Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
In this objective, I’ll discuss the most commonly used advanced access control lists and applications
used by Cisco routers. But first, I am going to mention two security appliances typically
found on a network.
Security Appliances
Two technologies that we can use on our networks to provide security are intrusion prevention
systems (IPS) and intrusion detection systems (IDS).
An IPS is an appliance that monitors network and system activities for malicious or unwanted
behavior and can react, in real time, to block or prevent those activities. An IPS, for example,
operates in-line to monitor all network traffic for malicious code or attacks. When an attack
is detected, it can drop the offending packets while still allowing all other traffic to pass.
An IDS generally detects unwanted manipulations to computer systems, mainly through
the Internet. The manipulations may take the form of attacks by crackers. An intrusion
detection system is used to detect many types of malicious network traffic and computer
usage that can't be detected by a conventional firewall. This includes network attacks
against vulnerable services, data-driven attacks on applications, host-based attacks such as
privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses,
trojan horses, and worms).
Lock and Key (Dynamic ACLs)
This flavor of ACL depends on either remote or local Telnet authentication in combination
with extended ACLs.
Before you can configure a dynamic ACL, you need to apply an extended ACL on your router
to stop the flow of traffic through it. The only way anyone can get through the blockade is to
Telnet to the router and authenticate. It works like this: the Telnet connection the user
initiated gets dropped and is replaced with a single-entry dynamic ACL that’s appended to the
extended ACL already in place. This allows traffic through for a specific amount
of time, and as you may have guessed, time-outs can and do happen.
Reflexive ACLs
These ACLs filter IP packets depending upon upper-layer session information, and they often
permit outbound traffic to pass but place limitations on inbound traffic. You can’t define reflexive
ACLs with numbered or standard IP ACLs, or any other protocol ACLs for that matter. They
can be used along with other standard or static extended ACLs, but they’re only defined with
extended named IP ACLs—that’s it.
6.3 Describe the functions of common security appliances and applications
311
Time-Based ACLs
Time-based ACLs work a lot like extended ACLs do, but their type of access control is totally
time oriented. Basically, you specify a certain time of day and week and then identify that particular
period by giving it a name referenced by a task. So, by necessity, the reference function
will fall under whatever time constraints you’ve dictated. The time period is based upon the
router’s clock, but I highly recommend using it in conjunction with Network Time Protocol
(NTP) synchronization.
Here’s an example:
Corp#config t
Corp(config)#time-range no-http
Corp(config-time-range)#periodic we?
Wednesday weekdays weekend
Corp(config-time-range)#periodic weekend ?
hh:mm Starting time
Corp(config-time-range)#periodic weekend 06:00 to 12:00
Corp(config-time-range)#exit
Corp(config)#time-range tcp-yes
Corp(config-time-range)#periodic weekend 06:00 to 12:00
Corp(config-time-range)#exit
Corp(config)#ip access-list extended Time
Corp(config-ext-nacl)#deny tcp any any eq www time-range no-http
Corp(config-ext-nacl)#permit tcp any any time-range tcp-yes
Corp(config-ext-nacl)#interface f0/0
Corp(config-if)#ip access-group Time in
Corp(config-if)#do show time-range
time-range entry: no-http (inactive)
   periodic weekdays 8:00 to 15:00
   used in: IP ACL entry
time-range entry: tcp-yes (inactive)
   periodic weekend 8:00 to 13:00
   used in: IP ACL entry
Corp(config-if)#
The time-range command is pretty flexible and will drive users crazy if you deny them
basic network access or access to the Internet during off-hours. Be careful with the preceding
commands—make sure you test your list on a nonproduction network before you implement
the lists on your production network.
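As an added example (not from the original page or from Cisco), the following Python model applies the ACL named Time and the two time-ranges exactly as entered above (both weekend 06:00 to 12:00) to a TCP packet at a given clock value, to show why a time-scoped permit plus the implicit deny locks users out of everything outside the window; DAY_SETS, evaluate_acl and decide are names chosen here, and the sample dates are constructed.

```python
from datetime import datetime, time

# 'periodic' day keywords mapped to Python weekday numbers (Monday=0 ... Sunday=6).
# Assumption: only the single-keyword forms are modelled; real IOS also accepts
# explicit day lists and 'absolute' time-ranges.
DAY_SETS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def parse_periodic(spec):
    """'weekend 06:00 to 12:00' -> (weekday set, start time, end time)."""
    days, start, _to, end = spec.split()
    return DAY_SETS[days], time.fromisoformat(start), time.fromisoformat(end)

def time_range_active(spec, now):
    """True when the router clock falls inside the periodic window.
    Treating the end time as exclusive is a modelling assumption."""
    days, start, end = parse_periodic(spec)
    return now.weekday() in days and start <= now.time() < end

def evaluate_acl(acl, time_ranges, packet, now):
    """Walk the ACL top-down and return 'permit' or 'deny' for packet at time now.
    acl entries: (action, protocol, destination port or None, time-range name or None).
    An entry whose time-range is inactive is skipped as if it had never been
    configured, so the implicit deny still catches whatever nothing else matched."""
    for action, proto, dport, tr_name in acl:
        if tr_name is not None and not time_range_active(time_ranges[tr_name], now):
            continue
        if proto == packet["proto"] and (dport is None or dport == packet["dport"]):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL

# The two time-ranges and the ACL named Time, as entered in the configuration above.
TIME_RANGES = {"no-http": "weekend 06:00 to 12:00", "tcp-yes": "weekend 06:00 to 12:00"}
ACL_TIME = [("deny", "tcp", 80, "no-http"), ("permit", "tcp", None, "tcp-yes")]

def decide(dport, when_iso):
    """Decision for a TCP packet to dport arriving on f0/0 at ISO time when_iso."""
    when = datetime.fromisoformat(when_iso)
    return evaluate_acl(ACL_TIME, TIME_RANGES, {"proto": "tcp", "dport": dport}, when)

if __name__ == "__main__":  # 2024-06-01 is a Saturday, 2024-06-03 a Monday (constructed)
    print(decide(80, "2024-06-01T08:00"))  # deny: no-http is active
    print(decide(22, "2024-06-01T08:00"))  # permit: tcp-yes is active
    print(decide(22, "2024-06-03T08:00"))  # deny: both ranges inactive, implicit deny wins
```

Note the third case: on a weekday nothing in the list is active, so the implicit deny blocks all TCP, which is exactly the off-hours lockout the warning above describes.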
Remarks
The remark keyword is the tool to grab here, and it’s really important because it arms
you with the ability to include comments, or rather remarks, regarding the entries you’ve made
in both your IP standard and extended ACLs. Remarks are very cool because they efficiently
increase your ability to examine and understand your ACLs to the superhero level. Without
them, you’d be caught in a quagmire of meaningless numbers without anything to help you
recall what those numbers mean.
312 Chapter 6 Identify security threats to a network and describe general methods
Even though you have the option of placing your remarks either before or after a permit or
deny statement, I totally recommend that you position them consistently, so you don’t
get confused about which remark is relevant to which one of your permit or deny statements.
To get this going for both standard and extended ACLs, just use the
access-list access-list-number remark remark global configuration command. And if you
want to get rid of a remark, just use the command’s no form.
Let’s take a look at an example of how to use the remark command:
R2#config t
R2(config)#access-list 110 remark Permit Bob from Sales Only To Finance
R2(config)#access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
R2(config)#access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
R2(config)#ip access-list extended No_Telnet
R2(config-ext-nacl)#remark Deny all of Sales from Telnetting to Marketing
R2(config-ext-nacl)#deny tcp 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255 eq 23
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#do show run
[output cut]
!
ip access-list extended No_Telnet
remark Stop all of Sales from Telnetting to Marketing
deny tcp 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255 eq telnet
permit ip any any
!
access-list 110 remark Permit Bob from Sales Only To Finance
access-list 110 permit ip host 172.16.10.1 172.16.20.0 0.0.0.255
access-list 110 deny ip 172.16.10.0 0.0.0.255 172.16.20.0 0.0.0.255
!
I was able to add a remark to both a numbered extended list and a named access list. However, you
cannot see these remarks in the output of the show access-list command, only in the
running-config.
Context-Based Access Control (Cisco IOS Firewall)
You’ve got to have the Cisco IOS Firewall feature set in the IOS to make use of CBAC, and the funny
thing is, it’s rare to hear someone—even Cisco—differentiate between the two. People usually
just refer to the Cisco IOS Firewall and leave it at that. But what is it?
Well, CBAC’s job is to scrutinize any and all traffic that’s attempting to come through
the firewall, so it can find out about and control the state information for TCP and UDP sessions.
It then uses that gathered information to determine whether to create a temporary
pathway through the firewall’s access lists.
To make this happen, just configure ip inspect lists in the same direction that the traffic is
flowing. If you don’t do this, any return traffic won’t be able to get back through, which will negatively
impact any session connections originating from inside the internal network in a big way.
Take a look at Figure 6.2, which illustrates in a very simple way how the Cisco IOS Firewall
(CBAC) works.
FIGURE 6.2 Cisco IOS Firewall (CBAC) example
A router that’s configured with the Cisco IOS Firewall will process traffic in the following
manner:
1. First, if the inside ACL approves, the router will get all inside packets sent to it.
2. Next, the approved traffic is subjected to the firewall’s ip inspect process, which adds
the approved connection’s state information into the state table.
3. Finally, the traffic passes through the IP inspect process, which then creates a dynamic
ACL entry and puts it into the outside ACL so that the return traffic will be allowed to
pass back through the router.
[Figure 6.2 labels: inside interface with an inside ACL that permits inside trusted traffic; outside interface with an outside ACL that by default denies all traffic inbound to the interface; inspect process between them; traffic flow direction marked as steps 1 to 4]
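To make the three steps concrete, here is an added Python model (not Cisco’s code or the page’s) of the flow in Figure 6.2: an inside ACL, an inspect process that records state and adds a dynamic 5-tuple entry to a deny-all outside ACL, and an inspect_applied switch showing what happens when ip inspect is not applied in the direction the traffic flows; the class name, function names and IP addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

INSIDE_TRUSTED = ip_network("10.1.1.0/24")   # constructed: the network the inside ACL permits

def five_tuple(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

class CbacRouter:
    """Inside interface with an inside ACL and 'ip inspect' applied in the direction
    the traffic flows; outside interface whose ACL denies everything inbound unless
    a dynamic entry created by the inspect process matches the packet."""

    def __init__(self, inspect_applied=True):
        self.inspect_applied = inspect_applied
        self.state_table = set()          # sessions recorded by the inspect process
        self.outside_dynamic_acl = set()  # temporary return-traffic permits (5-tuples)

    def inside_acl(self, pkt):
        """Step 1: the inside ACL approves only traffic sourced from the trusted network."""
        return ip_address(pkt["src"]) in INSIDE_TRUSTED

    def outbound(self, pkt):
        """Packet arriving on the inside interface, heading out."""
        if not self.inside_acl(pkt):
            return "deny"
        if self.inspect_applied and pkt["proto"] in ("tcp", "udp"):
            # Step 2: add the approved connection's state to the state table.
            self.state_table.add(five_tuple(pkt))
            # Step 3: dynamic entry in the outside ACL that matches only the reply direction.
            self.outside_dynamic_acl.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        return "permit"

    def inbound(self, pkt):
        """Packet arriving on the outside interface: the static outside ACL is deny-all,
        so only a matching dynamic entry lets it through."""
        return "permit" if five_tuple(pkt) in self.outside_dynamic_acl else "deny"

def demo(inspect_applied=True):
    """Outbound web session, its legitimate reply, and an unsolicited inbound probe.
    All addresses are constructed sample values."""
    r = CbacRouter(inspect_applied)
    request = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "203.0.113.10", "dport": 80}
    reply = {"proto": "tcp", "src": "203.0.113.10", "sport": 80, "dst": "10.1.1.5", "dport": 40000}
    unsolicited = {"proto": "tcp", "src": "198.51.100.7", "sport": 4444, "dst": "10.1.1.5", "dport": 445}
    return r.outbound(request), r.inbound(reply), r.inbound(unsolicited)

if __name__ == "__main__":
    print(demo())       # ('permit', 'permit', 'deny')
    print(demo(False))  # ('permit', 'deny', 'deny'): without inspect, the reply is dropped
```

The second call reproduces the caveat above: with no inspect process in the traffic's direction, nothing opens the outside ACL and the session's return traffic never gets back in.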
Authentication Proxy
I have this set on all of my routers, but to be able to do that you must also have the Cisco IOS
Firewall feature set up. I have the configuration set up this way because the authentication
proxy is a good thing to have on your side.
This is true because it authenticates inbound users, outbound users, or both. Those who
would normally be blocked by an ACL can just bring up a browser to get through the firewall
and then authenticate on a TACACS+ or RADIUS server.
Exam Objectives
Remember the two types of security appliances typically found on a network. The two
types of security appliances that you’ll typically find on a network that provide security are
intrusion prevention systems (IPS) and intrusion detection systems (IDS).
Understand what CBAC is. Context-Based Access Control scrutinizes any and all traffic
that’s attempting to come through the firewall, so it can find out about and control the state
information for TCP and UDP sessions.