sybex ccna 640-802 chapter 12

Upload: xkerberosx

Post on 02-Jun-2018


8/11/2019 Sybex CCNA 640-802 Chapter 12

1/30

Sybex CCNA 640-802
Chapter 12: Security
Instructor & Todd Lammle

2/30

Chapter 1 Objectives

The CCNA topics covered in this chapter include:

Introduction to Security
Types of attacks
Mitigating attacks
Access-lists
  Standard
  Extended
  Named
Monitoring Access-lists

    3/30

    Introduction to Security

4/30

Attacks

Application-layer attacks
Autorooters
Backdoors
Denial of service (DoS) and distributed denial of service (DDoS) attacks
(many others)

5/30

Mitigating Attacks

Appliances: IDS, IPS
Stateful IOS firewall inspection engine
Firewall voice traversal
ICMP inspection
Authentication proxy

6/30

Access Lists

Purpose:

Used to permit or deny packets moving through the router
Permit or deny Telnet (VTY) access to or from a router
Create dial-on-demand routing (DDR) "interesting traffic" that triggers dialing to a remote location

7/30

Important Rules

Packets are compared to each line of the access list in sequential order.
Packets are compared with lines of the access list only until a match is made. Once a match is made and acted upon, no further comparisons take place.
An implicit deny is at the end of each access list. If no matches have been made, the packet will be discarded.

8/30

Types of Access Lists

Standard Access List
Filter by source IP address only

Extended Access List
Filter by source IP, destination IP, protocol field, port number

Named Access List
Functionally the same as standard and extended access lists.

9/30

Application of Access Lists

Inbound Access Lists
Packets are processed before being routed to the outbound interface

Outbound Access Lists
Packets are routed to the outbound interface and then processed through the access list

10/30

ACL Guidelines

One access list per interface, per protocol, per direction
More specific tests at the top of the ACL
New lines are placed at the bottom of the ACL
Individual lines cannot be removed
End ACLs with a permit any command
Create ACLs and then apply them to an interface
ACLs do not filter traffic originated from the router
Put standard ACLs close to the destination
Put extended ACLs close to the source

11/30

Standard IP Access Lists

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list ?
  IP standard access list
  IP extended access list
  IPX SAP access list
  Extended 48-bit MAC address access list
  IPX summary address access list
  Protocol type-code access list
  DECnet access list
  Appletalk access list
  48-bit MAC address access list
  IPX standard access list
  IPX extended access list

12/30

Standard IP Access Lists

Creating a standard IP access list:
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward

Permit or deny?
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address

Using the host command:
Router(config)#access-list 10 deny host 172.16.30.2

13/30

Wildcards

What are they???
Used with access lists to specify a:
  Host
  Network
  Part of a network

14/30

Block Sizes

64 32 16 8 4

Rules:
When specifying a range of addresses, choose the closest block size
Each block size must start at 0
A 0 in a wildcard means that octet must match exactly
A 255 in a wildcard means that octet can be any value
The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255

15/30

Specifying a Range of Subnets

(Remember: specify a range of values in a block size)

Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
Network number = 172.16.8.0
Wildcard = 0.0.7.255

**The wildcard is always one number less than the block size
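To make the block-size and wildcard rules on the last three slides concrete, here is an added Python example (mine, not from the book or the slides) that derives the network/wildcard pair for a run of consecutive /24 subnets such as 172.16.8.0 through 172.16.15.0, rejects ranges that break the block-size rules, and matches addresses the way IOS applies a wildcard (a 0 bit must match, a 1 bit is ignored). The function names are my own.

```python
import ipaddress


def wildcard_for_subnet_range(first_net: str, last_net: str) -> tuple:
    """Derive (network, wildcard) for a run of consecutive /24 subnets.

    Slide rules: the number of subnets is the block size, the block must start
    at a multiple of its size, and the wildcard octet is block size - 1.
    Octets before the block must match exactly (0); octets after it may be
    anything (255).  e.g. 172.16.8.0 .. 172.16.15.0 -> ("172.16.8.0", "0.0.7.255")
    """
    first = ipaddress.IPv4Address(first_net).packed
    last = ipaddress.IPv4Address(last_net).packed
    # The block lives in the first octet that differs (the third octet on the
    # slide); a single subnet keeps the block in octet 3 with size 1.
    pos = next((i for i in range(3) if first[i] != last[i]), 2)
    block = last[pos] - first[pos] + 1
    if block < 1 or block & (block - 1):
        raise ValueError(f"{block} subnets is not a valid block size (must be a power of two)")
    if first[pos] % block:
        raise ValueError(f"a block of {block} must start at a multiple of {block}, not {first[pos]}")
    wildcard = [0] * pos + [block - 1] + [255] * (3 - pos)
    return first_net, ".".join(str(o) for o in wildcard)


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (addr & care) == (net & care)


if __name__ == "__main__":
    net, wc = wildcard_for_subnet_range("172.16.8.0", "172.16.15.0")
    print(f"access-list 10 deny {net} {wc}")  # deny 172.16.8.0 0.0.7.255
    for probe in ("172.16.8.1", "172.16.15.254", "172.16.16.1", "172.16.7.255"):
        print(probe, "matches" if wildcard_match(probe, net, wc) else "does not match")
    # "any" is just the widest wildcard written out
    print(wildcard_match("10.9.8.7", "0.0.0.0", "255.255.255.255"))
```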

    16/30

    Standard ACL Example

    17/30

    Standard ACL example 2

    18/30

    Standard ACL Example 3

19/30

Controlling VTY (Telnet) Access

Why??
Without an ACL, any user can Telnet into the router via VTY and gain access.

Controlling access:
Create a standard IP access list permitting only the host/hosts authorized to Telnet into the router
Apply the ACL to the VTY line with the access-class command

20/30

Example

Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
(implied deny)

21/30

Extended IP Access Lists

Allows you to choose...
IP source address
IP destination address
Protocol
Port number

22/30

Extended IP ACLs

Router(config)#access-list ?
  IP standard access list
  IP extended access list
  IPX SAP access list
  Extended 48-bit MAC address access list
  IPX summary address access list
  Protocol type-code access list
  DECnet access list
  Appletalk access list
  48-bit MAC address access list
  IPX standard access list
  IPX extended access list

Router(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward

23/30

Extended IP ACLs

Router(config)#access-list 110 deny ?
  An IP protocol number
  ahp     Authentication Header Protocol
  eigrp   Cisco's EIGRP routing protocol
  esp     Encapsulation Security Payload
  gre     Cisco's GRE tunneling
  icmp    Internet Control Message Protocol
  igmp    Internet Gateway Message Protocol
  igrp    Cisco's IGRP routing protocol
  ip      Any Internet Protocol
  ipinip  IP in IP tunneling
  nos     KA9Q NOS compatible IP over IP tunneling
  ospf    OSPF routing protocol
  pcp     Payload Compression Protocol
  tcp     Transmission Control Protocol
  udp     User Datagram Protocol

Router(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

24/30

Extended IP ACL Steps

#1: Select the access list:
RouterA(config)#access-list 110

#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny

#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp

#4: Choose the source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any

#5: Choose the destination IP address:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2

#6: Choose the type of service, port, and logging:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log

25/30

Steps (cont.)

RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
RouterA(config-if)#ip access-group 110 in
or
RouterA(config-if)#ip access-group 110 out
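As an added example (mine, not from the book or the slides), the following Python models how IOS walks the extended list above: top-down, first match wins, and an implicit deny when nothing matches. It rebuilds access-list 110 from the slide and also shows the same two lines in the wrong order, where "permit ip any any" matches first and the Telnet deny is never reached. The Entry class, evaluate function and sample packets are my own constructs, and the log line is a simplified stand-in, not the real IOS syslog format.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # the "any" keyword written out as network + wildcard


def host(ip: str) -> tuple:
    return ip, "0.0.0.0"  # the "host" keyword: every bit of the address must match


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every IP protocol; otherwise "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: int = None  # "eq <port>" on the destination, or None when there is no port test
    log: bool = False


def wc_match(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int = None) -> tuple:
    """Walk the list top-down. Returns (action, index of the matching line, log line);
    index and log line are None when the packet reaches the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wc_match(src, e.src, e.src_wc) and wc_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        # Simplified stand-in for the "log" keyword; not the real IOS syslog format
        log = f"line {i + 1}: {e.action} {proto} {src} -> {dst} port {dport}" if e.log else None
        return e.action, i, log  # first match wins; no further lines are compared
    return "deny", None, None  # implicit deny: nothing matched, the packet is dropped


# The slide's list: access-list 110 deny tcp any host 172.16.30.2 eq 23 log
#                   access-list 110 permit ip any any
ACL_110 = [
    Entry("deny", "tcp", *ANY, *host("172.16.30.2"), dport=23, log=True),
    Entry("permit", "ip", *ANY, *ANY),
]
# Same lines reversed: "permit ip any any" now matches first, so the Telnet deny is dead code
ACL_110_MISORDERED = list(reversed(ACL_110))
```

Constructed packets such as Telnet (TCP/23) to 172.16.30.2 hit line 1 and are denied with a log entry, anything else falls to line 2 and is permitted, and a list containing only the deny line drops all other traffic through the implicit deny.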

26/30

Named Access Lists

Another way to create standard and extended access lists.
Allows the use of descriptive names to ease network management.

Syntax changes:
Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)#permit any

27/30

Turning Off and Configuring Network Services

SNMP
Lab_B(config)#access-list 110 deny udp any any eq snmp

Echo
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers

BootP and Auto-Config
Lab_B(config)#no ip boot server
Lab_B(config)#no service config

More examples: pages 632-635

28/30

Cisco's AutoSecure

R1#auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance
security and any possible side effects, please refer to Cisco.com
for Autosecure documentation.
At any prompt you may enter ? for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: [enter]

Interface        IP-Address  OK? Method Status                Protocol
FastEthernet0/0  10.10.10.1  YES NVRAM  up                    up
Serial0/0        1.1.1.1     YES NVRAM  down                  down
FastEthernet0/1  unassigned  YES NVRAM  administratively down down
Serial0/1        unassigned  YES NVRAM  administratively down down

Enter the interface name that is facing the internet: serial0/0

Securing Management plane services...

29/30

Monitoring IP Access Lists

Display all access lists and their parameters
show access-list

Show only the parameters for access list 110
show access-list 110

Shows only the IP access lists configured
show ip access-list

Shows which interfaces have access lists set
show ip interface

Shows the access lists and which interfaces have access lists set
show running-config

30/30

Written Labs and Review Questions

Open your books and go through all the written labs and the review questions.
Review the answers in class.