
Knowledge Domain: Routers

Annex: Access Control Lists (ACLs)

Objectives

Explain the differences between standard and extended ACLs
Explain the rules for placement of ACLs
Create and apply named ACLs
Describe the function of firewalls
Use ACLs to restrict virtual terminal access

Introduction

An access control list (ACL) consists of a table that tells a computer operating system (OS) which access rights each user has to a particular system object, such as a file directory or an individual file. Each object has a security attribute that identifies its access control list.

Cisco application view

ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network.

ACL benefits

Limit network traffic and increase network performance.
Provide traffic flow control.
Provide a basic level of security for network access.
Decide which traffic is forwarded or blocked at the router interfaces.
Screen hosts to permit or deny access to a network segment.
Provide access control based on Layer 3 addresses for the IP and IPX protocols.

How an ACL is executed

Decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in that statement. ACL statements operate in sequential, logical order.

A frame entering a router

After checking whether the frame carries a matching Layer 2 address or is a broadcast, the router checks whether an ACL is present on the interface.
If the packet is accepted or there is no ACL: the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
If an ACL exists: the packet is tested against the statements in the list. If the packet matches a statement, it is either accepted or rejected.

ACL range for each protocol

ACLs can be created for all routed network protocols, such as IP and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet.

ACL range for each protocol

Each ACL must have a unique identification number assigned to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list.

How Access Lists work

ACL configuration

Step 1: Router(config)#access-list access-list-number {permit | deny} {test-condition}
Step 2: Router(config)#{protocol} access-group access-list-number
An ACL containing numbered ACL statements cannot be altered. It must be deleted by using the no access-list list-number command and then recreated.

ACL configuration: permit ACL line with L3 information only

If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked and the packet is permitted.
If a packet's L3 information does not match the L3 information in the ACL line, the next ACL entry is processed.
If a packet's FO > 0, the packet is permitted.
Else, the next ACL entry is processed.

ACL configuration example

1. Router(config)#access-list 6 deny 172.13.0.0 0.0.255.255
2. Router(config)#access-list 6 permit 172.0.0.0 0.255.255.255
3. Router(config)#interface e0
4. Router(config-if)#ip access-group 6 in
If we want to delete or modify the ACL:
Router(config)#no access-list 6

Wildcard Mask

Wildcard masking for IP address bits uses the number 1 and the number 0 to identify how to treat the corresponding IP address bits.
A wildcard mask bit 0 means check the corresponding bit value.
A wildcard mask bit 1 means do not check (ignore) that corresponding bit value.

Wildcard Mask

Wildcard masking for access lists operates differently from an IP subnet mask.
A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked.
A one in a bit position of the access list mask indicates that the corresponding bit in the address is not interesting and can be ignored.

Wildcard Mask

An administrator wants to test an IP address for subnets that will be permitted or denied. Assume the IP address is Class B (the first two octets are the network number) with eight bits of subnetting (the third octet is for subnets). The administrator wants to use IP wildcard masking bits to match subnets 172.30.16.0 to 172.30.31.0.

Wildcard Mask

By carefully setting wildcard masks, an administrator can select single or several IP addresses for permit or deny tests. Refer to the example in the graphic.

Wildcard Mask Application

Any, Host: Optional Format

The any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask. This option will match any address that it is compared against.
The host option substitutes 0.0.0.0 for the mask. This mask requires that all bits of the ACL address and the packet address match. This option will match just one address.
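The wildcard-mask rules above, the any/host shorthands and the first-match-wins behaviour of the access-list 6 example, worked through in code. This is an added example written for this annex, not material from the original slides; the function names and the addresses fed in (including the 172.30.16.0 to 172.30.31.255 block from the wildcard slides) are constructed for illustration.

```python
import ipaddress

def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the corresponding address bit must match;
    wildcard bit 1 = ignore that bit (the inverse of a subnet mask)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_addr) & care) == (to_int(acl_addr) & care)

def wildcard_for_block(first: str, last: str) -> str:
    """Wildcard that selects an aligned, contiguous block of addresses:
    the bits that differ between first and last are the 'ignore' bits,
    e.g. 172.30.16.0 .. 172.30.31.255 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(to_int(first) ^ to_int(last)))

# 'any' is shorthand for 0.0.0.0 255.255.255.255 and 'host X' for X 0.0.0.0
ANY = ("0.0.0.0", "255.255.255.255")

def host(addr: str):
    return (addr, "0.0.0.0")

def evaluate_standard_acl(entries, packet_src: str) -> str:
    """Standard ACL: entries are tested top-down against the source address
    only; the first match decides. A packet that matches no entry hits the
    implicit 'deny any' at the end of every IOS access list."""
    for action, acl_addr, wildcard in entries:
        if wildcard_match(packet_src, acl_addr, wildcard):
            return action
    return "deny"  # implicit deny

# Constructed input: the slide's access-list 6 (deny 172.13.0.0/16, then permit 172.0.0.0/8)
ACL_6 = [
    ("deny",   "172.13.0.0", "0.0.255.255"),
    ("permit", "172.0.0.0",  "0.255.255.255"),
]

if __name__ == "__main__":
    print(wildcard_for_block("172.30.16.0", "172.30.31.255"))  # 0.0.15.255
    for src in ("172.13.5.9", "172.200.1.1", "10.1.1.1"):
        print(src, evaluate_standard_acl(ACL_6, src))
```

Note that 10.1.1.1 is denied even though no line names it: that is the implicit deny that every IOS access list ends with, which is why a list with only deny entries blocks everything.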

Verifying the ACL configuration

show access-lists command: displays the access list configuration

Verifying the ACL configuration

show ip interface command: displays the access list interface assignments

Verifying the ACL configuration

show running-config command: displays the configuration output, including access lists and their assignments

Standard ACLs

A standard ACL checks the source address of IP packets that are routed. The ACL will either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. The standard ACL command is as follows:
Router(config)#access-list access-list-number {deny | permit | remark} source [source-wildcard] [log]

Standard ACLs: the remark keyword

The remark keyword makes the access list easier to understand. The purpose of the following entry is not immediately clear:
Router(config)#access-list 1 permit 171.69.2.88
It is much easier to read a remark about the entry to understand its effect, as follows:
Router(config)#access-list 1 remark Permit only Jones workstation through
Router(config)#access-list 1 permit 171.69.2.88

Standard ACLs

To remove a standard ACL, use the no form of the statement. The syntax is as follows:
Router(config)#no access-list access-list-number
The ip access-group command links an existing standard ACL to an interface:
Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

Extended ACLs

Because of the greater range of control they provide, extended ACLs are used more often than standard ACLs. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers, which gives greater flexibility to describe what the ACL will check. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.

Extended ACL statements

Access list number range of 100-199 and 2000-2699
Source and destination IP address
Layer 4 protocol number
Applied to the port closest to the source host

Extended ACL parameters

dynamic: identifies the access list as a dynamic access list
timeout: specifies the absolute length of time
protocol: name or number (0-255) of an Internet protocol
source: number of the network or host from which the packet is being sent (32-bit quantity in four-part dotted-decimal format, or the keyword any or host)
destination: number of the network or host to which the packet is being sent (32-bit quantity in four-part dotted-decimal format, or the keyword any or host)

Extended ACL parameters

source-wildcard: wildcard bits to be applied to the source (32-bit quantity in four-part dotted-decimal format, or the keyword any or host)
destination-wildcard: wildcard bits to be applied to the destination (32-bit quantity in four-part dotted-decimal format, or the keyword any or host)
Other parameters included in extended ACLs: precedence, tos, log, log-input, time-range, icmp-type

Transport and Application layer ports

Named Access List

Creating a named access list.
Modifying a named access list: any additions will be made to the end of the ACL.

Advantages provided by a named access list

Alphanumeric names can be used to identify ACLs.
The IOS does not limit the number of named ACLs that can be configured.
Named ACLs provide the ability to modify ACLs without deletion and reconfiguration.

Placing ACLs

Place extended ACLs as close as possible to the source of the traffic being denied.
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.

Firewall

A firewall is an architectural structure that sits between the user and the outside world to protect the internal network from intruders. ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet. The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.

Restricting virtual terminal access

Access lists can provide additional security for the system by restricting access to the vty lines.
Associate the access list with inbound Telnet sessions:
host1(config)#line vty 12 15
host1(config-line)#access-class Boston in
Configure an access list:
host1(config)#access-list Boston permit any

End of Annex: Access Control Lists (ACL)
