FNS10 Mod03

For review only.
Please do not distribute

DRAFT May 2003. All rights reserved.
© 2003, Cisco Systems, Inc. All rights

© 2003,
reserved.
Cisco Systems, Inc. All rights reserved. FNS 1.0—3-11
Module 3
ACLs and CBAC
© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-2

Learning Objectives
For review only. Please do not distribute

• Describe the process of creating, applying,

editing and troubleshooting ACLs
• Understand the types of ACLs
• Understand how CBAC works
• Configure, apply and test CBAC
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-3

Overview

This module will discuss, in greater detail, how

routers are utilized to secure a network through
the use of Access Control Lists (ACLs) and
Context-based Access Control (CBAC).

Key terms

• CBAC
• Turbo ACLs
• Lock and Key ACLs
• Authentication Proxy
• PAM

Access Control Lists

Identifying Access Lists
Cisco routers can identify access lists using two

methods:

• Access list number (All IOS versions)—The number of

the access list determines what protocol it is filtering:
– (1-99) and (1300-1399)—Standard IP access lists.
– (100-199) and (2000-2699)—Extended IP access lists.
– (800-899)—Standard IPX access lists.
• Access list name (IOS versions > 11.2)—You provide
the name of the access list:
– Names contain alphanumeric characters.
– Names cannot contain spaces or punctuation and must
begin with a alphabetic character.

Basic Types of IP Access Lists
Cisco routers support two basic types of IP
access lists:

• Standard—Filter IP packets based on the source

address only.
• Extended—Filter IP packets based on several
attributes, including:
– Protocol type.
– Source and destination IP addresses.
– Source and destination TCP/UDP ports.
– ICMP and IGMP message types.

Standard Numbered Access List
Format
Router(config)#

access-list access-list-number {deny | permit}

source [source-wildcard]
Austin2(config)# access-list 2 permit 36.48.0.3

Austin2(config)# access-list 2 deny 36.48.0.0
0.0.255.255
Austin2(config)# access-list 2 permit 36.0.0.0
0.255.255.255
Austin2(config)# interface e0/1
Austin2(config-if)# ip access-group 2 in

Standard Named Access List Format
Router(config)#

ip access-list standard access-list-name

Router(config-std-nacl)#
{deny | permit} source [source-wildcard]
Austin2(config)# ip access-list standard protect

Austin2(config-std-nacl)# deny 36.48.0.0
0.0.255.255
Austin2(config-std-nacl)# permit 36.0.0.0
0.255.255.255
Austin2(config)# exit

Extended Numbered Access List
Format
Miami SMTP
e0/0 128.88.1.0 host
Internet

128.88.3.0 128.88.1.2
Router(config)#
access-list access-list-number {deny | permit}
{protocol-number | protocol-keyword}{source
source-wildcard | any | host} {source-port}
{destination destination-wildcard | any | host}
{destination-port} [established][log | log-input]
Miami(config)# access-list 103 permit tcp any
128.88.0.0 0.0.255.255 established
Miami(config)# access-list 103 permit tcp any host
128.88.1.2 eq smtp
Miami(config)# interface e0/0
Miami(config-if)# ip access-group 103 in
Extended Named Access List Format
Router(config)#
ip access-list extended access-list-name

Router(config-ext-nacl)#
{deny | permit} {protocol-number | protocol-
keyword} {source source-wildcard | any | host}
{source-port} {destination destination-wildcard
| any | host} {destination-port}
[established][log | log-input]
Miami(config)# ip access-list extended mailblock
Miami(config-ext-nacl)# permit tcp any
128.88.0.0 0.0.255.255 established
Miami(config-ext-nacl)# permit tcp any host
128.88.1.2 eq smtp
Miami(config-ext-nacl)# exit

Commenting IP Access-List Entries
Router(config)#

remark message
Miami(config)# access-list 102 remark Allow

traffic to file server
Miami(config)# access-list 102 permit ip any
host 128.88.1.6

Basic Rules for Developing Access
Lists
Here are some basic rules you should follow when

developing access lists:

• Rule #1—Write it out!

– Get a piece of paper and write out what you want this access list
to accomplish.
– This is the time to think about potential problems.
• Rule #2—Setup a development system.
– Allows you to copy and paste statements easily.
– Allows you to develop a library of access lists.
– Store the files as ASCII text files.
• Rule #3—Apply access list to a router and test.
– If at all possible, run your access lists in a test environment
before placing them into production.

Access List Directional Filtering
Austin1

s0/0 e0/0
Internet
e0/1
Inbound Outbound
• Inbound—Data flows toward router interface.

• Outbound—Data flows away from router interface.

Applying Access Lists to Interfaces
Router(config)#
ip access-group {access-list-number | access-

list-name} {in | out}
Tulsa(config)# interface e0/1

Tulsa(config-if)# ip access-group 2 in
Tulsa(config-if)# exit
Tulsa(config)# interface e0/2
Tulsa(config-if)# ip access-group mailblock out

Displaying Access Lists
Router#
show access-lists {access-list-number | access-

list-name}
Miami# show access-lists
Extended IP access list 102
permit ip any host 128.88.1.6
Extended IP access list mailblock
permit tcp any 128.88.0.0 0.0.255.255
established
Miami#

Enable Turbo ACLs
R2

e0/0 e0/1 Remote access LAN 16.2.1.0/24

16.1.1.2 16.2.1.1
Router(config)#
access-list compiled
Router#
show access-list compiled
R2(config)# access-list compiled
R2(config)# exit
R2# show access-list compiled

Enhanced Access Lists
Cisco routers support several enhanced types of

access lists:

• Dynamic (Lock and Key)—Create dynamic entries.

• Time-Based—Access lists whose statements
become active based upon the time of day and/or
day of the week.
• Reflexive—Create dynamic openings on the
untrusted side of a router based on sessions
originating from a trusted side of the router.
• Context-Based Access Control (CBAC)—Allows for
secure handling of multi-channel connections
based on upper layer information.
Types of IP ACLs

Context-based Access Control
(CBAC)

CBAC
• Packets are inspected entering the firewall by CBAC if they

are not specifically denied by an ACL.

• CBAC permits or denies specified TCP and UDP traffic

through a firewall.
• A state table is maintained with session information.
• ACLs are dynamically created or deleted.
• CBAC protects against DoS attacks.
TCP
Internet
UDP

Cisco IOS ACLs
• Provide traffic filtering by

– Source and destination IP addresses.

– Source and destination ports.
• Can be used to implement a filtering firewall
– Ports are opened permanently to allow traffic,
creating a security vulnerability.
– Do not work with applications that negotiate
ports dynamically.

FNS 1.0—3-24
How CBAC Works
© 2003, Cisco Systems, Inc. All rights reserved.

How CBAC Works (Cont)


Supported Protocols
• TCP (single channel) • Java

• UDP (single channel) • SQL*Net

• RPC • RTSP (such as
• FTP RealNetworks)
• TFTP • H.323 (such as NetMeeting,
ProShare, CUSeeMe)
• UNIX R-commands (such
as rlogin, rexec, and rsh) • Other multimedia
• SMTP – Microsoft NetShow
• HTTP (Java blocking) – StreamWorks
– VDOLive

Alerts and Audit Trails

• CBAC generates real-time alerts and audit

trails.
• Audit trail features use Syslog to track all
network transactions.
• With CBAC inspection rules, you can
configure alerts and audit trail information on
a per-application protocol basis.

CBAC Configuration

• Set audit trails and alerts.

• Set global timeouts and thresholds.
• Define Port-to-Application Mapping (PAM).
• Define inspection rules.
• Apply inspection rules and ACLs to
interfaces.
• Test and verify.

Configure CBAC
(Task 1 and 2)

Enable Audit Trail and Alert
Router(config)#

ip inspect audit-trail
• Enables the Syslog server and turns on logging
Router(config)# logging on
Router(config)# logging 10.0.0.3
Router(config)# ip inspect audit-trail
Router(config)#
[no] ip inspect alert-off
• Alert can be turned off

TCP, SYN, and FIN Wait Times

Router(config)#
ip inspect tcp synwait-time seconds
• Specifies the time the Cisco IOS Firewall waits
for a TCP session to reach the established state.
Router(config)#
ip inspect tcp finwait-time seconds
• Specifies the time the Cisco IOS Firewall waits for
a FIN exchange to complete before quitting the
session.

TCP, UDP, and DNS Idle Times
Router(config)#

ip inspect tcp idle-time seconds

ip inspect udp idle-time seconds
• Specifies the time allowed for a TCP or UDP
session with no activity.
Router(config)#
ip inspect dns-timeout seconds
• Specifies the time allowed for a DNS session
with no activity.

Global Half-Opened Connection
Limits
Router(config)#

ip inspect max-incomplete high number

• Defines the number of existing halfopened sessions
that cause the software to start deleting halfopened
sessions (aggressive mode).
Router(config)#
ip inspect max-incomplete low number
• Defines the number of existing halfopened sessions
that cause the software to stop deleting halfopened
sessions.

Global Half-Opened Connection Limits (cont.)
Router(config)#

ip inspect one-minute high number

• Defines the number of new halfopened
sessions per minute at which they start being
deleted.
Router(config)#
ip inspect one-minute low number
• Defines the number of new halfopened
sessions per minute at which they stop being
deleted.

Half-Opened Connection Limits
by Host
Router(config)#
ip inspect tcp max-incomplete host number

block-time seconds
• Defines the number of half-opened TCP sessions with the same
host destination address that can exist at a time before the Cisco
IOS Firewall starts deleting half-open sessions to the host.
• After the number of half-opened connections is exceeded to a
given host, the software deletes half-open sessions on that host
in the following manner:
– If block-time is 0, the oldest half-opened session is deleted,
per new connection request, to allow new connections.
– If block-time is greater than 0, all half-opened sessions are
deleted, and new connections to the host are not allowed
during the specified block time.

Port-to-Application Mapping
(Task 3)

Port-to-Application Mapping

• Ability to configure any port number for an

application protocol.
• CBAC uses PAM to determine the
application configured for a port.

User-Defined Port Mapping
Router(config)#

ip port-map appl_name port port_num

• Maps a port number to an application.
Router(config)#
access-list permit acl_num ip_addr
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given host.
Router(config)#
access-list permit acl_num ip_addr wildcard_mask
ip port-map appl_name port port_num list acl_num
• Maps a port number to an application for a given network.

Display PAM Configuration
Router#
show ip port-map

• Shows all port mapping information.

Router#
show ip port-map appl_name
• Shows port mapping information for a given application.
Router#
show ip port-map port port_num
• Shows port mapping information for a given application on a
given port.
Router# sh ip port-map ftp

Default mapping: ftp port 21 system defined
Host specific: ftp port 1000 in list 10 user

Define Inspection Rules
(Task 4)

Inspection Rules for Application
Protocols
Router(config)#

ip inspect name inspection-name protocol [alert {on|

off}] [audit-trail {on|off}] [timeout seconds]
• Defines the application protocols to inspect.
• Will be applied to an interface
– Available protocols: tcp, udp, cuseeme, ftp, http, h323, netshow, rcmd,
realaudio, rpc, smtp, sqlnet, streamworks, tftp, and vdolive.
– alert, audit-trail, and timeout are configurable per protocol and override
global settings.
Router(config)# ip inspect name FWRULE smtp alert on

audit-trail on timeout 300
Router(config)# ip inspect name FWRULE ftp alert on
audit-trail on timeout 300

Inspection Rules for Java
Router(config)#

ip inspect name inspection-name http java-list

acl-num [alert {on|off}] [audit-trail {on|off}]
[timeout seconds]
• Controls java blocking with a standard ACL.
Router(config)# ip inspect name FWRULE http java-list

10 alert on audit-trail on timeout 300
Router(config)# ip access-list 10 deny 172.26.26.0
0.0.0.255
Router(config)# ip access-list 10 permit 172.27.27.0
0.0.0.255

Inspection Rules for RPC Applications
Router(config)#

ip inspect name inspection-name rpc

program-number number [wait-time minutes]
[alert {on|off}] [audit-trail {on|off}]
[timeout seconds]
• Allows given RPC program numbers—waittime keeps the
connection open for a specified number of minutes.
Router(config)# ip inspect name FWRULE rpc

program-number 100022 wait-time 0 alert off
audit-trail on

Inspection Rules for SMTP Applications
Router(config)#

ip inspect name inspection-name smtp [alert

{on|off}] [audit-trail {on|off}] [timeout
seconds]
• Allows only the following legal commands in SMTP
applications: DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT,
RCPT, RSET, SAML, SEND, SOML, and VRFY.
• If disabled, all SMTP commands are allowed through the
firewall, and potential mail server vulnerabilities are exposed.
Router(config)# ip inspect name FWRULE smtp

Inspection Rules for IP Packet
Fragmentation
Router(config)#

ip inspect name inspection-name fragment max

number timeout seconds
• Protects hosts from certain DoS attacks involving fragmented
IP packets
– max—number of unassembled fragmented IP packets.
– timeout—seconds when the unassembled fragmented IP
packets begin to be discarded.
Router(config)# ip inspect name FWRULE

fragment max 254 timeout 4

Inspection Rules and ACLs
Applied to Router Interfaces
(Task 5)

Apply an Inspection Rule to an Interface

Router (config-if)#
ip inspect inspection-name {in | out}
• Applies the named inspection rule to an interface.
Router(config)# interface e0/0

Router(config-if)# ip inspect FWRULE in
• Applies the inspection rule to interface e0/0 in inward direction.

General Rules for Applying Inspection
Rules and ACLs

• Interface where traffic initiates

– Apply ACL on the inward direction that
permits only wanted traffic.
– Apply rule on the inward direction that
inspects wanted traffic.
• All other interfaces
– Apply ACL on the inward direction that denies
all unwanted traffic.

Example—Two Interface Firewall


Outbound Traffic

Router(config)# ip inspect name OUTBOUND tcp

Router(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.
Router(config)# access-list 101 permit ip 10.0.0.0

0.0.0.255 any
Router(config)# access-list 101 deny ip any any
• Permit insideinitiated traffic from the 10.0.0.0 network.

Router(config-if)# ip inspect OUTBOUND in
Router(config-if)# ip access-group 101 in
• Apply an ACL and inspection rule to the inside interface in an
inward direction.
Inbound Traffic

Router(config)# access-list 102 permit icmp any

host 10.0.0.3
Router(config)# access-list 102 permit tcp any
host 10.0.0.3 eq www
• Permit outsideinitiated ICMP and HTTP traffic to host 10.0.0.3.

• Apply an ACL and inspection rule to outside interface in inward
direction.

Example—Three-Interface Firewall


Outbound Traffic

Router(config)# ip inspect name OUTBOUND tcp

Router(config)# ip inspect name OUTBOUND udp
• Configure CBAC to inspect TCP and UDP traffic.
Router(config)# access-list 101 permit ip 10.0.0.0

0.0.0.255 any
• Permit insideinitiated traffic from 10.0.0.0 network.
Router(config-if)# ip inspect OUTBOUND in
• Apply an ACL and inspection rule to the inside interface in an inward
direction.
Inbound Traffic

Router(config)# ip inspect name INBOUND tcp

• Configure CBAC to inspect TCP traffic.
Router(config)# access-list 102 permit icmp any host
172.16.0.2
Router(config)# access-list 102 permit tcp any host
172.16.0.2 eq www
• Permit outsideinitiated ICMP and HTTP traffic to host 172.16.0.2.
• Apply an ACL and inspection rule to the outside interface in an inward
direction.

DMZ-Bound Traffic

Router(config)# access-list 103 permit icmp host 172.16.0.2 any

• Permit only ICMP traffic initiated in the DMZ.
Router(config)# access-list 104 permit icmp any host 172.16.0.2
Router(config)# access-list 104 permit tcp any host 172.16.0.2
eq www
• Permit only outward ICMP and HTTP traffic to host 172.16.0.2.

Router(config-if)# ip access-group 104 out
• Apply proper access lists and an inspection rule to the interface.

Test and Verify
(Task 6)

show Commands
Router#
show ip inspect name inspection-name

show ip inspect config

show ip inspect interfaces
show ip inspect session [detail]
show ip inspect all
• Displays CBAC configurations, interface configurations, and
sessions.
Router# sh ip inspect session
Established Sessions
Session 6155930C (10.0.0.3:35009)=>(172.30.0.50:34233)
tcp SIS_OPEN
Session 6156F0CC (10.0.0.3:35011)=>(172.30.0.50:34234)
tcp SIS_OPEN
Session 6156AF74 (10.0.0.3:35010)=>(172.30.0.50:5002) tcp
SIS_OPEN

debug Commands
Router#
debug ip inspect function-trace

debug ip inspect object-creation

debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
• General debug commands.
Router(config)#
debug ip inspect protocol
• Protocolspecific debug.

Remove CBAC Configuration

Router(config)#
no ip inspect
• Removes entire CBAC configuration.
• Resets all global timeouts and thresholds
to the defaults.
• Deletes all existing sessions.
• Removes all associated dynamic ACLs.

Summary

Summary
• ACLs are used to filter and secure network traffic.

• While ACLs filter network traffic by controlling whether routed or

switched packets are forwarded or blocked at the interface, CBAC is
used to create temporary openings in the firewall access lists.
• The student should understand the six steps required for configuring
CBAC:
– Set audit trails and alerts
– Set global timeouts and thresholds
– Define PAM
– Define inspection rules
– Apply inspection rules and ACLs to interfaces
– Test and verify

© 2003, Cisco Systems, Inc. All rights reserved. 62

FNS10 Mod03

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

FNS10 Mod03

Hochgeladen von

Copyright:

Verfügbare Formate

For review only.

Please do not distribute

© 2003, Cisco Systems, Inc. All rights

© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-2

For review only. Please do not distribute

• Describe the process of creating, applying,

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-3

For review only. Please do not distribute

This module will discuss, in greater detail, how

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-4

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-5

© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-6

Cisco routers can identify access lists using two

For review only. Please do not distribute

• Access list number (All IOS versions)—The number of

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-7

For review only. Please do not distribute

• Standard—Filter IP packets based on the source

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-8

For review only. Please do not distribute

access-list access-list-number {deny | permit}

Austin2(config)# access-list 2 permit 36.48.0.3

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-9

For review only. Please do not distribute

ip access-list standard access-list-name

Austin2(config)# ip access-list standard protect

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-10

For review only. Please do not distribute

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-12

For review only. Please do not distribute

Miami(config)# access-list 102 remark Allow

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-13

Here are some basic rules you should follow when

For review only. Please do not distribute

• Rule #1—Write it out!

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-14

For review only. Please do not distribute

• Inbound—Data flows toward router interface.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-15

For review only. Please do not distribute

list-name} {in | out}

Tulsa(config)# interface e0/1

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-16

For review only. Please do not distribute

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-17

For review only. Please do not distribute

e0/0 e0/1 Remote access LAN 16.2.1.0/24

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-18

Cisco routers support several enhanced types of

For review only. Please do not distribute

• Dynamic (Lock and Key)—Create dynamic entries.

© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-20

© 2003 Cisco Systems, Inc. All rights reserved. FNS 1.0—3-21

• Packets are inspected entering the firewall by CBAC if they

For review only. Please do not distribute

• CBAC permits or denies specified TCP and UDP traffic

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—3-22

• Provide traffic filtering by

For review only. Please do not distribute

– Source and destination IP addresses.