1 Sybex CCNA 640-802 Chapter 10: Security

Upload: florence-phillips

Post on 13-Jan-2016


TRANSCRIPT

Page 1: 1 Sybex CCNA 640-802 Chapter 10: Security. Chapter 10 Objectives The CCNA Topics Covered in this chapter include: Introduction to Security –Types of attacks


Sybex CCNA 640-802 Chapter 10: Security

Page 2:

The CCNA topics covered in this chapter include:

• Introduction to Security
  – Types of attacks
  – Mitigating attacks
  – Types of hardware used for defense: firewalls
    • Application Layer Gateways (ALGs)
    • Packet filtering
    • Stateful packet filtering
• Access lists
  – Standard
  – Extended
  – Named
  – Monitoring access lists

Page 3:

(c) University of Technology, Sydney 2000 - 2004

Earliest firewalls?

"What is the air-speed velocity of an unladen swallow?"

Page 4:

[Figure: perimeter diagram with ACL placement labels, "ACLs normally go here" and "ACLs sometimes go here"]

Any server that must be reachable from the Internet belongs in the DMZ, so that the "trusted" inner network is not exposed directly to Internet traffic. The web and email servers in the figure are placed there, as are DNS, proxy, reverse proxy, FTP and VoIP servers. Treat a DMZ host as semi-trusted at best: if it is compromised, the ACLs between the DMZ and the inner network are what limit the attacker's next hop, so they deserve the same care as the ones facing the Internet.

Page 5:

[Figure: DMZ between Internet and Network ("between the barbarians and the Keep"); labels: Web server, DMZ]

Page 6:

• The ALG (application layer gateway, i.e. a proxy) intercepts the client's connection and establishes its own connection to the Internet host on behalf of the client, so no packet from the inside host reaches the outside directly. Because it terminates the session, it can inspect and enforce the application protocol (HTTP, FTP, and so on), which a packet filter cannot.

• See notes

Page 7:

• Stateless ACLs filter each packet on its own, based on source and destination IP addresses, TCP and UDP port numbers, TCP flags, and ICMP types and codes. They keep no memory of earlier packets, so return traffic for a connection opened from inside has to be permitted with a generic rule (for example, anything with the ACK bit set), and an attacker can craft packets that satisfy that rule without any connection ever having existed.

• Stateful inspection remembers details of the request (the connection "state": addresses, ports, sequence numbers) and permits a reply only if it matches a connection it saw being opened.

• See notes
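The difference between the two bullets is easiest to see in code. The following Python simulation is an added example, not part of the slides or of any Cisco software: it models an inbound stateless rule equivalent to the IOS line permit tcp any any established (which matches any segment with the ACK or RST bit set) next to a minimal stateful connection table. The addresses, ports and packets are constructed for the demonstration.

```python
"""Stateless ACL vs stateful inspection, simulated.

Added example, not from the slides. It models the return-traffic problem:
a stateless 'permit ... established' rule cannot tell a genuine reply from
a crafted packet that merely sets the ACK flag; a stateful table can.
All addresses, ports and packets below are constructed for the demo.
"""
from dataclasses import dataclass

INSIDE_NET = "10.1.1."          # constructed: inside addresses start with this


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # subset of "SA": S = SYN, A = ACK (other flags omitted)
    direction: str    # "out" (inside -> outside) or "in" (outside -> inside)


def stateless_inbound_permit(pkt: Packet) -> bool:
    """Stateless rule set on the outside interface, inbound:
         permit tcp any <inside> established   (ACK set counts as 'established')
         implicit deny
    Only the packet itself is examined; nothing is remembered."""
    return "A" in pkt.flags


class StatefulFilter:
    """Tracks connections opened from inside; permits inbound only as replies."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.table: set = set()

    def permit(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # An inside host sending a bare SYN opens a connection entry.
            if pkt.src.startswith(INSIDE_NET) and "S" in pkt.flags and "A" not in pkt.flags:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True   # outbound is trusted in this model
        # Inbound: must be the reverse of a connection an inside host opened.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.table


def run_scenario() -> dict:
    """Constructed exchange: a real web session plus an ACK-only probe."""
    sf = StatefulFilter()
    syn = Packet("10.1.1.5", 40000, "203.0.113.10", 80, "S", "out")
    synack = Packet("203.0.113.10", 80, "10.1.1.5", 40000, "SA", "in")
    # The attacker never saw a SYN; it sends an ACK-only probe (nmap -sA style)
    probe = Packet("198.51.100.7", 4444, "10.1.1.5", 139, "A", "in")
    sf.permit(syn)
    return {
        "stateless_reply": stateless_inbound_permit(synack),
        "stateless_probe": stateless_inbound_permit(probe),
        "stateful_reply": sf.permit(synack),
        "stateful_probe": sf.permit(probe),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

Run it and the stateless filter lets the crafted ACK-only probe through exactly as it lets the genuine SYN/ACK reply through, while the stateful table denies the probe because no inside host opened that connection. This is why an ACK scan (nmap -sA) can map hosts behind a stateless ACL but not behind a stateful firewall.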

Page 8:

• Application-layer attacks
• Autorooters
• Backdoors
• Denial of service (DoS) and distributed denial of service (DDoS) attacks
• (and many others; see text pp 612-13)

– Note: The underlying reason so many attacks against networks succeed is that when networking in general, and the Internet specifically, were being developed, security was simply not a design requirement.

– Not only the structure of the networks but the applications themselves were created with no thought that they might someday be exploited. For examples, try googling "network security structure" or a similar combination of words.

Page 9:

• The book mentions ASA (Adaptive Security Appliance) products. They are the strongest option, but they run on dedicated (expensive) hardware and are beyond the scope of the CCNA exam.

– Cisco firewalls run their own operating system rather than the router IOS. Some of the hardware and features are:

– Appliances
  • IDS: Intrusion Detection System
  • IPS: Intrusion Prevention System
  – The book rolls the description of both of these into the IDS blurb, so beware: an IDS sits off the traffic path, detects the threat and sends an alert. You need an IPS (inline, able to drop packets) or some other device to actually respond to the intrusion.

– Stateful IOS Firewall Inspection Engine (AKA CBAC, Context-Based Access Control)
  • Lets you use ACLs efficiently to filter traffic, detect intrusions, etc. CBAC watches sessions leaving the network and opens temporary ACL entries for their return traffic, so the inbound ACL no longer needs a blanket "established" permit.
  • (See: PowerPoint on CBAC)

Page 10:

– Firewall Voice Traversal
  • A VoIP feature

– ICMP Inspection
  • An ACL is a blunt instrument, either allowing or denying all ICMP packets (ping, traceroute, etc.). ICMP inspection lets the replies to ICMP requests that originated inside come back in, while unsolicited ICMP from outside is still blocked.

– Authentication Proxy
  • HTTP, HTTPS, FTP and Telnet authentication
  • Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols

Page 11:

Page 12:

• Packets are compared to each line of the access list in sequential order.

• Packets are compared with the lines of the access list only until a match is made.
  – Once a match is made and acted upon, no further comparisons take place!

• An implicit "deny" is at the end of every access list.
  – If no line matches, the packet is discarded.

Page 13:

• Standard access list
  – Filters by source IP address only

• Extended access list
  – Filters by
    • source IP
    • destination IP
    • protocol field
    • port number

• Named access list
  – Functionally the same as standard and extended access lists, but referenced by name instead of number.

Page 14:

• Inbound access lists
  – Packets are processed before being routed to the outbound interface.
  – Any packets that are denied won't be routed, because they are discarded before the routing process.

• Outbound access lists
  – Packets are routed to the outbound interface and then processed through the access list.

Page 15:

• One access list per interface, per protocol, per direction.

• Place the more specific tests at the top of the ACL.
• New lines are appended to the bottom of the ACL.
• Individual lines cannot be removed from a numbered ACL: the no access-list form removes the whole list, so you must start over.
  – So, save your ACLs to a text file; when finished, copy it to the router. If you have to edit the ACL, do it in the text file.

• End ACLs with a permit any command when the list exists to block specific traffic (this keeps you from accidentally cutting off all traffic on an interface, including your own management session). Be aware that this makes the list "deny a few, allow everything else"; an ACL meant to protect a network should permit only what is needed and let the implicit deny catch the rest.

• Create ACLs and then apply them to an interface.
• ACLs do not filter traffic originated by the router itself.
• Put standard ACLs close to the destination (SAD).
• Put extended ACLs close to the source (EAD).

Page 16:

Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <1300-1999>  IP standard access list (expanded range)
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list

These numbers are the ranges reserved for specific types of ACLs. For IP you will use 1-99 (or the expanded range 1300-1999) for standard lists and 100-199 (or 2000-2699) for extended lists; the router decides the list type from the number alone.

Page 17:

• Creating a standard IP access list:
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

• Permit or deny?
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

• Using the host keyword (the same as writing 172.16.30.2 0.0.0.0):
Router(config)#access-list 10 deny host 172.16.30.2

Page 18:

• What are they?
  – Used with access lists to specify a...
    • host
    • network
    • part of a network

• A wildcard mask is a 32-bit quantity divided into four octets, like an IP address or a subnet mask. It is not a subnet mask, but for a contiguous block of addresses it is the bitwise inverse of one (the /24 mask 255.255.255.0 corresponds to the wildcard 0.0.0.255).

• A wildcard mask is always paired with an IP address.
• Wildcards are used when you don't want the ACL to apply to just a single address or to an entire network (or subnet).
• Wildcards let you specify exactly which group of addresses the ACL should apply to.

Page 19:

Block sizes: 64, 32, 16, 8, 4

• Rules:
  – When specifying a range of addresses, choose the closest block size that covers it.
    • For example, if you want to block a range of 12 addresses, choose a block size of 16, provided the 16 numbers cover all 12 of the addresses you want to block (the other 4 are blocked too, so check that nothing in them needs to stay reachable).
  – Each block must start at a multiple of its block size (0, 8, 16, ... for a block of 8).
    • Because of this, the number in the wildcard mask is always one less than the associated block size; e.g., for a block size of 8 in the last octet the wildcard mask would be 0.0.0.7. See the next page for more examples.
  – A '0' in a wildcard octet means that octet must match exactly.
  – A '255' in a wildcard octet means that octet can be any value. (Bit by bit: a 0 bit must match, a 1 bit is "don't care".)
  – The keyword any is the same thing as writing out the address and wildcard:

0.0.0.0 255.255.255.255

Page 20:

(Remember: specify a range of values as a block size.)

Requirement: Block access from the range 172.16.8.0 through 172.16.15.255, i.e. the eight /24 networks 172.16.8.0 to 172.16.15.0 = block size 8 in the third octet.

Network number = 172.16.8.0
Wildcard = 0.0.7.255

**The wildcard is always one less than the block size (8 - 1 = 7 in the third octet; the fourth octet is 255 because every host in those networks is included).
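The block-size rules on the last two slides reduce to a little arithmetic, shown here as an added Python example that is not part of the slides. wildcard_for_block gives the wildcard for a block size in a given octet, matches performs the bitwise test the router applies, and block_for_range finds the smallest aligned block covering a range and reports how many extra addresses it sweeps in, which is the check you want before deploying a rounded-up range such as the 12-addresses-in-a-block-of-16 case. The function names are my own; parsing is done by the standard library ipaddress module.

```python
"""Wildcard-mask helpers for the block-size rules.

Added example, not from the slides. Standard library only.
"""
import ipaddress


def wildcard_for_block(block_size: int, octet: int) -> str:
    """Wildcard covering `block_size` values in octet 1..4, with every lower
    octet fully wild. Block sizes must be powers of two: a block of 8 in
    octet 3 gives 0.0.7.255."""
    if block_size < 1 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    octets = [0, 0, 0, 0]
    octets[octet - 1] = block_size - 1        # one less than the block size
    for i in range(octet, 4):
        octets[i] = 255                        # everything below is "any"
    return ".".join(map(str, octets))


def matches(address: str, network: str, wildcard: str) -> bool:
    """The router's test: every bit where the wildcard is 0 must be equal."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def block_for_range(first: str, last: str) -> tuple:
    """Smallest aligned block (network, wildcard) covering first..last.

    Returns (network, wildcard, extra) where extra is the number of
    addresses outside the requested range that the block also matches.
    The block start is always a multiple of the block size, as the slide
    requires, so the size is doubled until an aligned block fits."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("range reversed")
    size = 1
    while True:
        start = lo - (lo % size)              # align down to the block size
        if start + size - 1 >= hi:
            break
        size *= 2
    return (
        str(ipaddress.IPv4Address(start)),
        str(ipaddress.IPv4Address(size - 1)),  # wildcard = block size - 1
        size - (hi - lo + 1),
    )


if __name__ == "__main__":
    print(wildcard_for_block(8, 3))                          # 0.0.7.255
    print(block_for_range("172.16.8.0", "172.16.15.255"))    # the slide's case
    print(block_for_range("172.16.30.20", "172.16.30.31"))   # 12 hosts -> block of 16
    print(matches("172.16.12.77", "172.16.8.0", "0.0.7.255"))
```

The 12-host case shows why the alignment rule matters: a block of 16 starting at .20 would be illegal, so the block starts at .16 and drags four extra addresses (.16 to .19) into the ACL.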

Page 21:

Lab_A(config)#access-list 10 deny Sales
Lab_A(config)#access-list 10 permit any
Lab_A(config)#interface e1
Lab_A(config-if)#ip access-group 10 out

(Sales stands for the address and wildcard of the Sales network in the figure; the named-ACL example later in this deck uses 172.16.40.0 0.0.0.255 for it. The ip access-group command is entered in interface configuration mode, after selecting the interface.)

Page 22:

Lab_B(config)#access-list 10 deny 192.168.10.128 0.0.0.31
Lab_B(config)#access-list 10 permit any
Lab_B(config)#interface e0
Lab_B(config-if)#ip access-group 10 out

(Wildcard 0.0.0.31 is a block of 32 starting at .128, so this line denies 192.168.10.128 through 192.168.10.159.)

Page 23:

R(config)#access-list 10 deny 172.16.88.0 0.0.7.255
R(config)#access-list 10 deny 172.16.192.0 0.0.63.255
R(config)#access-list 10 deny 172.16.48.0 0.0.15.255
R(config)#access-list 10 deny 172.16.128.0 0.0.31.255
R(config)#access-list 10 permit any
R(config)#interface s0
R(config-if)#ip access-group 10 out

(Each line is a block aligned to its size: 88 is a multiple of 8, 192 of 64, 48 of 16 and 128 of 32. The denied ranges are 172.16.88.0-172.16.95.255, 172.16.192.0-172.16.255.255, 172.16.48.0-172.16.63.255 and 172.16.128.0-172.16.159.255.)

Page 24:

• Why?
  – Without an ACL, any user who can reach the router can Telnet to it via a VTY line and attempt to log in (and Telnet sends the password in cleartext; prefer SSH where the IOS image supports it).

• Controlling access
  – Create a standard IP access list permitting only the host or hosts authorized to Telnet into the router.
  – Apply the ACL to the VTY lines with the access-class command (not ip access-group: access-class filters sessions to the router itself, whichever interface they arrive on, and does not touch transit traffic).

Page 25:

Lab_A(config)#access-list 50 permit 172.16.10.3

Lab_A(config)#line vty 0 4

Lab_A(config-line)#access-class 50 in

(implicit deny)

(In other words, only the host at 172.16.10.3 can Telnet into the router; all other hosts are denied. Apply the access-class to every VTY line the platform has, e.g. line vty 0 15 where sixteen lines exist; otherwise the lines you left out still accept connections from anyone.)

Page 26:

• Extended ACLs let you match on...
  • IP source address
  • IP destination address
  • protocol
  • port number

Page 27:

Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list

Router(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward

Page 28:

Extended IP ACLs
Router(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Router(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

Page 29:

Extended IP ACL steps

#1: Select the access list:
RouterA(config)#access-list 110

#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny

#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp

#4: Choose the source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any

#5: Choose the destination IP address:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2

#6: Choose the type of service, port, and logging:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

Page 30:

Steps (cont.)
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

(continued from previous slide)

Next (second) line in the ACL:

RouterA(config)#access-list 110 permit ip any any

Now place the ACL on an interface, in interface configuration mode, either inbound or outbound (e0 here is just an example; use the interface facing the traffic you want examined):

RouterA(config)#interface e0
RouterA(config-if)#ip access-group 110 in

or

RouterA(config-if)#ip access-group 110 out

(The list blocks Telnet to 172.16.30.2 and permits everything else; the log keyword sends a syslog message for each denied Telnet attempt, which is how you find out who is probing the host. Applying the list inbound on the interface closest to the source drops the denied packets before they are routed.)
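To tie the steps above to the processing rules from page 12 (sequential comparison, first match wins, implicit deny) and the ordering advice from page 15, here is an added Python example that parses the subset of numbered-ACL syntax used in this deck and evaluates packets against it. It is not Cisco code and not from the slides; the parser, the packet structure and the sample packets are constructed for the demonstration. It evaluates ACL 110 from the steps above, the same two lines in the wrong order, and ACL 10 from page 22.

```python
"""First-match IP ACL evaluator for the syntax used in this deck.

Added example, not from the slides. Supported entries (the text after
'access-list <n>'):
  standard:  <permit|deny> any | host A.B.C.D | A.B.C.D [wildcard]
  extended:  <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <port>] [log]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)        # 'any' == 0.0.0.0 255.255.255.255


@dataclass
class Entry:
    action: str
    proto: str               # "ip" for standard lists
    src: Tuple[int, int]     # (network, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]
    log: bool
    text: str


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def _addr_spec(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    net = int(ipaddress.IPv4Address(tok))
    wild = 0
    if tokens and tokens[0][0].isdigit():          # an optional wildcard follows
        wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (net, wild)


def _match(addr: int, spec: Tuple[int, int]) -> bool:
    """Bits where the wildcard is 0 must be equal."""
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def parse_acl(lines: List[str]) -> List[Entry]:
    acl = []
    for line in lines:
        toks = line.split()
        action = toks.pop(0)
        if toks[0] in ("ip", "tcp", "udp", "icmp"):          # extended form
            proto = toks.pop(0)
            src, dst = _addr_spec(toks), _addr_spec(toks)
        else:                                                 # standard form: source only
            proto, src, dst = "ip", _addr_spec(toks), ANY
        dport = None
        if toks and toks[0] == "eq":
            toks.pop(0)
            dport = int(toks.pop(0))
        log = bool(toks) and toks[0] == "log"
        acl.append(Entry(action, proto, src, dst, dport, log, line))
    return acl


def evaluate(acl: List[Entry], pkt: Packet, log_sink: Optional[list] = None) -> str:
    """Walk the list top to bottom; the first matching line decides."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_match(s, e.src) and _match(d, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.log and log_sink is not None:             # constructed syslog stand-in
            log_sink.append(f"list matched: {e.text} {pkt.src}->{pkt.dst}:{pkt.dport}")
        return e.action                                 # no further comparisons
    return "deny"                                       # implicit deny at the end


# ACL 110 from the steps above, the same lines misordered, and ACL 10 from page 22.
ACL_110 = parse_acl(["deny tcp any host 172.16.30.2 eq 23 log", "permit ip any any"])
ACL_110_WRONG = parse_acl(["permit ip any any", "deny tcp any host 172.16.30.2 eq 23 log"])
ACL_10 = parse_acl(["deny 192.168.10.128 0.0.0.31", "permit any"])


def demo() -> dict:
    log: list = []
    telnet = Packet("10.9.9.9", "172.16.30.2", "tcp", 23)      # constructed packets
    web = Packet("10.9.9.9", "172.16.30.2", "tcp", 80)
    return {
        "telnet_right_order": evaluate(ACL_110, telnet, log),
        "web_right_order": evaluate(ACL_110, web, log),
        "telnet_wrong_order": evaluate(ACL_110_WRONG, telnet, log),   # deny line never reached
        "std_denied": evaluate(ACL_10, Packet("192.168.10.150", "1.1.1.1")),
        "std_allowed": evaluate(ACL_10, Packet("192.168.10.160", "1.1.1.1")),
        "implicit_deny": evaluate(parse_acl(["deny host 1.2.3.4"]), Packet("5.6.7.8", "1.1.1.1")),
        "log_lines": len(log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Swapping the two lines of ACL 110 turns the Telnet deny into a dead line: permit ip any any matches first and the specific test is never reached, which is exactly what the "more specific tests at the top" rule prevents. Because the evaluator also records log hits, you can see that only the correctly ordered list ever logged the denied Telnet attempt, and that a list with no permit at all denies everything it does not name.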

Page 31:

Named access lists
• Another way to create standard and extended access lists.
• Allows the use of descriptive names to ease network management.
• Syntax changes:
  – Lab_A(config)#ip access-list standard BlockSales
    » (or: ip access-list extended BlockSales)
  – Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
  – Lab_A(config-std-nacl)#permit any

• Advantages:
  – The IOS does not limit the number of named ACLs that can be configured.
    • Although the number of numbered standard and extended ACLs is no longer 100 each: with the expanded ranges (1300-1999 standard, 2000-2699 extended) this is really no big deal.
  – Named ACLs provide the ability to modify ACLs without deletion and reconfiguration.
    • In older IOS a named list only allowed new statements to be appended at the end, which limited the usefulness of this "advantage". IOS releases with ACL entry sequence numbers (12.3 and later) let you insert a line at any position by prefixing it with a sequence number, and remove a single line with no followed by that sequence number, in both named and numbered lists.

Page 32:

Monitoring IP ACLs: show commands

• Display all access lists and their parameters:
show access-lists

• Show only the parameters for access list 110:
show access-lists 110

• Show only the IP access lists configured:
show ip access-lists

• Show which interfaces have access lists set (look for the "Inbound access list is ..." and "Outgoing access list is ..." lines):
show ip interface

• Show the access lists and which interfaces have them applied:
show running-config

(show access-lists also displays a match counter for each line, which is the quickest way to check that a new ACL is matching what you expect, or that a line has never matched and may be misordered or shadowed by an earlier line.)

Page 33:

The End