ACLs provide a basic level of security for network access. Without any ACLs configured on a router, all packets pass
through the router and onto the network. ACLs can be configured on a router that is positioned between two parts of the
network to control traffic that is entering or exiting a specific part of the internal network. An ACL on the router, for example,
can allow one host to access a part of the network while, at the same time, preventing another host from accessing that
same area.
https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/2/pages/12 1/5
4/23/2018 Understanding Cisco Cybersecurity Fundamentals
The ACL that is shown in the above figure allows host A to access the human resources network but prevents host B from
accessing the human resources network.
To provide the security benefits of ACLs, at a minimum, configure ACLs at the network perimeter. This configuration
provides a basic buffer from the outside network, or from a less controlled area of the network, onto network segments
requiring more security. On these network edge routers, an ACL should be configured for each network protocol that is
configured on the router interfaces.
• Protocol differentiation at the transport layer: TCP, UDP, ICMP, OSPF, and so on
• When the transport layer is TCP or UDP, source and destination ports can be specified.
• When the transport layer is ICMP, types and codes can be specified.
• When the traffic is TCP, the presence of the ACK bit or the RST bit can be verified. Under normal TCP connection flow,
neither of these bits is ever set in the first packet of a new TCP connection.
Packet filtering is commonly implemented on Cisco IOS routers and switches. ACLs are used to classify packets. ACLs can
be used for various functions on a Cisco IOS router. For example, they can be used to classify which packets are permitted
into a priority queue. They can be used to classify which networks an OSPF process will advertise or which network
advertisements an OSPF process will accept. They can be used to classify which packets will have their forwarding path
specified by a policy-based route.
When an ACL is applied to an interface with the access-group command, it implements a packet filter. Consider the
following ACL, applied inbound on the gi0/1 interface in the topology that is depicted above:
The ACL describes a policy of what is permitted and denied from the user subnet to the server subnet. To be effective, it can
either be applied inbound on the interface connecting to the user subnet or it can be applied outbound to the interface
connected to the server subnet. Some points of interest in this example include:
• Clients on the user subnet are permitted to send packets to TCP ports 80 and 443 on the two web servers on the server
subnet.
• Clients on the user subnet are permitted to send packets to TCP ports 20 and 21 on the FTP server on the server
subnet.
• Standard FTP will function. Clients establish the control channel by connecting to port 21 on the FTP server. When the
client requests a data transfer, it will obtain an ephemeral TCP port from its operating system and convey the appropriate
port to the FTP server. The server will then open a data channel by connecting from TCP port 20 to the specified
ephemeral port on the client. All packets that are sent from the client to the server and that are associated with this data
connection will be sent to TCP port 20.
• Passive FTP will not function. Clients establish the control channel by connecting to port 21 on the FTP server. When the
client requests a data transfer, it specifies the request as passive. The server application then requests an ephemeral
port from its operating system and communicates the port to the client. The client then initiates the data channel by
connecting to the ephemeral port on the server. This connection would not be allowed by the ACL as written, which is a
single example of the difficulty packet filters have in handling protocols which use dynamically negotiated connections.
• No connections are allowed from the user subnet to the SQL server. The SQL server is there to provide real-time data to
be presented by the web servers. Access to the data must be through the interface that is provided by the web servers.
The SQL server is largely protected from the user subnet.
• There is an explicit deny for all other packets as the last entry in the ACL. While this line is not required to deny all
packets that were not matched by earlier entries, it does serve two purposes. First, hit counters are maintained for each
line in the ACL. The administrator can use the show access-list 100 command to view the ACL and each entry’s hit
count. Without the explicit deny, there would be no record of the number of packets that were denied by the ACL. Also,
the explicit deny uses the log argument, which will cause the generation of syslog messages that are associated with
the denies, which can facilitate central audit trails of rejected traffic. Unfortunately, ACL logging can be CPU intensive
and can negatively affect other functions of the network device. It should therefore be used with discretion.
Note
By default, there is an implicit deny ip any any entry at the end of every ACL. Anything that is not explicitly
permitted is denied.
The ip access-group command is then used to apply the access list to an interface.
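The following is an added Python model of the packet-filter semantics described above (first match wins, per-entry hit counters, the implicit deny, and the ACK/RST check behind the IOS established keyword); it is not course material, and the subnet and server addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed topology (assumed addresses, not taken from the course figure).
USER_SUBNET, ANY = "10.1.1.0/24", "0.0.0.0/0"
WEB1, WEB2, FTP, SQL = "10.2.2.10", "10.2.2.11", "10.2.2.20", "10.2.2.30"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    ack: bool = False   # TCP flags: neither is set on the first packet of a new connection
    rst: bool = False

@dataclass
class ACE:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str            # prefix, or a bare host address (treated as /32)
    dst: str
    dports: tuple = ()  # empty = any destination port
    established: bool = False   # IOS "established": match only if ACK or RST is set
    hits: int = 0       # per-entry counter, as displayed by "show access-list"

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src) or ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return not self.established or p.ack or p.rst

# Extended ACL 100 modelled on the policy described above, applied inbound on the
# user-facing interface: web on 80/443, FTP on 20/21, nothing to the SQL server.
ACL_100 = [
    ACE("permit", "tcp", USER_SUBNET, WEB1, (80, 443)),
    ACE("permit", "tcp", USER_SUBNET, WEB2, (80, 443)),
    ACE("permit", "tcp", USER_SUBNET, FTP, (20, 21)),
    ACE("deny", "ip", ANY, ANY),   # explicit deny: adds a hit counter (and log) to what is implicit anyway
]

def evaluate(acl, p):
    """First matching entry wins; no match at all means the implicit deny ip any any."""
    for ace in acl:
        if ace.matches(p):
            ace.hits += 1
            return ace.action
    return "deny"
```

Running the active-mode and passive-mode FTP data channels through evaluate() reproduces the two FTP bullets above: the client-to-port-20 packets are permitted, the client-to-ephemeral-port connection is not.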
A primary focus of security analysts is to investigate ACL-related logs in order to identify or correlate attacks on the network.
It is also beneficial if a security analyst can assist the network administrators in troubleshooting or fixing certain issues
by looking at the logs.
Mar 30 2016 11:41:48.681 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59078)
Take a sample scenario where there is a complaint that the hosts on the 172.16.1.0/24 subnet cannot access the
192.168.2.1 Internal web server. For example, the above denied tcp log message indicates the connection from the source
IP address, 172.16.1.92, to the destination IP address, 192.168.2.1 on TCP port 80, is denied.
With the basic knowledge of the access control list, a security analyst can quickly verify the ACL configuration regarding the
192.168.2.1 web server and the hosts on the 172.16.1.0/24 subnet. In this case, if it is not intended to deny the traffic from
the hosts on the 172.16.1.0/24 subnet to the 192.168.2.1 web server on TCP port 80, and it looks to be a configuration
issue, the security analyst can report the findings to the network administrator.
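As an added example (not part of the course), the parser below pulls the fields out of %SEC-6-IPACCESSLOGP messages in the format shown above and aggregates denied flows, so an analyst can answer the complaint in the scenario ("which hosts on 172.16.1.0/24 are being denied to 192.168.2.1 on TCP port 80?") from a syslog export; the sample log lines are constructed, not captured from a device.

```python
import re
from collections import Counter

# IOS %SEC-6-IPACCESSLOGP format as shown on the page (timestamp, list number, action,
# protocol, src(port) -> dst(port), packet count). ICMP uses a different message and is ignored here.
LOGP = re.compile(
    r"(?P<ts>\w{3} \d{1,2} \d{4} [\d:.]+ \w+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample lines (not real device output): two hosts on 172.16.1.0/24 denied
# to the web server, one unrelated DNS deny, and a non-ACL syslog line as noise.
SAMPLE_LOG = """\
Mar 30 2016 11:41:48.681 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59078) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:41:53.102 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59079) -> 192.168.2.1(80), 3 packets
Mar 30 2016 11:42:10.417 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.17(51200) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:42:12.900 EDT: %SEC-6-IPACCESSLOGP: list 185 denied udp 172.16.1.17(51201) -> 192.168.2.53(53), 1 packet
Mar 30 2016 11:42:15.000 EDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

def parse_acl_log(text):
    """Return one dict of named fields per IPACCESSLOGP line; other lines are skipped."""
    return [m.groupdict() for m in (LOGP.match(line) for line in text.splitlines()) if m]

def denied_flows(entries):
    """Aggregate denied packet counts by (source host, destination host, protocol, dport)."""
    flows = Counter()
    for e in entries:
        if e["action"] == "denied":
            flows[(e["src"], e["dst"], e["proto"], int(e["dport"]))] += int(e["count"])
    return flows

def hosts_denied_to(entries, dst, proto, dport):
    """Distinct source hosts whose traffic to dst/proto/dport was denied."""
    return sorted({e["src"] for e in entries if e["action"] == "denied"
                   and e["dst"] == dst and e["proto"] == proto and int(e["dport"]) == dport})
```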
In an ACL, if a traffic flow is not explicitly permitted, what will be the result for the traffic flow once it has been tested
against all the access control entries in the list without a match?
Which one of the following commands is required on an interface in order to apply an ACL as a packet filter?
access-class
ip access-group
ip access-list