ACL Concepts PDF

Topic 2: ACL Concepts Enterprise Networking, Security, and Automation v7.0 (ENSA) Objectives Explain how ACLs are used as part of a network security policy. Topic Title Topic Objective Purpose of ACLs Explain how ACLs filter traffic. Wildcard Masks in ACLs Explain how ACLs use wildcard masks. Guidelines for ACL Explain how to create ACLs. Creation Types of IPv4 ACLs Compare standard and extended IPv4 ACLs. 2 Purpose of ACLs 3 Purpose of ACLs What is an ACL? ▪ An ACL is a series of IOS commands that are used to filter packets based on information found in the packet header. ▪ By default, a router does not have any ACLs configured. When an ACL is applied to an interface, the router performs the additional task of evaluating all network packets as they pass through the interface to determine if the packet can be forwarded. ▪ An ACL uses a sequential list of permit or deny statements, known as access control entries (ACEs). ▪ Note: ACEs are also commonly called ACL statements. ▪ When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each ACE, in sequential order, to determine if the packet matches one of the ACEs. This process is called packet filtering. 4 Purpose of ACLs What is an ACL? (Cont.) ▪ Several tasks performed by routers require the use of ACLs to identify traffic: Limit network traffic to increase network performance Provide traffic flow control Provide a basic level of security for network access Filter traffic based on traffic type Screen hosts to permit or deny access to network services Provide priority to certain classes of network traffic 5 Purpose of ACLs Packet Filtering ▪ Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and forwarding them or discarding them based on given criteria. ▪ Packet filtering can occur at Layer 3 or Layer 4. ▪ Cisco routers support two types of ACLs: Standard ACLs - ACLs only filter at Layer 3 using the source IPv4 address only. Extended ACLs - ACLs filter at Layer 3 using the source and / or destination IPv4 address. They can also filter at Layer 4 using TCP, UDP ports, and optional protocol type information for finer control. 6 Purpose of ACLs ACL Operation ▪ ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ▪ ACLs can be configured to apply to inbound traffic and outbound traffic. Note: ACLs do not act on packets that originate from the router itself. ▪ An inbound ACL filters packets before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. ▪ An outbound ACL filters packets after being routed, regardless of the inbound interface. 7 Purpose of ACLs ACL Operation (Cont.) ▪ Here are the operational steps used when traffic has entered a router interface with an inbound standard IPv4 ACL configured: 1. The router extracts the source IPv4 address from the packet header. 2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a sequential order. 3. When a match is made, the router carries out the instruction, either permitting or denying the packet, and the remaining ACEs in the ACL, if any, are not analyzed. 4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because there is an implicit deny ACE automatically applied to all ACLs. ▪ The last ACE statement of an ACL is always an implicit deny that blocks all traffic. It is hidden and not displayed in the configuration. Note: An ACL must have at least one permit statement otherwise all traffic will be denied due to the implicit deny ACE statement. 8 Wildcard Masks in ACLs 9 Wildcard Masks in ACLs Wildcard Mask Overview ▪ A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. ▪ Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true. ▪ An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. ▪ Wildcard masks use the following rules to match binary 1s and 0s: Wildcard mask bit 0 - Match the corresponding bit value in the address Wildcard mask bit 1 - Ignore the corresponding bit value in the address 10 Wildcard Masks in ACLs Wildcard Mask Overview (Cont.) Last Octet (in Wildcard Mask Meaning (0 - match, 1 - ignore) Binary) 0.0.0.0 00000000 Match all octets. Match the first three octets 0.0.0.63 00111111 Match the two left most bits of the last octet Ignore the last 6 bits Match the first three octets 0.0.0.15 00001111 Match the four left most bits of the last octet Ignore the last 4 bits of the last octet Match the first three octets 0.0.0.252 11111100 Ignore the six left most bits of the last octet Match the last two bits Match the first three octet 0.0.0.255 11111111 Ignore the last octet 11 Wildcard Masks in ACLs Wildcard Mask Types Wildcard to Match a Host: ▪ Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that “0” equals a match and “1” equals ignore. ▪ To match a specific host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required. ▪ When the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0. Decimal Binary IPv4 address 192.168.1.1 11000000.10101000.00000001.00000001 Wildcard Mask 0.0.0.0 00000000.00000000.00000000.00000000 Permitted IPv4 192.168.1.1 11000000.10101000.00000001.00000001 Address 12 Wildcard Masks in ACLs Wildcard Mask Types (Cont.) Wildcard Mask to Match an IPv4 Subnet ▪ ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. ▪ The wildcard mask 0.0.0.255 stipulates that the very first three octets must match exactly but the fourth octet does not. ▪ When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255. Decimal Binary IPv4 address 192.168.1.1 11000000.10101000.00000001.00000001 Wildcard Mask 0.0.0.255 00000000.00000000.00000000.11111111 Permitted IPv4 192.168.1.0/24 11000000.10101000.00000001.00000000 Address 13 Wildcard Masks in ACLs Wildcard Mask Types (Cont.) Wildcard Mask to Match an IPv4 Address Range ▪ ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks. 16 = 00010000 17 = 00010001 ▪ This network range could be summarized as 192.168.16.0/20 with... 31 = 00011111 a subnet mask of 255.255.240.0 16 = 00010000 ▪ When processed, the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255. Decimal Binary IPv4 address 192.168.16.0 11000000.10101000.00010000.00000000 Wildcard Mask 0.0.15.255 00000000.00000000.00001111.11111111 192.168.16.0/24 11000000.10101000.00010000.00000000 Permitted IPv4 to Address 192.168.31.0/24 11000000.10101000.00011111.00000000 14 Wildcard Masks in ACLs Wildcard Mask Calculation ▪ Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255. Some examples: ▪ Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (255.255.255.0) from 255.255.255.255. This produces the wildcard mask 0.0.0.255. The ACE would be access-list 10 permit 192.168.3.0 0.0.0.255. ▪ Assume you wanted an ACE in ACL 10 to permit network access for the 14 users in the subnet 192.168.3.32/28. Subtract the subnet (i.e., 255.255.255.240) from 255.255.255.255. This produces the wildcard mask 0.0.0.15. The ACE would be access- list 10 permit 192.168.3.32 0.0.0.15. ▪ Assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and 192.168.11.0. These two networks could be summarized as 192.168.10.0/23 which is a subnet mask of 255.255.254.0. Subtract 255.255.254.0 subnet mask from 255.255.255.255. This produces the wildcard mask 0.0.1.255. The ACE would be access-list 10 permit 192.168.10.0 0.0.1.255. 15 Wildcard Masks in ACLs Wildcard Mask Keywords ▪ There are two keywords to identify the most common uses of wildcard masking: host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address. any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses. ▪ Example: The ACL 10 ACE permits only the 192.168.10.10 host and the ACL 11 ACE permits all hosts. Alternatively, the keywords host and any could have been used to replace the highlighted output. The following commands accomplishes the same task as the previous commands. 16 Guidelines for ACL Creation 17 Guidelines for ACL Creation Limited Number of ACLs per Interface ▪ There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-stacked (i.e, IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in the figure. One outbound IPv4 ACL. One inbound IPv4 ACL. One inbound IPv6 ACL. One outbound IPv6 ACL. Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to the interface will depend on the security policy of the organization. 18 Guidelines for ACL Creation ACL Best Practices ▪ Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime, troubleshooting efforts, and poor network service. Basic planning is required before configuring an ACL. Guideline Benefit Base ACLs on the organizational security This will ensure you implement organizational policies. security guidelines. This will help you avoid inadvertently creating Write out what you want the ACL to do. potential access problems. Use a text editor to create, edit, and save all of This will help you create a library of reusable your ACLs. ACLs. This will help you (and others) understand the Document the ACLs using the remark command. purpose of an ACE. Test the ACLs on a development network before This will help you avoid costly errors. implementing them on a production network. 19 Types of IPv4 ACLs 20 Types of IPv4 ACLs Standard and Extended ACLs There are two types of IPv4 ACLs: ▪ Standard ACLs - These permit or deny packets based only on the source IPv4 address. ▪ Extended ACLs - These permit or deny packets based on the source IPv4 address and destination IPv4 address, protocol type, source and destination TCP or UDP ports and more. Example of an extended ACL that permits traffic originating from any host on the 192.168.10.0/24 network to any IPv4 network if the destination host port is 80 (HTTP). 21 Types of IPv4 ACLs Numbered and Named ACLs Numbered ACLs ▪ ACLs numbered 1-99, or 1300-1999 are standard ACLs, while ACLs numbered 100-199, or 2000-2699 are extended ACLs. R1(config)# access-list ? IP standard access list IP extended access list Extended 48-bit MAC address access list IP standard access list (expanded range) Protocol type-code access list IP extended access list (expanded range) 48-bit MAC address access list rate-limit Simple rate-limit specific access list template Enable IP template acls Router(config)# access-list 22 Types of IPv4 ACLs Numbered and Named ACLs (Cont.) Named ACLs ▪ Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard and extended ACLs can be named to provide information about the purpose of the ACL. For example, naming an extended ACL FTP- FILTER is far better than having a numbered ACL 100. ▪ The ip access-list command is used to create a named ACL, as shown. R1(config)# ip access-list extended FTP-FILTER R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data R1(config-ext-nacl)# 23 Types of IPv4 ACLs Where to Place ACLs ▪ Every ACL should be placed where it has the greatest impact on efficiency. ▪ Extended ACLs should be located as close as possible to the source of the traffic to be filtered. ▪ Standard ACLs should be located as close to the destination as possible. 24 Types of IPv4 ACLs Where to Place ACLs (Cont.) Factors Influencing ACL Placement Explanation Placement of the ACL can depend on whether or not the The extent of organizational control organization has control of both the source and destination networks. It may be desirable to filter unwanted traffic at the source to Bandwidth of the networks involved prevent transmission of bandwidth-consuming traffic. It may be easier to implement an ACL at the destination, but traffic will use bandwidth unnecessarily. An extended ACL could be used on each router where the Ease of configuration traffic originated. This would save bandwidth by filtering the traffic at the source, but it would require creating extended ACLs on multiple routers. 25 Types of IPv4 ACLs Standard ACL Placement Example ▪ In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from reaching the 192.168.30.0/24 network. ▪ Following the basic placement guidelines, the administrator would place a standard ACL on router R3. 26 Types of IPv4 ACLs Standard ACL Placement Example (Cont.) There are two possible interfaces on R3 to apply the standard ACL: 1. R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the R3 S0/1/1 interface to deny traffic from.10 network. However, it would also filter.10 traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not be applied to this interface. 2. R3 G0/0 interface (outbound) - The standard ACL can be applied outbound on the R3 G0/0/0 interface. This will not affect other networks that are reachable by R3. Packets from.10 network will still be able to reach the.31 network. This is the best interface to place the standard ACL to meet the traffic requirements. 27 Types of IPv4 ACLs Extended ACL Placement Example ▪ Extended ACLs should be located as close to the source as possible. ▪ However, the organization can only place ACLs on devices that they control. Therefore, the extended ACL placement must be determined in the context of where organizational control extends. ▪ In the figure, for example, Company A wants to deny Telnet and FTP traffic to Company B’s 192.168.30.0/24 network from their 192.168.11.0/24 network, while permitting all other traffic. 28 Types of IPv4 ACLs Extended ACL Placement Example (Cont.) ▪ An extended ACL on R3 would accomplish the task, but the administrator does not control R3. In addition, this solution allows unwanted traffic to cross the entire network, only to be blocked at the destination. ▪ The solution is to place an extended ACL on R1 that specifies both source and destination addresses. ▪ There are two possible interfaces on R1 to apply the extended ACL: 1. R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on the S0/1/0 interface. This solution will process all packets leaving R1 including packets from 192.168.10.0/24. 2. R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on the G0/0/1 and only packets from the 192.168.11.0/24 network are subject to ACL processing on R1. Because the filter is to be limited to only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/1 is the best solution. 29 Appendix – Summary of ACL Configuration Commands 30 Configure Standard IPv4 ACLs Source network or host address to filter: any (all networks); host (specific address) ▪ Create a Numbered Standard IPv4 ACL Syntax Use the no access-list access-list-number command to remove a numbered standard ACL. If omitted, a default ▪ Create a Named Standard IPv4 ACL Syntax 0.0.0.0 mask is assumed. ▪ Apply a Standard IPv4 ACL To remove an ACL from an interface, enter the no ip access-group interface configuration command. ▪ Verify ACLs Use the show running-config command to review the ACL in the configuration file. Use the show ip interface command to verify the ACL is applied to the interface. 31 Configure Numbered Standard ACL Example The ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24 network out interface serial 0/1/0 on router R1. 32 Configure Named Standard ACL Example The ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24 network out interface serial 0/1/0 on router R1. 33 Protocols Options ▪ Extended ACLs can filter on internet protocols and ports. Use the ? to get help when entering a complex ACE. The four highlighted protocols are the most popular options. 34 TCP port options 35 Configure Numbered Extended IPv4 ACLs ▪ To create a numbered extended ACL, use the following global configuration command: Source network or host address to filter. - any keyword to specify all networks. - host ip-address keyword or simply enter an ip- address (without the host keyword) to identify a ip, tcp, udp, icmp. specific IP address. ip matches all IP protocols. Destination network or host address to filter. lt (less than) - any keyword to specify all networks. gt (greater than) - host ip-address keyword or ip-address. eq (equal) neq (not equal). 36 Configure Numbered Extended IPv4 ACLs (cont.) ▪ Extended ACLs can filter on different port number and port name options. ▪ The ACL 100 filters the HTTP traffic by using either the www port name or the port number 80. Both ACEs achieve exactly the same result. ▪ Configuring the port number is required when there is not a specific protocol name listed such as SSH (port number 22) or an HTTPS (port number 443). 37 Apply a Numbered Extended IPv4 ACL ▪ This ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any destination, and it is applied closed to the source inbound on the R1 G0/0/0 interface. Named Extended IPv4 ACL Syntax ▪ To create a named extended ACL, use the ip access-list extended command. ▪ The extended ACL NO-FTP-ACCESS is created and the prompt changed to named extended ACL configuration mode. 38 Named Extended IPv4 ACL Example ▪ Configuring and applying two named extended IPv4 ACLs to an interface: SURFING will permit inside HTTP and HTTPS traffic to exit to the internet. BROWSING will only permit returning web traffic to the inside hosts while all other traffic exiting the R1 G0/0/0 interface is implicitly denied. 39 Named Extended IPv4 ACL Example (Cont.) ▪ The SURFING ACL permits HTTP and HTTPS traffic from inside users to exit the G0/0/1 interface connected to the internet. ▪ Web traffic returning from the internet is permitted back into the inside private network by the BROWSING ACL. Basic firewall to permit ▪ The SURFING ACL is only reply web traffic. applied inbound and the BROWSING ACL is applied outbound on the R1 G0/0/0 interface. 40 Named Extended IPv4 ACL Example (Cont.) ▪ The show access-lists command is used to verify the ACL statistics. ▪ Notice that the permit secure HTTPS counters (i.e., eq 443) in the SURFING ACL and the return established counters in the BROWSING ACL have increased. 41 Edit Extended ACLs Using Sequence Numbers ▪ The ACE sequence number 10 in the SURFING ACL has an incorrect source IP networks address. ▪ To correct this error, the original statement is removed with the no sequence_# command and the corrected statement is added. ▪ The show access-lists command output verifies the configuration change. 42

Document Details

Tags

Related

Summary

Full Transcript