ACL is applied to each interface, and in which direction)
  – show running-config

35  Summary
 Complex ACLs
  – Dynamic ACL
  – Reflexive ACL
  – Time-based ACL
