cit 742: network administration and security mohammed a. saleh 1
TRANSCRIPT
CIT 742: Network Administration and Security
Mohammed A. Salehhttp://ifm.ac.tz/staff/msaleh/CIT742.html
1
Access Control Lists Perimeters for security for both small and enterprise
networks include route, firewalls, internal routers, IDs and many more.
If network vulnerabilities are exploited this can cause a major breakdown in a company’s network
Inventions of the internet only considered it to be a robust network, overlooking the security issue related to it as a result a lot has been done to implement security - most IP implementations are insecure
Some security threats include:
2
Cont … Application-layer attacks Rootkits Exploits Backdoors Denial of Service (DoS) and Distributed Denial of Service
(DDoS) attacks TCP SYN flood “Ping of Death” attacks
IP spoofing Man-in-the-middle attacks Network reconnaissance
3
Cont … Packet sniffers Password attacks
Brute-force attack
Port redirection attacks Trojan horse attacks and viruses
4
A typical secured network
5
Using Cisco IOS Firewall Mitigating some of the more common security threats
can be achieved by using the IOS firewall. Features include:
Stateful IOS firewall inspection engine This is your perimeter protection feature Gives your internal users secure access control on a per-
application basis. Often called context-based access control (CBAC).
Intrusion detection This is a deep packet inspection tool that lets you monitor,
intercept, and respond to abuse in real-time
6
Cont … ICMP inspection
Permits responses to ICMP packets such as ping and traceroute that come from inside your firewall while denying other ICMP traffic.
Per-user firewalls Personalized, user-specific, downloadable firewalls obtained
through service providers. You can also get personalized ACLs and other settings via AAA
server profile storage.
DoS detection and prevention This is a feature that checks packet headers and drops any
packets it finds suspicious.
7
Cont … Policy-based, multi-interface support
This allows you to control user access by IP address and interface depending on your security policy.
Network Address Translation (NAT) This conceals the internal network from the outside, which
increases security.
Peer router authentication This guarantees that routers are getting dependable routing
information from actual, trusted sources. For this to work, you need a routing protocol that supports
authentication such as RIPv2, EIGRP, or OSPF.
8
Introduction to Access Lists A lot like programming a series of if-then statements
if a given condition is met, then a given action is taken If the specific condition isn’t met, nothing hap- pens, and the
next statement is evaluated
Basically packet filters that packets are compared against, categorized by, and acted upon accordingly
Once the lists are built, they can be applied to either inbound or outbound traffic on any interface Applying an ACL causes the router to analyze every packet
crossing that interface in the specified direction and take the appropriate action.
9
Cont … A packet follows a few important rules when it’s being
compared to an access list: It’s always compared to each line of the access list in sequential
order; in other words, it’ll always start with the first line of the access list, then go to line 2, then line 3, and so on.
It’s compared to lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon, and no further comparisons take place.
There is an implicit “deny” at the end of each access list; this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
10
Two types of ACLs1. Standard ACLs
Use only the source IP address in an IP packet as the condition test
All decisions are made based on the source IP address They basically permit or deny an entire suite of protocols They don’t distinguish between any of the many types of IP
traffic such as WWW, Telnet, UDP, and so on.
2. Extended ACLs Can evaluate many of the other fields in the layer- 3 and layer-4
headers of an IP packet Evaluate source and destination IP addresses, the protocol field
in the Network layer header, and the port number at the Transport layer header
Make much more granular decisions when controlling traffic.11
Cont … Names ACLs
Can either be standard or extended
Security threats you can mitigate with ACLs: IP address spoofing—inbound IP address spoofing—outbound DoS TCP SYN attacks—blocking external attacks DoS TCP SYN attacks—using TCP intercept Filtering ICMP messages—inbound Filtering ICMP messages—outbound Filtering traceroute
12
Not wise to allow any IP packets coming into a private network that contain the source address of any internal hosts or networks—just don’t do it!
Standard ACLs Standard IP access lists filter network traffic by
examining the source IP address in a packet. You create a standard IP access list by using the
access-list numbers 1–99 or 1300–1999 ACLs are differentiated using a number. Creating an Access-list and Applying it to an Interface
access-list - Configures a single access-list statement into a router’s memory for use in a complete access list that will be applied to an interface
ip access-group - Places an access list on a device’s physical interface
A standard ACL should apply closest to the destination an in an “outbound” direction
13
Standard ACLs
14
Option Meaning
<ID number> Identifies an access list by number as a standard or extended list. Also allows the creation and separation of multiple access lists.
Permit or deny Specifies the effect of the access-list statement as allowing or blocking the traffic specified.
hostname or IP address Specifies the hostname or device’s IP address that will be acted upon in the access-list statement.
host Specifies a single specific host for the statement.
any Specifies that regardless of the host or device IP, it will match the statement.
Cont … access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host.
the router assumes you mean host 172.16.30.2.
Wildcard Masking Used with access lists to specify an individual host, a
network, or a certain range of a network or networks An example below tells the router to match the first
three octets exactly but that the fourth octet can be anything: Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255 ip access-group 10 in
15
Controlling VTY (Telnet) Access Standard ACLs are used to stop unwanted users from
telnet access on a large router. You need only to control where the user is coming from
—their source IP address. To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command
16
Cont … An example of allowing only host 172.16.10.3 to telnet
into a router: Lab_A(config)#access-list 50 permit 172.16.10.3 Lab_A(config)#line vty 0 4 Lab_A(config-line)#access-class 50 in
Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3, regardless of which individual IP address on the router is used as a target.
17
Extended ACLs In the standard IP access list
blocking all access from the sales LAN to the finance department
What if you needed sales to gain access to a certain server on the finance LAN but not to other network services for security reasons?
A standard IP access list can’t allow users to get to one network service and not another.
A standard ACL won’t make decisions based on both source and destination addresses
An extended ACL will
18
Extended ACLs Extended access lists allow you to specify:
source and destination addresses protocol and port number that identify the upper-layer protocol
or application
Creating an Access-list and Applying it to an Interface access-list - Configures a single access-list statement into a
router’s memory for use in a complete access list that will be applied to an interface
ip access-group - Places an access list on a device’s physical interface
19
Extended ACLs options
20
Option Meaning
<ID number> Identifies an access list by number as a standard or extended list. Also allows the creation and separation of multiple access lists.
Permit or deny Specifies the effect of the access-list statement as allowing or blocking the traffic specified.
Protocol Specifies the protocol to be filtered in the access-list statement.
hostname or IP address Specifies the hostname or device’s IP address that will be acted upon in the access-list statement.
host Specifies a single specific host for the statement.
Extended ACLs options
21
Option Meaning
any Specifies that regardless of the host or device IP, it will match the statement.
eq Means equal to, and specifies the application protocol to be filtered by the statement.
Port number Lists the actual port number or protocol for filtering.
Extended ACLs Example Corp(config)#access-list 110 deny tcp any host
172.16.30.2 all TCP traffic to host 172.16.30.2 will be denied, regardless of
the destination port
Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq ? shows you the available options
Block Telnet (port 23) to host 172.16.30.2 only Corp(config)#access-list 110 deny tcp any host 172.16.30.2 eq
23 log keep in mind that the next line is an implicit deny any by default Corp(config)#access-list 110 permit ip any any
22
Cont … The keyword any represents all hosts on the entire
network 0.0.0.0 255.255.255.255 is the same command as any Corp(config)#access-list 110 permit ip 0.0.0.0 255.255.255.255
0.0.0.0 255.255.255.255
23
Named ACL Allows you to use names to both create and apply either
standard or extended access lists Named Access List Commands
ip access-list: Configures a named access list ip access-group: Places an access list on a device’s physical
interface
Named ACL options can either be those of the standard or extended.
Example Lab_A(config)#ip access-list standard BlockSales Lab_A(config-std-nacl)#
standard access list and then added a name: BlockSales Notice that router prompt changed
24
Named ACL Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255 Lab_A(config-std-nacl)#permit any
Lab_A#show running-config ! ip access-list standard BlockSales deny172.16.40.0 0.0.0.255 permit any !
Applying the ACL on the interface Lab_A(config)#int e1 Lab_A(config-if)#ip access-group BlockSales out
25
Time-based ACLs Work a lot like extended ACLs do, but their type of
access control is totally time-oriented specify a certain time of day and week and then identify that
particular period by giving it a name referenced by a task the reference function will fall under whatever time constraints
you’ve dictated
The time period is based upon the router’s clock highly recommend using it in conjunction with Network Time
Protocol (NTP) synchronization.
Timed Access List Commands Time-range: Configures a time range value to be added to an
access list as an option to control traffic and access by time
26
Cont …
27
Option Meaning
<ID name> Identifies the time range by name for use in an access-list statement
Periodic Specifies how the time range will act or be created, allowing specific time values to be set
hh:mm Specifies time values for when the range will start and stop on specific days
Example
28
Cont …
29
Note: Make sure you test your list on a nonproduction network before you implement the lists on your production network.
Monitoring ACLs It’s always good to be able to verify a router’s
configuration
30
Access List Verification Commands
Command Meaning
Show access-list Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
Show access-list 110 Shows only the parameters for the access list 110. This command does not show you the interface the list is set on.
Show ip access-list Shows only the IP access lists configured on the router.
Show ip interface Shows which interfaces have access lists set.
Network Address Translation The original intention for NAT was to slow the depletion
of available IP address space by allowing many private IP addresses to be represented by some smaller number of public IP addresses.
When is it best to have NAT You need to connect to the Internet, and your hosts don’t have
globally unique IP addresses. You change to a new ISP that requires you to renumber your
network. You need to merge two intranets with duplicate addresses.
31
Cont …
32
Types of NAT Static NAT
This type of NAT is designed to allow one-to-one mapping between local and global addresses
one real Internet IP address for every host on your network.
Dynamic NAT This version gives you the ability to map an unregistered IP
address to a registered IP address from out of a pool of registered IP addresses
Have enough pool of IP addresses
Overload NAT Most popular type of NAT configuration. It is a form of dynamic NAT that maps multiple unregistered IP
addresses to a single registered IP address—many-to-one—by using different ports
Also known as Port Address Translation (PAT) NAT Overload is the real reason we haven’t run out of valid IP address on the
Internet 33
How NAT works
34
Cont…1. The organization has 4 legitimate IP addresses
2. Client connects with a private IP address as the source IP
3. NAT supplies the client with one public address from the pool as the source address
4. Server has one address which receives the connection
5. When the server replies the source address becomes the destination
6. The NAT receives the reply intended for the private address client
7. Translates back to the private address using the current connection
The number of client computers able to connect simultaneously is limited to the number of legitimate addresses in the pool
35
NAT Names Addresses used after NAT translations are called global
addresses usually the public addresses used on the Internet you don’t need public addresses if you aren’t going on the
Internet.
Local addresses are the ones we use before NAT translation
The inside local address is actually the private address of the sending host that’s trying to get to the Internet
The outside local address is the address of the destination host The latter is usually a public address (web address, mail server)
After translation The inside local address is then called the inside global address the outside global address becomes the name of the destination
host 36
Cont … NAT terms
37
Names Meaning
Inside local Name of inside source address before translation
Outside local Name of destination host before translation
Inside global Name of inside host after translation
Outside global Name of outside destination host after translation
Static NAT configuration
38
Cont … The ip nat inside source command identifies which IP
addresses will be translated static translation between the inside local IP address 10.1.1.1 to
the outside global IP address 170.46.2.2.
The ip nat inside command identifies that interface as the inside interface
The ip nat outside command identifies that interface as the outside interface
39
Dynamic NAT configuration
Dynamic NAT means we have a pool of addresses that we will use to provide real IP addresses to a group of users on the inside
We do not use port numbers, so we need to have real IP addresses for every user trying to get outside the local network
40
Cont …
The ip nat inside source list 1 pool todd command tells the router to translate IP addresses that match access-list 1 to an address found in the IP NAT pool named todd
41
PAT (Overloading) configuration
shows how to configure inside global address overloading.
42
Cont …
The differences with the other configurations The pool of addresses has shrunk to only one IP address and
at the end of the ip nat inside source command It uses the the overload command.
43
Verification of NAT
44
Questions