Access Control Lists for Threat Mitigation
© 2012 Cisco and/or its affiliates. All rights reserved.
1
Outline
• Lists the benefits of ACLs
• Describes the building blocks and operational framework of ACLs
• Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL
wildcard masks allow for threat mitigation in those environments
• Lists design considerations when deploying ACLs
• Demonstrates the use of Cisco Configuration Professional and the CLI to deploy and verify a threat containment
strategy using ACLs
• Demonstrates the use of Cisco Configuration Professional and the CLI to correlate ACL log and alarm information in
order to monitor their impact and effectiveness
• Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control
• Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences with IPv4 ACLs
ACL Fundamentals
• ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world.
• ACLs filter network traffic in both directions by controlling whether to forward or block packets at the router interfaces, based on the criteria that you specify within the ACLs.
• ACL criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.
Filtering Host B Traffic Ingress Using an ACL
The ACL permits Host A to access the Human Resources network but prevents Host B from accessing it.
Using ACLs to mitigate many threats
• IP address spoofing (inbound)
• IP address spoofing (outbound)
• DoS TCP SYN attacks (blocking external attacks)
• DoS TCP SYN attacks (using TCP intercept)
• DoS Smurf attacks
• Filtering ICMP messages (inbound)
• Filtering ICMP messages (outbound)
• Filtering traceroute
ACL Operation
ACLs operate in two ways:
• Inbound: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is
efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the
filtering tests. If the packet is permitted by the tests, it is then processed for routing.
• Outbound: Packets arriving on the inside interface are routed to the outbound interface, and then they are
processed through the outbound ACL.
Outbound ACL Operation
Top-Down Process of Tests: Deny or Permit
Types of IP ACLs
Cisco routers support two types of IP ACLs:
• Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed. The result either
permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.
• Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check
for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.
The two general methods you can use to create ACLs are as follows:
• Numbered ACLs: Use a number for identification.
• Named ACLs: Use an alphanumeric string for identification.
ACL Wildcard Bits
• Wildcard mask bit 0: Match the corresponding bit value in the address.
• Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.
Example: Wildcard Masking Process for IP Subnets
Wildcard Bits to Match IP Subnets 172.30.16.0 to 172.30.31.0
Router(config)# access-list 1 deny 172.30.16.0 0.0.15.255
Example: Wildcard Masking Process with a Single IP Address and with a Match Any IP Address
Wildcard Masking Process with a Single IP Address
Router(config)# access-list 2 permit 172.30.16.29 0.0.0.0
• Equivalent: Router(config)# access-list 2 permit host 172.30.16.29
Wildcard Masking Process with a Match Any IP Address
Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255
• Equivalent: Router(config)# access-list 2 permit any
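The wildcard-mask rules from the two slides above, worked through as an added example (this is not Cisco code and not part of the original deck). It shows what a base/wildcard pair such as 172.30.16.0 0.0.15.255 actually covers, the host and any equivalences, and, going one step beyond the slides, the conversion between a CIDR/VLSM summary block and the wildcard an ACE needs, plus the alignment check that catches a base address with bits set under the wildcard's ignore bits. All function names (`wildcard_match`, `covered_range`, `is_contiguous`, `is_aligned`, `prefix_to_wildcard`, `wildcard_to_prefix`) are chosen here.

```python
"""Wildcard-mask arithmetic for Cisco ACLs (added example, not Cisco code)."""
from ipaddress import IPv4Address, IPv4Network

MASK32 = 0xFFFFFFFF


def _i(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL test: under a wildcard 0-bit the address bit must equal the base bit;
    under a wildcard 1-bit the address bit is ignored."""
    keep = ~_i(wildcard) & MASK32              # 1 where the bit is checked
    return _i(addr) & keep == _i(base) & keep


def covered_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by base/wildcard (for contiguous wildcards)."""
    keep = ~_i(wildcard) & MASK32
    low = _i(base) & keep
    high = low | _i(wildcard)
    return str(IPv4Address(low)), str(IPv4Address(high))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 0s followed by 1s, i.e. an inverted subnet mask."""
    w = _i(wildcard)
    return (w + 1) & w == 0                    # 0b0..01..1 plus one is a power of two


def is_aligned(base: str, wildcard: str) -> bool:
    """True when no ignored bit is set in the base. A misaligned base (e.g.
    172.30.17.0 0.0.15.255) does not cover what its author wrote; the ignored
    bits are simply not tested, so the ACE behaves as if the base were 172.30.16.0."""
    return _i(base) & _i(wildcard) == 0


def prefix_to_wildcard(network: str) -> tuple:
    """CIDR/VLSM summary block -> (base, wildcard) pair for an ACE."""
    net = IPv4Network(network, strict=True)
    return str(net.network_address), str(net.hostmask)


def wildcard_to_prefix(base: str, wildcard: str) -> str:
    """(base, wildcard) pair -> CIDR block; only contiguous wildcards have one."""
    if not is_contiguous(wildcard):
        raise ValueError("non-contiguous wildcard has no single CIDR equivalent")
    low, _ = covered_range(base, wildcard)
    return f"{low}/{32 - _i(wildcard).bit_length()}"


if __name__ == "__main__":
    # access-list 1 deny 172.30.16.0 0.0.15.255 -> subnets 172.30.16.0 .. 172.30.31.0
    print(covered_range("172.30.16.0", "0.0.15.255"))        # ('172.30.16.0', '172.30.31.255')
    print(wildcard_to_prefix("172.30.16.0", "0.0.15.255"))   # 172.30.16.0/20
    # host 172.30.16.29 == 172.30.16.29 0.0.0.0 ; any == 0.0.0.0 255.255.255.255
    print(wildcard_match("172.30.16.29", "172.30.16.29", "0.0.0.0"))
    print(wildcard_match("192.0.2.1", "0.0.0.0", "255.255.255.255"))
    print(is_aligned("172.30.17.0", "0.0.15.255"))           # False: ignored bit set in base
```

`is_aligned` is the check worth running on every summarized deny or permit before it goes on a device: an ACE whose base has bits set under the wildcard's ignore bits still installs, but it matches the aligned block, not the one written in the change ticket.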
Numbered Standard ACL Configuration Procedure
Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet
r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
r1(config)# access-list 1 permit any
(implicit deny all: access-list 1 deny 0.0.0.0 255.255.255.255)
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 1 out
ACL with vty Access
Router(config-line)# access-class access-list-number {in | out}
Example:
R1(config)# access-list 12 permit 192.168.1.0 0.0.0.255
!
R1(config)# line vty 0 4
R1(config-line)# access-class 12 in
Numbered Extended IPv4 ACL
Well-Known Port Numbers and IP Protocols
Command for a Numbered Extended ACL
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Router(config-if)# ip access-group access-list-number {in | out}
Numbered Extended IPv4 ACL Example
r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
r1(config)# access-list 101 permit ip any any
(implicit deny all: access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 101 out
Using the established Keyword
Router(config)# access-list 102 permit tcp any host 200.1.1.2 established
Router(config)# access-list 102 permit tcp any host 200.1.1.2 eq smtp
Router(config)# interface serial 0
Router(config-if)# ip access-group 102 in
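The top-down test described on the "Top-Down Process of Tests" slide, applied to the numbered standard ACL 1, the extended ACL 101 and the established example (ACL 102) above, as an added example that is not Cisco code and not part of the deck. It parses the `access-list` lines exactly as typed on the slides (the CLI prompt is skipped), evaluates a packet against the entries in order, falls through to the implicit deny all, and models `established` as matching only TCP segments with ACK or RST set. `Packet`, `Ace`, `parse_ace`, `evaluate` and `load` are names chosen here; only the `eq` port operator and the port names used on the slides are modelled.

```python
"""First-match evaluation of Cisco-style numbered IP ACLs (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = (0, 0xFFFFFFFF)                       # 0.0.0.0 255.255.255.255
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()          # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass
class Ace:
    action: str                             # "permit" or "deny"
    proto: str
    src: tuple                              # (base, wildcard) as integers
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool


def _addr_match(addr: str, base_wild: tuple) -> bool:
    """Wildcard test: bits under a wildcard 0 must equal the base, bits under 1 are ignored."""
    base, wild = base_wild
    return (int(IPv4Address(addr)) & ~wild) == (base & ~wild)


def _take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (int(IPv4Address(tokens.pop(0))), 0)
    base = int(IPv4Address(tok))
    # A standard ACL may omit the wildcard, which then defaults to 0.0.0.0.
    wild = int(IPv4Address(tokens.pop(0))) if tokens and tokens[0][0].isdigit() else 0
    return (base & ~wild & 0xFFFFFFFF, wild)   # ignored bits of the base are zeroed


def _take_port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq <port>' operator (only 'eq' is modelled here)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} ...' line; a CLI prompt in front is ignored."""
    tokens = line.split()
    tokens = tokens[tokens.index("access-list") + 2:]      # drop 'access-list N'
    action = tokens.pop(0)
    if tokens[0] in PROTOCOLS:                             # extended: protocol, src, dst
        proto = tokens.pop(0)
        src, sport = _take_addr(tokens), _take_port(tokens)
        dst, dport = _take_addr(tokens), _take_port(tokens)
    else:                                                  # standard: source only
        proto, src, sport, dst, dport = "ip", _take_addr(tokens), None, ANY, None
    return Ace(action, proto, src, sport, dst, dport, "established" in tokens)


def evaluate(acl: list, pkt: Packet) -> str:
    """Top-down test: the first matching ACE decides; no match hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
            continue
        if ace.sport is not None and pkt.sport != ace.sport:
            continue
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        # 'established' matches only TCP segments with ACK or RST set, i.e. traffic
        # belonging to a session already opened; a fresh SYN does not match it.
        if ace.established and not ({"ACK", "RST"} & pkt.flags):
            continue
        return ace.action
    return "deny"                                           # implicit deny all


def load(lines: list) -> list:
    return [parse_ace(line) for line in lines]


# ACLs as typed on the slides.
ACL_101 = load([
    "r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "r1(config)# access-list 101 permit ip any any",
])
ACL_102 = load([
    "Router(config)# access-list 102 permit tcp any host 200.1.1.2 established",
    "Router(config)# access-list 102 permit tcp any host 200.1.1.2 eq smtp",
])

if __name__ == "__main__":
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    print(evaluate(ACL_101, Packet("172.16.4.10", "172.16.3.5", "tcp", 40000, 21, syn)))  # deny
    print(evaluate(ACL_101, Packet("172.16.4.10", "172.16.3.5", "tcp", 40001, 80, syn)))  # permit
    print(evaluate(ACL_102, Packet("198.51.100.7", "200.1.1.2", "tcp", 5000, 80, syn)))   # deny
    print(evaluate(ACL_102, Packet("198.51.100.7", "200.1.1.2", "tcp", 80, 5000, ack)))   # permit
```

Two things the run makes visible that the slides only state: the order of the entries matters (a `permit ip any any` placed first would make the two deny lines of ACL 101 dead), and on ACL 102 an inbound SYN to anything but port 25 is dropped by the implicit deny while the ACK-carrying replies to sessions opened from inside are let through.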
Enhancing ACLs with Object Groups
The benefits of using object groups for ACLs include the following:
• Increased performance when network traffic is heavy.
• Reduced storage in NVRAM compared to conventional ACLs.
• Separate ownership of the components of an ACE. For example, you can create an ACE where each department
within an organization can control its group membership. You can also create an ACE to permit or deny the
departments to contact each other.
• The ability to create an object group that contains other object groups. For example, you can create an ENG-ALL
address group, which contains the ENG-EAST and ENG-WEST address groups.
Example of an ACL Without Object Group
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq ftp
Example of an ACL Using Object Groups
object-group network SOURCES
 host 10.6.252.65
 host 10.6.252.66
object-group network DESTINATIONS
 host 171.8.2.12
 host 171.8.2.13
object-group service APPLICATIONS
 tcp www
 tcp ftp
access-list 100 deny object-group APPLICATIONS object-group SOURCES object-group DESTINATIONS
Network object groups
The following components can be modularized in network object groups:
• Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (specified using the any command)
• Host IP addresses
• Hostnames
• Other network object groups
• Ranges of IP addresses
• Subnets
Service object groups
The following components can be modularized in service object groups:
• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
• ICMP types (such as echo, echo-reply, or host-unreachable)
• Top-level protocols (such as TCP, UDP, or Encapsulating Security Payload [ESP])
• Other service object groups
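To make the equivalence between the two ACL 100 slides concrete, and to cover the member types the network and service object group slides list (hosts, subnets, ranges, ICMP types, nested groups), here is an added example that is not Cisco code and not part of the deck. It reads object-group members as typed under the object-group prompt and flattens one object-group ACE into the plain `access-list` lines it stands for. SOURCES, DESTINATIONS and APPLICATIONS are taken from the slides; the memberships of ENG-EAST, ENG-WEST and ENG-ALL and the PROBES group are constructed here to exercise subnets, ranges and nesting, and `expand_network`, `expand_service` and `expand_ace` are names chosen here. Listing a range as individual hosts is this example's way of producing plain ACEs, not a statement about how a device stores it.

```python
"""Expanding object-group ACEs into conventional ACEs (added example, not Cisco code)."""
from ipaddress import IPv4Address
from itertools import product

# Group name -> member lines. SOURCES/DESTINATIONS/APPLICATIONS are from the slides;
# the ENG-* memberships and PROBES are constructed to show subnets, ranges and nesting.
NETWORK_GROUPS = {
    "SOURCES": ["host 10.6.252.65", "host 10.6.252.66"],
    "DESTINATIONS": ["host 171.8.2.12", "host 171.8.2.13"],
    "ENG-EAST": ["10.1.0.0 255.255.0.0"],             # subnet: network + subnet mask
    "ENG-WEST": ["range 10.2.0.1 10.2.0.4"],          # range of addresses
    "ENG-ALL": ["group-object ENG-EAST", "group-object ENG-WEST"],   # nested groups
}
SERVICE_GROUPS = {
    "APPLICATIONS": ["tcp www", "tcp ftp"],
    "PROBES": ["icmp echo", "group-object APPLICATIONS"],          # ICMP type + nesting
}


def expand_network(name: str) -> list:
    """ACE address forms ('host A', 'A WILDCARD', 'any') that a network group stands for."""
    out = []
    for member in NETWORK_GROUPS[name]:
        tok = member.split()
        if tok[0] == "host":
            out.append(f"host {tok[1]}")
        elif tok[0] == "any":
            out.append("any")
        elif tok[0] == "range":
            # A plain ACE has no address range, so this example lists each host.
            lo, hi = int(IPv4Address(tok[1])), int(IPv4Address(tok[2]))
            out += [f"host {IPv4Address(i)}" for i in range(lo, hi + 1)]
        elif tok[0] == "group-object":
            out += expand_network(tok[1])             # recurse into the nested group
        else:
            # Object groups take a subnet mask; an ACE takes its inverse, the wildcard.
            net, mask = tok
            out.append(f"{net} {IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF)}")
    return out


def expand_service(name: str) -> list:
    """(protocol, port-or-ICMP-type-or-None) pairs that a service group stands for."""
    out = []
    for member in SERVICE_GROUPS[name]:
        tok = member.split()
        if tok[0] == "group-object":
            out += expand_service(tok[1])
        else:
            out.append((tok[0], tok[1] if len(tok) > 1 else None))
    return out


def expand_ace(number: int, action: str, service: str, src: str, dst: str) -> list:
    """Flatten 'access-list N ACTION object-group SERVICE object-group SRC object-group DST'."""
    lines = []
    for s, d, (proto, port) in product(expand_network(src), expand_network(dst),
                                       expand_service(service)):
        if port is None:
            tail = ""
        elif proto == "icmp":
            tail = f" {port}"                          # ICMP message type, e.g. echo
        else:
            tail = f" eq {port}"                       # TCP/UDP destination port
        lines.append(f"access-list {number} {action} {proto} {s} {d}{tail}")
    return lines


if __name__ == "__main__":
    # The object-group ACE from the slides expands to the eight plain ACEs of ACL 100.
    for line in expand_ace(100, "deny", "APPLICATIONS", "SOURCES", "DESTINATIONS"):
        print(line)
    print(len(expand_ace(110, "permit", "PROBES", "ENG-ALL", "DESTINATIONS")), "ACEs for the nested groups")
```

Expanding a group ACE this way is also a useful review step: the flattened list is what a reviewer can diff against the policy, and a single membership change in a nested group shows up as every ACE it silently adds or removes.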
ACL Considerations
Before you start to develop any ACLs, consider the following basic rules:
• Base your ACLs on your security policy
• Write it out
• Set up a development system
• Access list comments
• Test