Access control lists

• Configure ACLs for each network protocol configured on the border router interfaces.. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.. Two

University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528

Lab.8 Access Control Lists

1 To understand the concept of ACLs

Objectives

2 Design and apply named standard and named extended ACLs

1 Read thoroughly and prepare the experiment sheet

Pre-lab Preparation:

2 You must bring a printed copy of this experiment with you to the lab

You can find the problem sheet on Drive D: of the lab PCs

Procedure:

Introduction:

Network security is a huge subject One of the most important skills a network administrator needs is mastery of access control lists (ACLs) Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks

Network designers use firewalls to protect networks from unauthorized use Firewalls are hardware or software solutions that enforce network security policies Consider a lock on a door to a room inside a building The lock only allows authorized users with a key or access card to pass through the door Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network On a Cisco router, you can configure

a simple firewall that provides basic traffic filtering capabilities using ACLs

An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols ACLs provide a powerful way to control traffic into and out of your network You can configure ACLs for all routed network protocols

An ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or

"deny" decisions based on:

• Source IP address

• Destination IP address

• ICMP message type

The ACL can also extract upper layer information and test it against its rules Upper layer information includes:

• TCP/UDP source port

• TCP/UDP destination port

What is an ACL?

An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header ACLs are also used for selecting types of traffic to be analyzed, forwarded,

or processed in other ways

As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet ACLs can be configured

to control access to a network or subnet

By default, a router does not have any ACLs configured and therefore does not filter traffic Traffic that enters the router is routed according to the routing table If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment

Here are some guidelines for using ACLs:

• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet

• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network

• Configure ACLs on border routers-routers situated at the edges of your networks This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network

• Configure ACLs for each network protocol configured on the border router interfaces You can

configure ACLs on an interface to filter inbound traffic, outbound traffic, or both

The Three Ps

A general rule for applying ACLs on a router can be recalled by remembering the three Ps You can configure one ACL per protocol, per direction, per interface:

• One ACL per protocol-To control traffic flow on an interface, an ACL must be defined for each

protocol enabled on the interface

• One ACL per direction-ACLs control traffic in one direction at a time on an interface Two separate ACLs must be created to control inbound and outbound traffic

• One ACL per interface-ACLs control traffic for an interface, for example, Fast Ethernet 0/0

Writing ACLs can be a challenging and complex task Every interface can have multiple protocols and

directions defined The router in the example has two interfaces configured for IP: AppleTalk and IPX This router could possibly require 12 separate ACLs: one ACL for each protocol, times two for each direction, times two for the number of ports

ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers In addition to either permitting or denying traffic, an ACL can classify traffic to enable priority

processing down the line

ACL Operation:

How ACLs Work

ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router and packets that exit outbound interfaces of the router ACLs do not act on packets that originate from the router itself

ACLs are configured either to apply to inbound traffic or to apply to outbound traffic

Inbound ACLs-Incoming packets are processed before they are routed to the outbound interface An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded If the packet is permitted by the tests, it is then processed for routing

Outbound ACLs-Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL

ACL statements operate in sequential order They evaluate packets against the ACL, from the top down, one statement at a time

If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet

is permitted or denied as determined by the matched statement If a packet header does not match an ACL statement, the packet is tested against the next statement in the list This matching process continues until the end of the list is reached

A final implied statement covers all packets for which conditions did not test true This final test condition matches all other packets and results in a "deny" instruction Instead of proceeding into or out of an interface, the router drops all of these remaining packets This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic

Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable If the packet is not routable, it is dropped Next, the router checks to see whether the outbound

interface is grouped to an ACL If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer Examples of outbound ACL operation are as follows:

If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound

interface

If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface Based on the ACL tests, the packet is permitted or denied

For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet

Types of ACLs:

There are two types of Cisco ACLs, standard and extended

Standard ACLs

Standard ACLs allow you to permit or deny traffic from source IP addresses The destination of the packet and the ports involved do not matter

Example: access-list 10 permit 192.168.30.0 0.0.0.255

The example allows all traffic from network 192.168.30.0/24 network Because of the implied "deny any" at the end, all other traffic is blocked with this ACL Standard ACLs are created in global configuration mode

Extended ACLs

Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination

IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control

Example: access-list 103 permit tcp 192.168.30.0 0.0.0.255any eq 80

ACL 103 permits traffic originating from any address on the 192.168.30.0/24 network to any destination host port 80 (HTTP) Extended ACLs are created in global configuration mode

Numbering and Naming ACLs:

Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic However, a number does not inform you of the purpose of the ACL For this reason you can use a name to identify a Cisco ACL

The rule to designate numbered ACLs and named ACLs is:

Numbered ACL:

You assign a number based on which protocol you want to filtered:

• (1 to 99) and (1300 to 1999): Standard IP ACL

• (100 to 199) and (2000 to 2699): Extended IP ACL

In case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols

Named ACL:

You assign a name by providing the name of the ACL:

• Names can contain alphanumeric characters

• It is suggested that the name be written in CAPITAL LETTERS

• Names cannot contain spaces or punctuation and must begin with a letter

• You can add or delete entries within the ACL

Where to place ACLs:

The proper placement of an ACL to filter undesirable traffic makes the network operate more efficiently ACLs can act as firewalls to filter packets and eliminate unwanted traffic Where you place ACLs can reduce

unnecessary traffic For example, traffic that will be denied at a remote destination should not use network resources along the route to that destination

Every ACL should be placed where it has the greatest impact on efficiency The basic rules are:

• Locate extended ACLs as close as possible to the source of the traffic denied This way, undesirable traffic is filtered without crossing the network infrastructure

• Because standard ACLs do not specify destination addresses, place them as close to the destination as possible

Let us consider an example of where to place ACLs in our network The interface and network location is based

on what you want the ACL to do

1 In the figure below, the administrator wants to prevent traffic originating in the 192.168.10.0/24

network from getting to the 192.168.30.0/24 network An ACL on the outbound interface of R1 denies R1 the ability to send traffic to other places as well The solution is to place a standard ACL on the inbound interface of R3 to stop all traffic from the source address192.168.10.0/24 A standard ACL meets the needs because it is only concerned with source IP addresses

2 Consider that administrators can only place ACLs on devices that they control Therefore, placement must be determined in the context of where the control of the network administrator extends, see figure below In this figure, the administrator of the 192.168.10.0/24 and 192.168.11.0/24 networks (referred

to as Ten and Eleven, respectively, in this example) wants to deny Telnet and FTP traffic from Eleven

to the 192.168.30.0/24 network (Thirty, in this example) At the same time, other traffic must be

permitted to leave Ten

There are several ways to do this An extended ACL on R3 blocking Telnet and FTP from Eleven would accomplish the task, but the administrator does not control R3 That solution also still allows unwanted traffic to cross the entire network, only to be blocked at the destination This affects overall network efficiency

One solution is to use an outbound extended ACL that specifies both source and destination addresses (Eleven and Thirty, respectively), and says, "Telnet and FTP traffic from Eleven is not allowed to go to Thirty." Place this extended ACL on the outbound S0/0/0 port of R1

A disadvantage of this solution is that traffic from Ten would also be subject to some processing by the ACL, even though Telnet and FTP traffic is allowed

The better solution is to move closer to the source and place an extended ACL on the inbound Fa0/2 interface of R1 This ensures that packets from Eleven do not enter R1, and subsequently cannot cross over into Ten, or even enter R2 or R3 Traffic with other destination addresses and ports is still

permitted through R1

Configuring a standard ACL

Standard ACL Logic

In the figure below, packets that come in Fa0/0 are checked for their source addresses:

access-list 2 deny 192.168.10.1

access-list 2 permit 192.168.10.0 0.0.0.255

access-list 2 deny 192.168.0.0 0.0.255.255

access-list 2 permit 192.0.0.0 0.255.255.255

If packets are permitted, they are routed through the router to an output interface If packets are not permitted, they are dropped at the incoming interface

Configuring Standard ACLs

To configure numbered standard ACLs on a Cisco router, you must first create the standard ACL and then

activate the ACL on an interface

The full syntax of the standard ACL command is as follows:

Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log]

The following table provides a detailed explanation of the syntax for a standard ACL

source:

Use a 32-bit quantity in four-part, dotted- decimal format

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.55

Use a 32-bit quantity in four-part, dotted-decimal format Place ones in the bit positions you want to ignore Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.55

console (The level of messages logged to the console is controlled by the logging console command.) The message includes the ACL number, whether the packet was permitted or denied, the source address, and the number of packets The message is generated for the first packet that matches, and then at five-minute intervals, including the number of packets permitted or denied in the prior five-minute interval

For example, to create a numbered ACL designated 10 that would permit network 192.168.10.0 /24, you would enter:

R1(config)# access-list 10 permit 192.168.10.0

To remove the ACL, the global configuration no access-list command is used Issuing the show access-list command confirms that access list 10 has been removed

Typically, administrators create ACLs and fully understand each the purpose of each statement within the ACL However, when an ACL is revisited at a later time, it may no longer as obvious as it once was

The remark keyword is used for documentation and makes access lists a great deal easier to understand Each remark is limited to 100 characters The ACL in the figure below, although fairly simple, is used to provide an example When reviewing the ACL in the configuration, the remark is also displayed

ACL Wildcard Masking

Wildcard Masking

ACLs statements include masks, also called wildcard masks A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function The mask determines how much of an IP source or destination address to apply to the address match The numbers 1 and 0 in the mask identify how to treat the corresponding IP address bits However, they are used for different purposes and follow different rules

Wildcard masks and subnet masks are both 32 bits long and use binary 1s and 0s Subnet masks use binary 1s and 0s to identify the network, subnet, and host portion of an IP address Wildcard masks use binary 1s and 0s to filter individual or groups of IP addresses to permit or deny access to resources based on an IP address By carefully setting wildcard masks, you can permit or deny a single or several IP addresses

Wildcard masks and subnet masks differ in the way they match binary 1s and 0s Wildcard masks use the following rules to match binary 1s and 0s:

Wildcard mask bit 0 - Match the corresponding bit value in the address

Wildcard mask bit 1 - Ignore the corresponding bit value in the address

The table below shows the results of applying a 0.0.255.255 wildcard mask to a 32-bit IP address Remember that a binary 0 indicates a value that is matched

Decimal Address Binary Address

IP address to be processed 192.168.10.0 11000000.10101000.00001010.00000000

Wildcard mask 0.0.255.255 00000000.00000000.11111111.11111111

Resulting IP address 192.168.0.0 11000000.10101000.00000000.00000000

Wildcard Bit Mask Keywords

Working with decimal representations of binary wildcard mask bits can be tedious To simplify this task, the keywords host and any help identify the most common uses of wildcard masking These keywords eliminate entering wildcard masks when identifying a specific host or network They also make it easier to read an ACL

by providing visual clues as to the source or destination of the criteria

The host option substitutes for the 0.0.0.0 mask This mask states that all IP address bits must match or only one host is matched

The any option substitutes for the IP address and 255.255.255.255 mask This mask says to ignore the entire IP address or to accept any addresses

Example 1: Wildcard Masking Process with a Single IP Address

In the example, instead of entering 192.168.10.10 0.0.0.0, you can use host 192.168.10.10

R1(config)# access-list 1 permit 192.168.10.10 0.0.0.0 R1(config)# access-list 1 permit host 192.168.10.10

Example 2: Wildcard Masking Process with a Match Any IP Address

In the example, instead of entering 0.0.0.0 255.255.255.255, you can use the keyword any by itself

R1(config)# access-list 1 permit 0.0.0.0 255.255.255.255 R1(config)# access-list 1 permit any

Applying Standard ACLs to Interfaces

Standard ACL Configuration Procedures

After a standard ACL is configured, it is linked to an interface using the ip access-group command:

Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out}

To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL

Step 1:

Use the access-list global configuration command to create any entry in a standard ACL

R1(config)# access-list 1 permit 192.168.10.0 0.0.0.255

Step 2:

Use the interface configuration command to select an interface to which to apply the ACL

R1(config)# interface FastEthernet 0/0

Step 3:

Use the ip access-group interface configuration command to activate the existing ACL on an interface

R1(config)# ip access-group 1 out

The following figures show examples of an ACL to permit a single network, of an ACL that denies a specific host, and an ACL that denies a specific subnet

Editing Numbered ACLs

When configuring an ACL, the statements are added in the order that they are entered at the end of the ACL However, there is no built-in editing feature that allows you to edit a change in an ACL You cannot selectively insert or delete lines

It is strongly recommended that any ACL be constructed in a text editor such as Microsoft Notepad This allows you to create or edit the ACL and then paste it onto the router For an existing ACL, you could use the show running-config command to display the ACL, copy and paste it into the text editor, make the necessary changes, and reload it

For example, assume that the host IP address of a host was incorrectly entered Instead of the 192.168.10.100 host, it should have been the 192.168.10.11 host Here are the steps to edit and correct ACL 20:

Step 1:

Display the ACL using the show running-config command The include keyword used to display only the

ACL statements

R1# show running-config | include access-list access-list 20 permit 192.168.10.100