
Lecture CCNA security partner - Chapter 8: Access Control Lists for threat mitigation


Pages: 48
Size: 1.19 MB

Contents

Cisco provides basic traffic filtering capabilities with access control lists (ACL). This chapter covers the benefits of ACLs and describes their building blocks. The chapter describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments.

Page 1

© 2012 Cisco and/or its affiliates All rights reserved 1

Access Control Lists for Threat Mitigation

Page 2: Outline

• Lists the benefits of ACLs

• Describes the building blocks and operational framework of ACLs

• Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments

• Lists design considerations when deploying ACLs

• Demonstrates the use of Cisco Configuration Professional and the CLI to deploy and verify a threat containment strategy using ACLs

• Demonstrates the use of Cisco Configuration Professional and the CLI to correlate ACL log and alarm information in order to monitor their impact and effectiveness

• Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control

• Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences with IPv4 ACLs

Page 3: ACL Fundamentals

• ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world

• ACLs filter network traffic in both directions by controlling whether to forward or block packets at the router interfaces, based on the criteria that you specify within the ACLs

• ACL criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information

Page 5: Using ACLs to mitigate many threats

• IP address spoofing (inbound)

• IP address spoofing (outbound)

• DoS TCP SYN attacks (blocking external attacks)

• DoS TCP SYN attacks (using TCP intercept)

• DoS Smurf attacks

• Filtering ICMP messages (inbound)

• Filtering ICMP messages (outbound)

• Filtering traceroute

Page 6: ACL Operation

ACLs operate in two ways:

• Inbound: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing.

• Outbound: Packets arriving on the inside interface are routed to the outbound interface, and then they are processed through the outbound ACL.

Page 7: Outbound ACL Operation

Page 8: Top-Down Process of Tests: Deny or Permit

Page 9: Types of IP ACLs

Cisco routers support two types of IP ACLs:

• Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed. The result either permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.

• Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.

The two general methods you can use to create ACLs are as follows:

• Numbered ACLs: Use a number for identification.

• Named ACLs: Use an alphanumeric string for identification.

Page 10: ACL Wildcard Bits

• Wildcard mask bit 0: Match the corresponding bit value in the address

• Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address

Page 11: Example: Wildcard Masking Process for IP Subnets

Wildcard Bits to Match IP Subnets 172.30.16.0 to 172.30.31.0

Router(config)# access-list 1 deny 172.30.16.0 0.0.15.255

Page 12: Example: Wildcard Masking Process with a Single IP Address and with a Match Any IP Address

Wildcard Masking Process with a Single IP Address

Router(config)# access-list 2 permit 172.30.16.29 0.0.0.0
Router(config)# access-list 2 permit host 172.30.16.29

With a Match Any IP Address

Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 2 permit any

Page 13: Numbered Standard ACL Configuration Procedure

Page 14: Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet

r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
r1(config)# access-list 1 permit any
(implicit deny all = access-list 1 deny 0.0.0.0 255.255.255.255)
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 1 out
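As an added illustration that is not part of the slides, the following Python models the wildcard-bit rule from page 10 (bit 0 = must match, bit 1 = ignore) and the top-down evaluation with implicit deny shown above; the ACL lines and addresses are the slides' own, while the function names and the CIDR-to-wildcard helper are my additions.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: a wildcard bit of 0 means the address bit must equal
    the base bit, a wildcard bit of 1 means the bit is ignored.
    Equivalent to (addr XOR base) AND NOT wildcard == 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask covering one CIDR block, e.g. /20 -> 0.0.15.255
    (the slide's 172.30.16.0 - 172.30.31.0 summarization)."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def parse_standard_ace(line: str):
    """Parse 'access-list N {permit|deny} <source>' into (action, base, wildcard).
    'host X' means wildcard 0.0.0.0, 'any' means 0.0.0.0 255.255.255.255, and a
    bare address without a wildcard defaults to 0.0.0.0 (a single host)."""
    parts = line.split()
    action, rest = parts[2], parts[3:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")

def evaluate_standard_acl(acl_lines, src: str) -> str:
    """Top-down evaluation: the first matching ACE decides; when nothing
    matches, the implicit 'deny 0.0.0.0 255.255.255.255' at the end applies."""
    for line in acl_lines:
        action, base, wildcard = parse_standard_ace(line)
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

# The slide's access-list 1: block 172.16.4.0/24, allow everything else.
ACL_1 = ["access-list 1 deny 172.16.4.0 0.0.0.255",
         "access-list 1 permit any"]

if __name__ == "__main__":
    for src in ("172.16.4.77", "172.16.5.1", "10.0.0.1"):
        print(src, "->", evaluate_standard_acl(ACL_1, src))
    # Order of statements matters: the same two ACEs reversed permit 172.16.4.77.
    print("reversed:", evaluate_standard_acl(list(reversed(ACL_1)), "172.16.4.77"))
```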

Page 15

Router(config-line)# access-class access-list-number {in | out}

Page 16: Numbered Extended IPv4 ACL

Well-Known Port Numbers and IP Protocols

Page 17

Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port]

Page 18: Numbered Extended IPv4 ACL Example

r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
r1(config)# access-list 101 permit ip any any
(implicit deny all = access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 101 out

Page 19

Router(config)# access-list 102 permit tcp any host

Page 20: Enhancing ACLs with Object Groups

The benefits of using Object Groups for ACL include the following:

• Increased performance when network traffic is heavy

• Reduced storage in NVRAM compared to conventional ACLs

• Separate ownership of the components of an ACE. For example, you can create an ACE where each department within an organization can control its group membership. You can also create an ACE to permit or deny the departments to contact each other.

• Allows you to create an object group that contains other object groups. For example, you can create an ENG-ALL address group, which contains the ENG-EAST and ENG-WEST address groups.

Page 21: Example of an ACL Without Object Group

access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq ftp

Page 22: Example of an ACL Using Object Groups

access-list 100 deny object-group APPLICATIONS object-group SOURCES object-group DESTINATIONS
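To make concrete what the single object-group ACE above stands for, here is an added Python model (not from the slides and not IOS code) that expands it into the eight conventional ACEs of page 21 and also resolves nested groups such as the ENG-ALL example from page 20. The group contents, the "group-object" member syntax and the ENG-EAST/ENG-WEST address ranges are constructed assumptions.

```python
from itertools import product

# Constructed group definitions mirroring the slides' examples (not real IOS output).
# A member written as "group-object NAME" nests another group, as ENG-ALL does.
NETWORK_GROUPS = {
    "SOURCES": ["host 10.6.252.65", "host 10.6.252.66"],
    "DESTINATIONS": ["host 171.8.2.12", "host 171.8.2.13"],
    "ENG-EAST": ["10.1.0.0 0.0.255.255"],   # constructed address ranges
    "ENG-WEST": ["10.2.0.0 0.0.255.255"],
    "ENG-ALL": ["group-object ENG-EAST", "group-object ENG-WEST"],
}
SERVICE_GROUPS = {
    "APPLICATIONS": ["tcp www", "tcp ftp"],
}

def flatten(name, groups, path=()):
    """Resolve a group to its leaf members, following nested group-object
    entries recursively; a group that (indirectly) contains itself is rejected."""
    if name in path:
        raise ValueError(f"object group cycle through {name}")
    leaves = []
    for member in groups[name]:
        if member.startswith("group-object "):
            leaves.extend(flatten(member.split(maxsplit=1)[1], groups, path + (name,)))
        else:
            leaves.append(member)
    return leaves

def expand_ace(acl_num, action, svc_group, src_group, dst_group):
    """Expand 'access-list N ACTION object-group SVC object-group SRC object-group DST'
    into the equivalent conventional ACEs, ordered source, destination, service
    as on the slide without object groups.  The result has |SRC|*|DST|*|SVC| lines,
    which is why the object-group form saves NVRAM."""
    aces = []
    for src, dst, svc in product(flatten(src_group, NETWORK_GROUPS),
                                 flatten(dst_group, NETWORK_GROUPS),
                                 flatten(svc_group, SERVICE_GROUPS)):
        proto, port = svc.split()
        aces.append(f"access-list {acl_num} {action} {proto} {src} {dst} eq {port}")
    return aces

if __name__ == "__main__":
    for ace in expand_ace(100, "deny", "APPLICATIONS", "SOURCES", "DESTINATIONS"):
        print(ace)
    print(flatten("ENG-ALL", NETWORK_GROUPS))
```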

Page 23

The following components can be modularized in network object groups:

• Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (specified using the any command)

Page 24: Service object groups

The following components can be modularized in service object groups:

• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])

• ICMP types (such as echo, echo-reply, or host-unreachable)

• Top-level protocols (such as TCP, UDP, or Encapsulating Security Payload [ESP])

• Other service object groups

Page 25: ACL Considerations

Before you start to develop any ACLs, consider the following basic rules:

• Base your ACLs on your security policy

• Write it out

• Set up a development system

• Access list comments

• Test

Page 26: ACL Considerations

You should consider several caveats when working with ACLs:

• ACLs by themselves are stateless

• Only one ACL per interface, per protocol stack, per direction

• Implicit deny all

• Standard ACL limitation

• Order of specific statements

• Directional filtering

• Modifying ACLs

• Special packets

• Extended ACL placement

• Standard ACL placement

Page 27: Configuring ACLs for Threat Control Using Cisco Configuration Professional

Rules that can be created using CCP include the following:

• Externally defined rules

Page 28: Working with ACLs in CCP

CCP ACL Summary

Page 29: ACL Configuration Scenario Using CCP

The configuration steps are as follows:

Step 1 Configure the ACL

Step 2 Apply the ACL to interfaces

Step 3 Verify and monitor the ACL

Page 30: ACL Editor

Page 31: Adding Rules

Page 32: Adding an Extended Rule

Page 33: Associating Rules with Interfaces

Page 34

Enabling Logging with CCP

Selecting ACEs that Will Generate Log Entries

Page 35: Monitoring ACLs with CCP

Page 36

Logged ACE Generated by the Firewall

Entry

Page 37: Configuring an Object Group with CCP

Page 38: Object Group

You can create two types of ACL object groups:

• Network object groups: Can contain hostnames, host IP addresses, subnet masks, range of IP addresses, and other existing network object groups

• Service object groups: Can contain top-level protocols, such as TCP, UDP, and TCP-UDP; ICMP types; source and destination protocol ports; and other existing service object groups

Page 39: Configuring an Object Group Using CCP

Page 40

Router# config t
Router(config)# object-group network INTERNAL-NETS
Router(config-network-group)# description Subnets inside the

Page 41: Assigning Object Groups to ACLs

Page 42: Using ACLs in IPv6 Environments

Page 43: Using ACLs in IPv6 Environments

IPv6 ACLs can help mitigate the following threats, among others:

• Header extension threats; for instance, amplification attacks based on Routing Header (RH 0)

• Threats based on misuse and abuse of IPv6 ICMP

• Reconnaissance based on multicast IPv6 addresses

• Threats that exploit tunneling solutions such as those used in IPv6 migration environments

Page 44: Examples of IPv6 Potential Attacks

Page 45: Advanced IPv6 ACL

Reflexive ACLs and time-based ACLs are also available in IPv6. An IPv6 ACL can match the following IPv6 headers:

• routing: Matches any route header

• mobility: Matches any mobility header

• dest-option-type: Matches any destination option header

• auth: Matches IPsec’s AH

• undetermined-transport: Matches any packet whose Layer 4 protocol cannot be determined (fragmented or unknown extension header) (available only with the deny command)

Page 46: RFC 4890 ICMP ACL

ipv6 access-list RFC4890
 permit icmp any any echo-reply
 permit icmp any any echo-request
 ! ICMPv6 type 1 (destination unreachable), code 3 (address unreachable) and code 4 (port unreachable)
 permit icmp any any 1 3
 permit icmp any any 1 4
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any mld-query
 permit icmp any any mld-reduction
 permit icmp any any mld-report
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-solicitation

IPv6 ACL Implicit Entries (appended after the last configured ACE):

 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
 ! An explicit "deny ipv6 any any" configured as the last ACE precedes these implicit
 ! entries and therefore also blocks neighbor discovery (nd-na/nd-ns) unless they are
 ! permitted explicitly above it.

Page 47

For additional information, refer to these Cisco.com resources:

“Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events,”

Posted: 30/01/2020, 10:49
