
Chapter 8 access control lists for threat mitigation


DOCUMENT INFORMATION

Basic information

Title: Access Control Lists for Threat Mitigation
Institution: Cisco
Type: essay
Year published: 2012
Format:
Pages: 48
Size: 3.34 MB


Page 1

Access Control Lists for Threat Mitigation

© 2012 Cisco and/or its affiliates. All rights reserved.

Page 2

Outline

• Lists the benefits of ACLs
• Describes the building blocks and operational framework of ACLs
• Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments
• Lists design considerations when deploying ACLs
• Demonstrates the use of Cisco Configuration Professional and the CLI to deploy and verify a threat containment strategy using ACLs
• Demonstrates the use of Cisco Configuration Professional and the CLI to correlate ACL log and alarm information in order to monitor their impact and effectiveness
• Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control
• Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences with IPv4 ACLs

Page 3

ACL Fundamentals

• ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world.
• ACLs filter network traffic in both directions by controlling whether to forward or block packets at the router interfaces, based on the criteria that you specify within the ACLs.
• ACL criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

Page 4

Filtering Host B Traffic Ingress Using an ACL

Host A to access the Human Resources network but prevents Host B from accessing the Human Resources network

Page 5

Using ACLs to Mitigate Many Threats

• IP address spoofing (inbound)
• IP address spoofing (outbound)
• DoS TCP SYN attacks (blocking external attacks)
• DoS TCP SYN attacks (using TCP intercept)
• DoS Smurf attacks
• Filtering ICMP messages (inbound)
• Filtering ICMP messages (outbound)
• Filtering traceroute

Page 6

ACL Operation

ACLs operate in two ways:

• Inbound: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing.
• Outbound: Packets arriving on the inside interface are routed to the outbound interface, and then they are processed through the outbound ACL.

Page 7

Outbound ACL Operation

Page 8

Top-Down Process of Tests: Deny or Permit

Page 9

Types of IP ACLs

Cisco routers support two types of IP ACLs:

• Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed. The result either permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.
• Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.

The two general methods you can use to create ACLs are as follows:

• Numbered ACLs: Use a number for identification.
• Named ACLs: Use an alphanumeric string for identification.

Page 10

ACL Wildcard Bits

• Wildcard mask bit 0: Match the corresponding bit value in the address.
• Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.

Page 11

Example: Wildcard Masking Process for IP Subnets

Wildcard Bits to Match IP Subnets 172.30.16.0 to 172.30.31.0

Router(config)# access-list 1 deny 172.30.16.0 0.0.15.255

Page 12

Example: Wildcard Masking Process with a Single IP Address and with a Match Any IP Address

Wildcard Masking Process with a Single IP Address

Router(config)# access-list 2 permit 172.30.16.29 0.0.0.0
• Equivalent: Router(config)# access-list 2 permit host 172.30.16.29

With a Match Any IP Address

Router(config)# access-list 2 permit 0.0.0.0 255.255.255.255
• Equivalent: Router(config)# access-list 2 permit any

Page 13

Numbered Standard ACL Configuration Procedure

Page 14

Example: Numbered Standard IPv4 ACL—Deny a Specific Subnet

r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
r1(config)# access-list 1 permit any
(implicit deny all = access-list 1 deny 0.0.0.0 255.255.255.255)
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 1 out

Page 15

Router(config-line)# access-class access-list-number {in | out}

Page 16

Numbered Extended IPv4 ACL

Well-Known Port Numbers and IP Protocols

Page 17

Command for a Numbered Extended ACL

Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Router(config-if)# ip access-group access-list-number {in | out}

Page 18

Numbered Extended IPv4 ACL Example

r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
r1(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 101 out
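To make the wildcard-bit rule (pages 10 and 11), the top-down first-match test and the implicit deny at the end of every ACL concrete, here is an added Python model written for this page; it is example code, not Cisco's implementation. The ACE fields, the packet dictionary and the sample host addresses are assumptions; the ACL mirrors access-list 101 from the slide above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: mask bit 0 = must match, mask bit 1 = ignore."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF               # bits that must be equal
    return (a & care) == (b & care)

@dataclass
class ACE:
    action: str                          # "permit" or "deny"
    proto: str = "ip"                    # "ip" matches any protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"      # 0.0.0.0 255.255.255.255 == "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None          # "eq <port>" on the destination

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))

def evaluate(acl: list, pkt: dict) -> str:
    """Top-down test: the first matching ACE decides; no match hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"                        # implicit 'deny ip any any' at the end

# Constructed ACL mirroring the slide's access-list 101: block FTP control (21)
# and data (20) from 172.16.4.0/24 to 172.16.3.0/24, then permit everything else.
ACL_101 = [
    ACE("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", 21),
    ACE("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", 20),
    ACE("permit"),                       # permit ip any any
]

if __name__ == "__main__":
    ftp = {"proto": "tcp", "src": "172.16.4.7", "dst": "172.16.3.9", "dport": 21}
    web = {"proto": "tcp", "src": "172.16.4.7", "dst": "172.16.3.9", "dport": 80}
    print(evaluate(ACL_101, ftp), evaluate(ACL_101, web))
```

The wildcard check also reproduces the page 11 entry: 0.0.15.255 on 172.30.16.0 covers 172.30.16.0 through 172.30.31.255 and nothing outside it.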

Page 19

Router(config)# access-list 102 permit tcp any

Page 20

Enhancing ACLs with Object Groups

The benefits of using Object Groups for ACL include the following:

• Increased performance when network traffic is heavy
• Reduced storage in NVRAM compared to conventional ACLs
• Separate ownership of the components of an ACE. For example, you can create an ACE where each department within an organization can control its group membership. You can also create an ACE to permit or deny the departments to contact each other.
• Allows you to create an object group that contains other object groups. For example, you can create an ENG-ALL address group, which contains the ENG-EAST and ENG-WEST address groups.

Page 21

Example of an ACL Without Object Group

access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq www
access-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq ftp
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq www
access-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq ftp

Page 22

Example of an ACL Using Object Groups

object-group network SOURCES
access-list 100 deny object-group APPLICATIONS object-group SOURCES object-group DESTINATIONS
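To show what the single object-group ACE on this page stands for, and why the nested-group benefit from page 20 (an ENG-ALL group containing ENG-EAST and ENG-WEST) matters, here is an added Python expander written for this page; it is example code, not Cisco's implementation. The group contents are constructed to reproduce the eight conventional lines of page 21, the "group:" member prefix for nesting is an assumption, and the cycle check is added because a group that contains itself can never be flattened.

```python
from itertools import product

# Constructed object groups (hypothetical contents chosen to mirror pages 21 and 22).
# A member written as "group:NAME" nests another group, like ENG-ALL on page 20.
NETWORK_GROUPS = {
    "ENG-EAST": ["10.6.252.65"],
    "ENG-WEST": ["10.6.252.66"],
    "SOURCES": ["group:ENG-EAST", "group:ENG-WEST"],   # nested network group
    "DESTINATIONS": ["171.8.2.12", "171.8.2.13"],
}
SERVICE_GROUPS = {
    "APPLICATIONS": [("tcp", "www"), ("tcp", "ftp")],  # protocol, destination port
}

def resolve(name: str, groups: dict, seen=None) -> list:
    """Flatten a (possibly nested) object group into its leaf members.

    Refuses cycles (A contains B contains A), which would otherwise recurse forever."""
    if seen is None:
        seen = set()
    if name in seen:
        raise ValueError(f"cyclic object-group reference: {name}")
    members = []
    for m in groups[name]:
        if isinstance(m, str) and m.startswith("group:"):
            members.extend(resolve(m[len("group:"):], groups, seen | {name}))
        else:
            members.append(m)
    return members

def expand_object_group_ace(acl_number: int, action: str,
                            app_group: str, src_group: str, dst_group: str) -> list:
    """Return the conventional ACEs that one object-group ACE logically covers.

    The count is sources x destinations x applications, which is why the
    object-group form stays one line while the expanded form grows."""
    apps = resolve(app_group, SERVICE_GROUPS)
    srcs = resolve(src_group, NETWORK_GROUPS)
    dsts = resolve(dst_group, NETWORK_GROUPS)
    return [f"access-list {acl_number} {action} {proto} host {s} host {d} eq {port}"
            for s, d, (proto, port) in product(srcs, dsts, apps)]

if __name__ == "__main__":
    for line in expand_object_group_ace(100, "deny", "APPLICATIONS", "SOURCES", "DESTINATIONS"):
        print(line)
```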

Page 23

The following components can be modularized in network object groups:

• Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (specified using the any command)

Page 24

Service Object Groups

The following components can be modularized in service object groups:

• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])
• ICMP types (such as echo, echo-reply, or host-unreachable)
• Top-level protocols (such as TCP, UDP, or Encapsulating Security Payload [ESP])
• Other service object groups

Page 25

ACL Considerations

Before you start to develop any ACLs, consider the following basic rules:

• Base your ACLs on your security policy
• Write it out
• Set up a development system
• Access list comments
• Test

Page 26

ACL Considerations

You should consider several caveats when working with ACLs:

• ACLs by themselves are stateless
• Only one ACL per interface, per protocol stack, per direction
• Implicit deny all
• Standard ACL limitation
• Order of specific statements
• Directional filtering
• Modifying ACLs
• Special packets
• Extended ACL placement
• Standard ACL placement

Page 27

Configuring ACLs for Threat Control Using Cisco Configuration Professional

Rules that can be created using CCP include the following:

• Externally defined rules

Page 28

Working with ACLs in CCP

CCP ACL Summary

Page 29

ACL Configuration Scenario Using CCP

The configuration steps are as follows:

Step 1: Configure the ACL
Step 2: Apply the ACL to interfaces
Step 3: Verify and monitor the ACL

Page 30

ACL Editor

Page 31

Adding Rules

Page 32

Adding an Extended Rule

Page 33

Associating Rules with Interfaces

Page 34

Enabling Logging with CCP

Selecting ACEs that Will Generate Log Entries

Page 35

Monitoring ACLs with CCP

Page 36

Logged ACE Generated by the Firewall Entry

Page 37

Configuring an Object Group with CCP

Page 38

Object Group

You can create two types of ACL object groups:

• Network object groups: Can contain hostnames, host IP addresses, subnet masks, range of IP addresses, and other existing network object groups
• Service object groups: Can contain top-level protocols, such as TCP, UDP, and TCP-UDP; ICMP types; source and destination protocol ports; and other existing service object groups

Page 39

Configuring an Object Group Using CCP

Page 40

Router# config t
Router(config)# object-group network INTERNAL-NETS
Router(config-network-group)# description Subnets inside the

Page 41

Assigning Object Groups to ACLs

Page 42

Using ACLs in IPv6 Environments

Page 43

Using ACLs in IPv6 Environments

IPv6 ACLs can help mitigate the following threats, among others:

• Header extension threats; for instance, amplification attacks based on Routing Header (RH 0)
• Threats based on misuse and abuse of IPv6 ICMP
• Reconnaissance based on multicast IPv6 addresses
• Threats that exploit tunneling solutions such as those used in IPv6 migration environments

Page 44

Examples of IPv6 Potential Attacks

Page 45

Advanced IPv6 ACL

Reflexive ACLs and time-based ACLs are also available in IPv6. An IPv6 ACL can match the following IPv6 headers:

• routing: Matches any routing header
• mobility: Matches any mobility header
• dest-option-type: Matches any destination option header
• auth: Matches IPsec's AH
• undetermined-transport: Matches any packet whose Layer 4 protocol cannot be determined (fragmented or unknown extension header) (available only with the deny command)

Page 46

RFC 4890 ICMP ACL

ipv6 access-list RFC4890
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit icmp any any 1 3
 permit icmp any any 1 4
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any mld-query
 permit icmp any any mld-reduction
 permit icmp any any mld-report
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-solicitation

IPv6 ACL Implicit Entries

 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any

Page 47

References

For additional information, refer to these Cisco.com resources:

“Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events,” http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html

“IP Access List Entry Sequence Numbering,” http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html

“Understanding Access Control List Logging,” http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Posted on: 08/08/2021, 20:36
