security fundamental and acl details (day-1)

Security Fundamental and ACL Details Nazrul Islam [email protected]


Planes of Operation

• Control Plane
• Makes decisions about where traffic is sent
• Control plane packets are destined to, or locally originated by, the router itself
• Control plane functions include system configuration, management, and the exchange of routing table information
• Control plane packets are processed by the router to update its routing table

• Data Plane
• Also known as the Forwarding Plane
• Forwards traffic to the next hop along the path to the selected destination network, according to control plane logic
• Data plane packets go through the router rather than to it
• Routers/switches use what the control plane built to dispose of incoming and outgoing frames and packets

• Management Plane
• Users, operators and tools managing the network infrastructure (SSH, SNMP, HTTP and similar management sessions)

Planes of Operation

Source: https://blog.ipspace.net/2013/08/DevicePlanes.png

Management Plane Protection (MPP)

• Management Plane Protection (MPP) is a security feature of Cisco IOS routers that:
• Restricts the interfaces on which the router accepts packets from network management protocols
• Restricts the network management protocols that the router permits
• Management protocols supported by MPP:
• Blocks Extensible Exchange Protocol (BEEP)
• FTP
• HTTP
• HTTPS
• SSH, v1 and v2
• SNMP, all versions
• Telnet
• TFTP

MPP Configuration

• R1(config)#line vty 0 4
• R1(config-line)#transport input telnet
• R1(config)#control-plane host
• R1(config-cp-host)#management-interface GigabitEthernet 2 allow telnet
• R1#show management-interface
• R1#show management-interface protocol telnet
• Note: with this configuration Telnet to the router is accepted only when it arrives on GigabitEthernet 2; management packets arriving on any other interface are dropped. MPP requires Cisco Express Forwarding (CEF) to be enabled. Telnet is cleartext, so in production use transport input ssh on the vty lines and allow ssh on the management interface instead.

CoPP (Control Plane Policing)

• Uses the MQC (Modular QoS CLI) framework to permit, deny or rate-limit traffic destined to the route processor
• One policy protects all network interfaces on all platforms
• No need to apply an ACL to every individual interface
• Some details are platform-specific (for example hardware versus software policing and the counters available)
• Some packets must be permitted, but only at a limited rate:
• ICMP
• Transit punts (transit packets the data plane cannot forward in hardware and hands to the CPU)
• Protects against DoS attacks targeting the network infrastructure itself
• Increases the reliability, security, and availability of network devices

ACL for CoPP

• R1(config)#ip access-list extended ICMP
• R1(config-ext-nacl)#permit icmp any any
• R1(config)#ip access-list extended TELNET
• R1(config-ext-nacl)#permit tcp any any eq 23
• R1(config)#ip access-list extended OSPF
• R1(config-ext-nacl)#permit ospf any any
• R1(config)#ip access-list extended HSRP
• R1(config-ext-nacl)#permit udp any host 224.0.0.102 eq 1985
• Note: in a CoPP ACL, permit means "classify into this class", not "allow"; the policer attached to the class decides what happens. 224.0.0.102/UDP 1985 is the HSRPv2 group; HSRPv1 uses 224.0.0.2 on the same port.

Class Map for CoPP

• R1(config)#class-map ICMP

• R1(config-cmap)#match access-group name ICMP

• R1(config)#class-map TELNET

• R1(config-cmap)#match access-group name TELNET

• R1(config)#class-map OSPF

• R1(config-cmap)#match access-group name OSPF

• R1(config)#class-map HSRP

• R1(config-cmap)#match access-group name HSRP

Policy Map for CoPP

• R1(config)#policy-map COPP
• R1(config-pmap)#class ICMP
• R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
• R1(config-pmap-c)#exit
• R1(config-pmap)#class TELNET
• R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
• R1(config-pmap-c)#exit
• R1(config-pmap)#class OSPF
• R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
• R1(config-pmap-c)#exit
• R1(config-pmap)#class HSRP
• R1(config-pmap-c)#police 8000 conform-action transmit exceed-action transmit
• R1(config-pmap-c)#exit
• Note: police 8000 is a rate in bits per second (8000 is the smallest value IOS accepts). With exceed-action transmit the policer only counts packets above the rate, so the policy above measures but does not limit anything. Once the conform/exceed counters show what normal rates look like, change exceed-action to drop for classes such as ICMP and TELNET; keep exceed-action transmit (or a generous rate) for OSPF and HSRP, because dropping them causes adjacency and failover flaps.

Apply the Policy Map to the Control Plane

• R1(config)#control-plane

• R1(config-cp)#service-policy input COPP

• R1#show policy-map control-plane
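The policer behind the police command, as an added example that is not code from the slides: a single-rate token-bucket policer applied per class, the way the control-plane service-policy above applies one policer per class-map. A constructed ICMP burst shows that exceed-action transmit only counts excess packets while exceed-action drop actually caps what reaches the route processor. The 1500-byte burst, the packet sizes and the spacing are simulation assumptions, not platform defaults, and the class is chosen by protocol name as a stand-in for the ACL-based class-maps.

```python
"""Added example, not code from the slides: a single-rate token-bucket policer
in the style of MQC 'police <bps> conform-action ... exceed-action ...',
applied per class as a control-plane service-policy does. Burst size, packet
sizes and spacing are simulation assumptions, not platform defaults; time is
kept in integer milliseconds so the refill arithmetic is exact."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Policer:
    rate_bps: int                      # committed rate, e.g. 'police 8000'
    bc_bytes: int                      # committed burst: depth of the token bucket
    exceed_action: str = "drop"        # 'transmit' or 'drop'
    tokens_bits: int = field(init=False, default=0)
    last_ms: int = field(init=False, default=0)
    stats: Dict[str, int] = field(init=False, default_factory=dict)

    def __post_init__(self) -> None:
        self.tokens_bits = self.bc_bytes * 8       # bucket starts full
        self.stats = {"conform": 0, "exceed": 0, "forwarded": 0, "dropped": 0}

    def offer(self, t_ms: int, size_bytes: int) -> str:
        """Offer one packet at time t_ms; returns the action applied to it."""
        earned = self.rate_bps * (t_ms - self.last_ms) // 1000   # bits earned since last packet
        self.tokens_bits = min(self.bc_bytes * 8, self.tokens_bits + earned)
        self.last_ms = t_ms
        bits = size_bytes * 8
        if bits <= self.tokens_bits:
            self.tokens_bits -= bits
            self.stats["conform"] += 1
            action = "transmit"                      # conform-action transmit
        else:
            self.stats["exceed"] += 1                # excess traffic never consumes tokens
            action = self.exceed_action
        self.stats["forwarded" if action == "transmit" else "dropped"] += 1
        return action


def run_policy(policy: Dict[str, Policer],
               packets: List[Tuple[int, str, int]]) -> Dict[str, Dict[str, int]]:
    """Apply a control-plane policy-map. The class is chosen by protocol name,
    standing in for the class-map/ACL lookup; packets matching no class fall
    into class-default, which is not policed here."""
    default = {"forwarded": 0}
    for t_ms, proto, size in packets:
        policer = policy.get(proto.upper())
        if policer is None:
            default["forwarded"] += 1
        else:
            policer.offer(t_ms, size)
    result = {name: dict(p.stats) for name, p in policy.items()}
    result["class-default"] = default
    return result


def icmp_flood(count: int = 1000, size: int = 100, spacing_ms: int = 1) -> List[Tuple[int, str, int]]:
    """Constructed input: 1000 ICMP packets of 100 bytes, 1 ms apart (about 800 kbit/s)."""
    return [(i * spacing_ms, "icmp", size) for i in range(count)]


def compare(icmp_exceed_action: str) -> Dict[str, Dict[str, int]]:
    """Run the slide's ICMP and OSPF classes with the ICMP class set to the given
    exceed-action; OSPF keeps 'exceed-action transmit' so the adjacency is never starved."""
    policy = {"ICMP": Policer(8000, 1500, icmp_exceed_action),
              "OSPF": Policer(8000, 1500, "transmit")}
    # one OSPF hello and one BGP packet (no class, so class-default) ride along with the flood
    return run_policy(policy, icmp_flood() + [(500, "ospf", 80), (600, "bgp", 60)])


if __name__ == "__main__":
    for action in ("transmit", "drop"):
        print(action, compare(action)["ICMP"])
```

With 8000 bit/s and a 1500-byte bucket, only 24 of the 1000 flood packets conform (15 from the initial burst credit, then one per 100 ms of refill). The conform and exceed counters are identical for both exceed-actions; what differs is the forwarded count, which is the number that actually hits the CPU.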

CoPP Conceptual View

• Source: Ciscolive.com

Access Control Lists (ACL)

• An ACL is an ordered list of rules that permits or denies specific traffic passing through the router
• It filters on Layer 3 (addresses, protocol) and Layer 4 (port) information and so controls which flows cross the router
• Entries are evaluated top-down, the first match wins, and every ACL ends with an implicit deny any
• Because it filters individual packets without tracking connections, it is also called a packet-filtering (stateless) firewall

ACL Apply

Types of ACL

• Standard Access Control List: 1-99 or 1300-1999
• Extended Access Control List: 100-199 or 2000-2699
• Named Access Control List
• Time-Based Access Control List
• Dynamic Access Control List

ACL Flow

• Source: Networklessons

Standard Access List

• Filtering is done based on the source IP address only
• The access-list number range is 1 to 99 and 1300 to 1999
• Syntax: access-list <ID> <Action> <Source IP> <Source Wildcard Mask>
• Example: access-list 10 permit 192.168.2.0 0.0.0.255
• Note: the wildcard mask is the inverse of a subnet mask (0 bits must match, 1 bits are ignored): 0.0.0.0 matches one host and 255.255.255.255 matches any address. Because a standard ACL cannot see the destination, apply it as close to the destination as possible.

Extended Access List

• Checks source and destination address, protocol and port number
• The access-list number range is 100 to 199 and 2000 to 2699
• Syntax: access-list <ID> <Action> <Protocol> <Source IP> <Source Wildcard Mask> [Source Port] <Destination IP> <Destination Wildcard Mask> [Destination Port]
• Example: access-list 101 deny tcp 192.168.10.10 0.0.0.0 192.168.30.21 0.0.0.0 eq 21
• Note: 192.168.10.10 0.0.0.0 is the same as host 192.168.10.10. This entry blocks FTP control connections (TCP/21) from that host to that server; on its own it also denies all other traffic because of the implicit deny at the end, so a permit entry must follow it. Apply extended ACLs as close to the source as possible.

Time-based access-list

• A time-based access list allows or denies network access on the basis of a time period. It is useful for restricting inbound or outbound traffic at particular times of day or on particular days of the week.
• Procedure:
• Define a time range: first define a time-range, using the keyword absolute (one fixed start and end) or periodic (recurring, e.g. weekdays 09:00 to 17:00)
• Define an access list: next define an extended access list whose entries reference the time-range
• Apply the access list to an interface or to line vty, as needed
• An entry whose time-range is inactive is simply skipped, so the packet falls through to the next entry or to the implicit deny
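How the router walks the standard, extended and time-based lists described above, as an added example that is not code from the slides: a small model of IOS ACL evaluation with wildcard-mask matching, top-down first match, the implicit deny any, and time-range entries that are skipped while inactive. The ACL lines, the WORKHOURS time range and the packets are constructed for illustration, and the parser covers only the syntax used on this page (any, host, address plus wildcard, eq on the destination port, time-range).

```python
"""Added example, not code from the slides: a model of how IOS evaluates a
numbered standard or extended ACL. Shows wildcard-mask matching, top-down
first-match evaluation, the implicit 'deny any' at the end, and time-range
entries, which are skipped (not treated as deny) while the range is inactive.
The ACL lines and time ranges used here are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == network 0.0.0.0, wildcard 255.255.255.255


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care',
    so 0.0.0.0 means 'host' and 255.255.255.255 means 'any'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


@dataclass
class TimeRange:
    """Models 'periodic <days> hh:mm to hh:mm'; days are ISO weekdays (1=Mon .. 7=Sun)."""
    days: set
    start_min: int   # minutes since midnight
    end_min: int

    def active(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        return when.isoweekday() in self.days and self.start_min <= now <= self.end_min


@dataclass
class Ace:
    action: str      # 'permit' or 'deny'
    protocol: str    # 'ip' matches any protocol; otherwise 'tcp', 'udp', 'icmp', ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None          # 'eq <port>' on the destination
    time_range: Optional[TimeRange] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (bare address = host)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    has_wc = bool(tokens) and tokens[0][0].isdigit()
    return tok, (tokens.pop(0) if has_wc else "0.0.0.0")


def parse_ace(line: str, time_ranges: Optional[dict] = None) -> Ace:
    """Parse one 'access-list <n> <permit|deny> ...' line; the number decides
    whether it is standard (source only) or extended (protocol, src, dst, port)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:    # standard ranges
        protocol, (src, src_wc), (dst, dst_wc) = "ip", _parse_addr(rest), ANY
    else:                                               # extended ranges
        protocol = rest.pop(0)
        src, src_wc = _parse_addr(rest)
        dst, dst_wc = _parse_addr(rest)
    dst_port, time_range = None, None
    while rest:                                         # trailing options we model
        keyword = rest.pop(0)
        if keyword == "eq":
            dst_port = int(rest.pop(0))
        elif keyword == "time-range":
            time_range = (time_ranges or {})[rest.pop(0)]
    return Ace(action, protocol, src, src_wc, dst, dst_wc, dst_port, time_range)


def evaluate(acl: List[Ace], pkt: Packet, when: Optional[datetime] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index of the matching entry);
    index None means the implicit 'deny any' at the end of the list fired."""
    when = when or datetime.now()
    for i, ace in enumerate(acl):
        if ace.time_range is not None and not ace.time_range.active(when):
            continue                                    # inactive entry is skipped
        if ace.protocol != "ip" and ace.protocol != pkt.protocol:
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, i
    return "deny", None


if __name__ == "__main__":
    acl101 = [parse_ace(line) for line in (
        "access-list 101 deny tcp 192.168.10.10 0.0.0.0 192.168.30.21 0.0.0.0 eq 21",
        "access-list 101 permit ip 192.168.10.0 0.0.0.255 any")]
    print(evaluate(acl101, Packet("192.168.10.10", "192.168.30.21", "tcp", 21)))  # ('deny', 0)
    print(evaluate(acl101, Packet("10.1.1.1", "192.168.30.21", "udp", 53)))      # ('deny', None)
```

The second packet in the usage block is denied by no explicit entry at all; it falls off the end of the list, which is the implicit deny that catches people who write only deny entries. The same evaluator handles the time-based case: an entry carrying time-range WORKHOURS matches during the range and is skipped outside it, so what happens to the packet then depends on the entries below it.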

Named Access Control Lists (ACL)

• Named Access Control Lists have been supported by Cisco routers since IOS version 11.2
• A major limitation of numbered ACLs is that the number of numbered ACLs you can create is limited by the number ranges
• Named ACLs allow standard and extended ACLs to be given descriptive names instead of numbers
• Unlike classic numbered ACLs, named ACLs can be edited entry by entry (individual entries can be inserted or removed by sequence number) instead of deleting and re-creating the whole list

Dynamic Access Control Lists

• Dynamic ACLs are also known as Lock-and-Key. Lock-and-key is a traffic-filtering security feature that dynamically filters IP traffic; it is configured using IP dynamic extended access lists
• Lock-and-key uses a challenge mechanism (the user logs in to the router, typically over Telnet) to authenticate individual users before a temporary entry is opened for them
• Lock-and-key provides simpler management in large internetworks
• In many cases, lock-and-key reduces the amount of router processing required for access lists
• Lock-and-key reduces the opportunity for network break-ins by attackers, because the permitting entry exists only after authentication and only for a limited time