
Filtering Traffic Using Access Control Lists



  1. Filtering Traffic Using Access Control Lists Introducing Routing and Switching in the Enterprise – Chapter 8

  2. Objectives • Describe traffic filtering and explain how Access Control Lists (ACLs) can filter traffic at router interfaces. • Analyze the use of wildcard masks. • Configure and implement ACLs. • Create and apply ACLs to control specific types of traffic. • Log ACL activity and integrate ACL best practices.

  3. 8.1 Describe Traffic Filtering • Analyze the contents of a packet to decide whether it should be allowed or dropped • Can be simple or complex • Traffic can be filtered based on • source IP, destination IP, MAC address, protocol, application type (port) • Similar to junk email filtering • Improves network performance • Dropping denied traffic close to its source avoids spending bandwidth and router resources carrying packets that will only be discarded further along

  4. 8.1.1 Describe Traffic Filtering Devices most commonly used to provide traffic filtering: • Firewalls built into integrated routers (e.g. Linksys) • Dedicated security appliances • Server-based firewalls • Cisco routers with IOS firewall features

  5. 8.1 Describe Traffic Filtering ACLs identify traffic for multiple uses such as: • Specifying internal hosts for NAT • Classifying traffic for QoS and queuing • Restricting the contents of routing updates • Limiting debug output • Controlling virtual terminal (VTY) access to routers

  6. 8.1 Describe Traffic Filtering Possible problems resulting from using ACLs: • Increased load on router to check each packet • Poorly designed ACLs can cause possible network disruption • Unintended consequences from incorrect placement

  7. 8.1 Describe Traffic Filtering • Standard ACLs filter on source IP address only • Numbers 1-99 and 1300-1999 • Extended ACLs filter on source and destination address, as well as protocol and port number • Numbers 100-199 and 2000-2699 • Named ACLs can be either standard or extended • Referenced by a descriptive name rather than a number

  8. 8.1 Describe Traffic Filtering

  9. 8.1 Describe Traffic Filtering • ACLs consist of one or more statements • Each statement either permits or denies based on the specified parameters • The final statement is always an implicit deny (it applies even though you don't enter it) • An ACL must be applied to an interface (or a VTY line) to take effect • Applied either inbound or outbound • Statements are checked top down and the first match ends processing, so order them carefully

  10. 8.1 Describe Traffic Filtering • ACL is applied inbound or outbound • Direction is from the router’s perspective • will the router allow it in from the interface? • will the router allow the traffic to go out to the interface? • Each interface can have one ACL per direction for each network protocol

  11. 8.1 Describe Traffic Filtering

  12. 8.2 Analyze the Use of Wildcard Masks • A wildcard mask lets one statement cover a range of addresses or a whole network • 0 bits mark the parts of the IP address that must match the address in the ACL statement • 1 bits mark the parts that do not have to match • So a wildcard of all ZEROS (0.0.0.0) requires an exact match of all 32 bits of the IP address • Equivalent to the host keyword • The logic is the inverse of a subnet mask: 255.255.255.255 minus the subnet mask gives the wildcard

  13. 8.2 Analyze the Use of Wildcard Masks • Use the host parameter in place of a 0.0.0.0 wildcard • Use the any parameter in place of a 255.255.255.255 wildcard

  14. 8.2 Analyze the Use of Wildcard Masks (wildcard mask examples table; values shown on the slide: 0.0.0.255, 0.0.0.0, 0.0.255.255, 0.255.255.255)

  15. 8.2 Filtering subnet traffic 3 bits are used for subnetting: 192.168.77.0 with subnet mask 255.255.255.224 (/27). Subtracting the subnet mask from the all-255s mask (255.255.255.255 - 255.255.255.224) gives a wildcard mask of 0.0.0.31. To permit all the hosts on the 192.168.77.32 subnet, the ACL statement is: access-list 44 permit 192.168.77.32 0.0.0.31 This statement matches 192.168.77.32 through 192.168.77.63, i.e. every address on the 192.168.77.32/27 subnet: the usable hosts .33 to .62, plus the subnet and broadcast addresses, which a wildcard cannot exclude.
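As an added worked example (not part of the course slides), the wildcard mask arithmetic above in Python: deriving the wildcard from a subnet mask or prefix length, testing an address against an address/wildcard pair, and computing the range a statement covers. It uses the slide's 192.168.77.32 0.0.0.31 case and, going beyond the slide, a non-contiguous wildcard (0.0.254.255, which selects even third octets); IOS accepts such masks, but they cover a scattered set rather than a single address range. All addresses are constructed and the function names are this example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (its bitwise inverse)."""
    return to_dotted(ALL_ONES ^ to_int(subnet_mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same derivation starting from a /N prefix length."""
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return to_dotted(ALL_ONES ^ subnet_mask)


def matches(address: str, acl_address: str, wildcard: str) -> bool:
    """0 bits in the wildcard must match the ACL address; 1 bits are ignored.

    host X  is shorthand for  X 0.0.0.0              (all 32 bits checked)
    any     is shorthand for  0.0.0.0 255.255.255.255 (no bit checked)
    """
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(address) & care) == (to_int(acl_address) & care)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 1 bits at the low end (subnet shaped)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def matched_range(acl_address: str, wildcard: str) -> tuple:
    """(first, last) address covered by an address/wildcard pair.

    Only defined for contiguous wildcards: a non-contiguous wildcard selects
    a scattered set of addresses, not one range.
    """
    if not is_contiguous(wildcard):
        raise ValueError("range is undefined for a non-contiguous wildcard")
    w = to_int(wildcard)
    base = to_int(acl_address) & (ALL_ONES ^ w)   # clear the don't-care bits
    return to_dotted(base), to_dotted(base | w)   # set them all for the last address


def matched_count(wildcard: str) -> int:
    """How many addresses one statement covers: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def usable_hosts(acl_address: str, wildcard: str) -> tuple:
    """First/last usable host, excluding the subnet and broadcast addresses.

    The ACL statement itself still matches those two addresses.
    """
    first, last = matched_range(acl_address, wildcard)
    if wildcard == "0.0.0.0":                     # a host statement has no network/broadcast
        return first, last
    return to_dotted(to_int(first) + 1), to_dotted(to_int(last) - 1)


if __name__ == "__main__":
    # The slide's case: 192.168.77.0 with mask 255.255.255.224 (/27)
    wc = wildcard_from_subnet_mask("255.255.255.224")
    print("access-list 44 permit 192.168.77.32", wc)
    print("statement matches", matched_range("192.168.77.32", wc))
    print("usable hosts", usable_hosts("192.168.77.32", wc))
    # Beyond the slide: 172.16.0.0 0.0.254.255 selects even third octets only
    print(matches("172.16.4.9", "172.16.0.0", "0.0.254.255"),
          matches("172.16.5.9", "172.16.0.0", "0.0.254.255"))
```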

  16. 8.2 Filtering subnet traffic

  17. 8.3 Placing Standard and Extended ACLs • Determine traffic filtering requirements • Based on customer needs, traffic types, traffic loads and security concerns • Decide which type of ACL to use • Standard ACL • simple to create • Only filter on source address • Filter all traffic regardless of destination • Place close to destination • Extended ACL • More control than standard • Filter on source and destination • Filter by protocol and port numbers • Place close to source

  18. 8.3.1 Placing Standard and Extended ACLs • Determine the router and interface on which to apply the ACL • Determine in which direction to filter traffic • Visualize the traffic flow from the perspective of the router

  19. 8.3 Placing Standard and Extended ACLs

  20. 8.3 Placing Standard and Extended ACLs

  21. 8.3.3 Configure and Implement Access Control Lists: Numbered Standard ACL • Use the access-list command to enter statements • Use the same number for all statements in the list (1-99, 1300-1999) • Place specific statements first, then more general ones • Statements are checked in order and the first match ends processing, so a general statement placed first shadows any specific statement below it • Apply as close to the destination as possible (a standard ACL cannot specify the destination, so placing it near the source would block the traffic to every destination)

  22. 8.3.3 Configure and Implement Access Control Lists: Numbered Standard ACL • Keep in mind that once a match is found, no other statements in the ACL are checked • So if one line permits and a later line denies the same traffic, it is permitted • Place the most specific statements first • To delete an ACL use the no access-list command • A numbered ACL can only be deleted as a whole, and statements added later are appended to the end, so you cannot insert a statement in the middle • Copy the ACL to a text editor first so you can delete it and re-enter it in the correct order • Assign it to an interface as inbound or outbound with this command R2(config)#interface fastethernet 0/0 R2(config-if)#ip access-group 5 in • If no direction is given, the default is out • To remove an ACL from an interface, enter the no form of the same command: R2(config-if)#no ip access-group 5 in

  23. 8.3.3 Configure and Implement Access Control Lists: Numbered Standard ACL

  24. 8.3.3 Configure and Implement Access Control Lists: Numbered standard ACL

  25. 8.3.3 Configure and Implement Access Control Lists: Numbered standard ACL

  26. 8.3.3 Configure and Implement Access Control Lists: Numbered standard ACL remember: specific to general

  27. DO LAB 8.3.3 • Verifying standard ACLs

  28. 8.3.4 Configure and Implement Access Control Lists: Numbered Extended ACL • Use the access-list command to enter statements • Use the same number for all statements • Number ranges: 100-199, 2000-2699 • Specify a protocol to permit or deny • Place as close to the source as possible, so denied traffic is dropped before it crosses the network • The key difference from a standard ACL is the requirement to specify a protocol after the permit or deny keyword • The protocol can be ip, meaning all IP traffic regardless of the transport protocol • or a specific IP protocol (tcp, udp, icmp, ospf and others), followed by source and destination addresses and, for tcp/udp, optional port conditions
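The first-match rule, the implicit deny and the shadowing problem from slides 9, 21 and 22, together with the protocol and port fields of extended lists on this slide, as an added Python example (not from the course and not Cisco IOS code): a parser for numbered standard and extended access-list statements and a top-down evaluator. The three constructed lists show a deny that can never be reached because a broader permit precedes it, the corrected order, and an extended list that ends in an explicit deny ip any any log. The parser covers only the statement forms used here (any, host, address/wildcard, eq/neq/lt/gt/range, a trailing log keyword); ICMP type keywords, the established option and named lists are not handled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF
STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" = any IP protocol; always "ip" for a standard list
    src: Tuple[int, int]   # (address, wildcard) as integers
    dst: Tuple[int, int]   # a standard list gets (0, ALL_ONES), i.e. any
    sport: object          # (operator, low, high) or None
    dport: object
    log: bool
    text: str              # the statement as entered, reported on match


def _parse_address(tokens: List[str]) -> Tuple[int, int]:
    tok = tokens.pop(0)
    if tok == "any":                          # any    == 0.0.0.0 255.255.255.255
        return (0, ALL_ONES)
    if tok == "host":                         # host X == X 0.0.0.0
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    if tokens and tokens[0].count(".") == 3:  # address followed by its wildcard
        return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))
    return (int(ipaddress.IPv4Address(tok)), 0)  # bare address: IOS treats it as a host


def _parse_port(tokens: List[str]):
    if not tokens or tokens[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op, low = tokens.pop(0), int(tokens.pop(0))
    return (op, low, int(tokens.pop(0)) if op == "range" else low)


def parse_statement(line: str) -> Tuple[int, Entry]:
    """Parse one numbered 'access-list N permit|deny ...' statement."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        proto, src, sport = "ip", _parse_address(rest), None
        dst, dport = (0, ALL_ONES), None      # a standard list never looks at the destination
    elif any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        proto = rest.pop(0)                   # the protocol keyword is what extended lists add
        src, sport = _parse_address(rest), _parse_port(rest)
        dst, dport = _parse_address(rest), _parse_port(rest)
    else:
        raise ValueError(f"{number} is not a standard or extended ACL number")
    log = bool(rest) and rest[0].startswith("log")
    return number, Entry(action, proto, src, dst, sport, dport, log, line)


def parse_acl(lines: List[str]) -> List[Entry]:
    """All statements must carry the same number; order is kept as entered."""
    parsed = [parse_statement(line) for line in lines]
    numbers = {number for number, _ in parsed}
    if len(numbers) != 1:
        raise ValueError(f"statements belong to different lists: {sorted(numbers)}")
    return [entry for _, entry in parsed]


def _addr_match(address: str, spec: Tuple[int, int]) -> bool:
    care = ALL_ONES ^ spec[1]                 # wildcard 0 bits must match, 1 bits are ignored
    return (int(ipaddress.IPv4Address(address)) & care) == (spec[0] & care)


def _port_match(cond, port: int) -> bool:
    if cond is None:
        return True
    op, low, high = cond
    return {"eq": port == low, "neq": port != low, "lt": port < low,
            "gt": port > low, "range": low <= port <= high}[op]


def evaluate(entries: List[Entry], src: str, dst: str,
             protocol: str = "ip", sport: int = 0, dport: int = 0) -> Tuple[str, str, bool]:
    """Top down, first match wins; no match falls through to the implicit deny."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if not (_addr_match(src, e.src) and _addr_match(dst, e.dst)):
            continue
        if not (_port_match(e.sport, sport) and _port_match(e.dport, dport)):
            continue
        return e.action, e.text, e.log
    return "deny", "implicit deny", False     # the implicit deny never logs


# Constructed lists for the demonstration (not from the slides).
ACL_5_WRONG_ORDER = [  # the deny is unreachable: the broader permit above it matches first
    "access-list 5 permit 192.168.1.0 0.0.0.255",
    "access-list 5 deny host 192.168.1.7",
]
ACL_5_RIGHT_ORDER = [  # specific first, then general
    "access-list 5 deny host 192.168.1.7",
    "access-list 5 permit 192.168.1.0 0.0.0.255",
]
ACL_101 = [
    "access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.5 eq 80",
    "access-list 101 deny tcp any host 172.16.1.5 eq 23 log",
    "access-list 101 deny ip any any log",
]
```

evaluate returns the action, the statement that produced it and whether that statement carries log, so the shadowed deny in ACL_5_WRONG_ORDER shows up directly: the host is permitted by the first line and the deny is never consulted.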

  29. 8.3.4 Configure and Implement AccessControl Lists: Numbered Extended ACL

  30. 8.3.5 Configure and Implement Access Control Lists: Named ACLs • A descriptive name replaces the number range • Use the ip access-list standard or ip access-list extended command, followed by the name, to create the list and enter its configuration mode • Enter the succeeding statements starting with either permit or deny (no access-list prefix) • Apply in the same way as a numbered standard or extended ACL, using the name in place of the number

  31. 8.3.6 Configure and Implement Access Control Lists: VTY access • Restricting virtual terminal (VTY) line access increases network security • Stops intruders trying to gain management access to the router • An access list applied to the VTY lines permits only the specified source IP addresses • Use the access-class command to apply the ACL to the lines instead of ip access-group • Use a numbered standard ACL • Apply identical restrictions to all VTY lines

  32. 8.3.6 Configure and Implement Access Control Lists: VTY access • Create the ACL in global configuration mode, then apply it in line configuration mode (line vty) • Use the access-class command to apply the ACL • Use a numbered ACL • Apply identical restrictions to all VTY lines

  33. Create and Apply ACLs to Control Specific Types of Traffic • Use a condition operator when filtering on port numbers: eq (equal), lt (less than), gt (greater than), neq (not equal) • Deny all the ports a multi-port application uses, e.g. FTP uses TCP 21 for control and TCP 20 for data • Use the range operator to filter a group of consecutive ports with one statement

  34. Create and Apply ACLs to Control Specific Types of Traffic • Block harmful external traffic while allowing internal users unrestricted access • Ping: allow ICMP echo replies in from outside while denying echo requests from outside the network, so inside hosts can ping out but outside hosts cannot ping in • Stateful packet inspection: permit return traffic only for sessions initiated from inside

  35. Create and Apply ACLs to Control Specific Types of Traffic • Account for NAT when creating and applying ACLs to a NAT interface • Filter public addresses on a NAT outside interface • Filter private addresses on a NAT inside interface

  36. Create and Apply ACLs to Control Specific Types of Traffic • Examine every ACL one line at a time to avoid unintended consequences

  37. Create and Apply ACLs to Control Specific Types of Traffic • Apply ACLs to VLAN interfaces or subinterfaces just as with physical interfaces

  38. Log ACL Activity and ACL Best Practices • Logging provides additional details (syslog severity 6, informational) on packets denied or permitted: list number, action, protocol, source and destination addresses and ports, and packet count • Add the log keyword to the end of each ACL statement to be tracked

  39. Log ACL Activity and ACL Best Practices Syslog messages: • Status of router interfaces • ACL messages • Bandwidth, protocols in use, configuration events

  40. Log ACL Activity and ACL Best Practices • Always test basic connectivity before applying ACLs • When logging denied traffic, add an explicit deny ip any any log (deny any log for a standard ACL) statement at the end of the ACL; the implicit deny drops packets silently and never logs • Use reload in 30 when testing ACLs on remote routers, so the router reverts to its saved configuration in 30 minutes if the new ACL locks you out; once the ACL is verified, enter reload cancel and only then save the configuration
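An added example of what to do with the log output described in slides 38 to 40 (not part of the course material): ACL hits appear as %SEC-6-IPACCESSLOGP (TCP/UDP, with ports), %SEC-6-IPACCESSLOGDP (ICMP, with type/code) and %SEC-6-IPACCESSLOGNP (other protocols, by number) syslog messages. The sample lines below are constructed to follow that shape and are not a real capture, and the regular expression is an approximation of the typical message layout rather than an official grammar. The code extracts the hits, sums the per-message packet counts for each denied source and lists the services each source was refused, which is the view needed when deciding whether a denied source is a misconfigured host or a scanner.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed syslog excerpt in the shape IOS uses for ACL 'log' hits; not a real capture.
# The LINK message is there to show that unrelated lines are skipped.
SAMPLE_LOG = """\
*Mar  1 00:12:45.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40123) -> 172.16.1.5(23), 1 packet
*Mar  1 00:13:01.007: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.20(51000) -> 172.16.1.5(80), 1 packet
*Mar  1 00:17:45.130: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40124) -> 172.16.1.5(23), 14 packets
*Mar  1 00:17:46.001: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.9.9.9 -> 172.16.1.5 (8/0), 3 packets
*Mar  1 00:18:00.000: %SEC-6-IPACCESSLOGNP: list 101 denied 47 10.9.9.9 -> 172.16.1.5, 1 packet
*Mar  1 00:18:30.500: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.4(53) -> 172.16.1.53(53), 2 packets
*Mar  1 00:19:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
"""

# Approximation of the message layout: ports in parentheses for tcp/udp,
# "(type/code)" after the destination for icmp, neither for other protocols.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    count: int


def parse_acl_log(text: str) -> List[AclHit]:
    """Extract ACL hits from a syslog excerpt; lines that are not ACL messages are skipped."""
    hits = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        hits.append(AclHit(
            acl=m["acl"], action=m["action"], proto=m["proto"],
            src=m["src"], dst=m["dst"],
            sport=int(m["sport"]) if m["sport"] else None,
            dport=int(m["dport"]) if m["dport"] else None,
            count=int(m["count"]),   # IOS aggregates: one message may stand for many packets
        ))
    return hits


def denied_packets_by_source(hits: List[AclHit]) -> Counter:
    """Total denied packets per source address, summing the per-message counts."""
    totals = Counter()
    for h in hits:
        if h.action == "denied":
            totals[h.src] += h.count
    return totals


def denied_services_by_source(hits: List[AclHit]) -> Dict[str, List[str]]:
    """Which protocol/port each source was refused: a scanner touches many, a misconfigured host one."""
    services = defaultdict(set)
    for h in hits:
        if h.action == "denied":
            services[h.src].add(f"{h.proto}/{h.dport}" if h.dport is not None else h.proto)
    return {src: sorted(s) for src, s in services.items()}


def noisy_sources(hits: List[AclHit], threshold: int) -> List[str]:
    """Sources whose denied-packet total reaches the threshold, busiest first."""
    totals = denied_packets_by_source(hits)
    return [src for src, n in totals.most_common() if n >= threshold]
```

IOS logs the first matching packet at once and then reports further matches in a summary message (by default every five minutes, or earlier when the ip access-list log-update threshold is reached), so the packet count in each message has to be summed rather than counting lines. Packets that hit a statement with log are process-switched, so put log on the deny statements you care about rather than on high-volume permits.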

  41. Summary • ACLs enable traffic management and secure access to and from a network and its resources • Apply an ACL to filter inbound or outbound traffic • ACLs can be standard, extended, or named • Using a wildcard mask provides flexibility • There is an implicit deny statement at the end of an ACL • Account for NAT when creating and applying ACLs • Logging provides additional details on filtered traffic
