Security and Access Control Lists (ACLs)

Similar documents

CISCO IOS NETWORK SECURITY (IINS)

Lab Configure IOS Firewall IDS

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

8 steps to protect your Cisco router

Lab Developing ACLs to Implement Firewall Rule Sets

Adding an Extended Access List

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

FIREWALLS & CBAC. philip.heimer@hh.se

CCNA Security v1.0 Scope and Sequence

SUBNETTING SCENARIO S

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

CTS2134 Introduction to Networking. Module Network Security

Training Course on Network Administration

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Lab Configuring Access Policies and DMZ Settings

Introduction of Intrusion Detection Systems

- Introduction to PIX/ASA Firewalls -

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Cisco Firewall Technology

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

8. Firewall Design & Implementation

CONFIGURING TCP/IP ADDRESSING AND SECURITY

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Intro to Firewalls. Summary

Implementing Secure Converged Wide Area Networks (ISCW)

CCNA Access List Sim

Chapter 11 Cloud Application Development

Access Control Lists: Overview and Guidelines

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Cisco Advanced Services for Network Security

CCNA Security v1.0 Scope and Sequence

Lab Configure Cisco IOS Firewall CBAC

INTRODUCTION TO FIREWALL SECURITY

Strategies to Protect Against Distributed Denial of Service (DD

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

How To Understand And Understand Cisco Security Specialist (For A Non-Profit)

Connecticut Justice Information System Security Compliance Assessment Form

Chapter 9 Firewalls and Intrusion Prevention Systems

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Cisco Certified Security Professional (CCSP)

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Cisco Configuring Commonly Used IP ACLs

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Deploying Firewalls Throughout Your Organization

Table of Contents. Configuring IP Access Lists

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

How To Secure Network Threads, Network Security, And The Universal Security Model

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Lab Configuring Access Policies and DMZ Settings

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

Computer Security: Principles and Practice

Lecture 23: Firewalls

THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security ( )

Computer Security DD2395

Lab Characterizing Network Applications

Architecture Overview

Interconnecting Cisco Network Devices 1 Course, Class Outline

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

NATed Network Testing IxChariot

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Cisco IPS Tuning Overview

CSCE 465 Computer & Network Security

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

PART D NETWORK SERVICES

Testing Network Security Using OPNET

Lab 2 - Basic Router Configuration

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

ICND IOS CLI Study Guide (CCENT)

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Network Incident Report

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Security Toolsets for ISP Defense

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

Firewalls Overview and Best Practices. White Paper

Lab Organizing CCENT Objectives by OSI Layer

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Security: Introduction

IP Telephony Management

Transcription:

Security and Access Control Lists (ACLs) Malin Bornhager Halmstad University Session Number 2002, Svenska-CNAP Halmstad University 1

Objectives Security Threats Access Control List Fundamentals Access Control Lists (ACLs) Configuration 2

Why is network security important? Networks have grown in both size and importance Loss of privacy, theft of information, legal liability The types of potential threats to network security are always evolving 3

Common Security Threats Three common factors in network security: Vulnerability Degree of weakness in routers, switches, desktops, servers, and security devices Technological, configuration and security policy weaknesses Threat People interested and qualified in taking advantage of each weakness Attack 4

Types of Network Attacks Reconnaissance Unauthorized discovery and mapping of systems, services or vulnerabilities Access Gain access to a device Denial of Service (DoS) Disables or corrupts networks Worms, viruses and Trojan horses Damage or corrupt a system 5

Host and Server Based Security Antivirus software Personal firewalls OS patches Intrusion Detection Systems (IDS) can detect attacks against a network and send logs to a management console Intrusion Prevention Systems (IPS) can prevent attacks from being executed 6

Router Security Manage router security Secure remote access Logging router activity Secure vulnerable router services and interfaces Secure routing protocols Control and filter network traffic SDM can be used to configure security features on Cisco IOS based routers 7

Security Device Manager - SDM Cisco Router and Security Device Manager that simplifies router and security configuration Easy-to-use, web-based devicemanagement tool Automatic router security management Supports a wide range of Cisco IOS software releases 8

What are ACLs? ACLs are lists of instructions you apply to a router's interface to tell the router what kinds of packets to accept and what kinds to deny. 9

Introduction to ACLs Lists of conditions Filter network traffic Accept or Deny Secure access to and from a network 10

Introduction to ACLs Per protocol IP IPX AppleTalk Per direction In Out Per port 11

Example 12

ACLs can be used to: Limit network traffic and increase network performance Provide traffic flow control (restrict routing updates) Basic level of security for network access Traffic types forwarded or blocked Control access to areas Permit or deny host access to network segment 13

How ACLs Work 14

Protocols with ACLs Specified by Numbers 15

The Function of a Wildcard Mask 16

Standard ACLs 17

Extended ACLs 18

Named ACLs 19

Placing ACLs Standard ACLs should be placed close to the destination. Extended ACLs should be placed close to the source. 20

Creating ACLs 21

Verifying ACLs There are many show commands that will verify the content and placement of ACLs on the router. show ip interface show access-lists Show running-config 22

Restricting Virtual Terminal Access 23

Example 172.16.20.0/24 172.16.40.0/24 s0 s0 s1 s0 RouterA.1.2 RouterB.1.2 RouterC.1 e0.1 e0.1 e0 Administration Sales Engineering 172.16.10.3/24 172.16.30.3/24 172.16.50.3/24 172.16.10.2/24 Port 80 172.16.30.2/24 172.16.50.2/24 Task What if we want to deny only the Engineering workstation 172.16.50.2 to be able to access the web server in Administrative network with the IP address 172.16.10.2 and port address 80. All other traffic is permitted. 24

Example 172.16.20.0/24 172.16.40.0/24 s0 s0 s1 s0 RouterA.1.2 RouterB.1.2 RouterC.1 e0.1 e0.1 e0 Administration Sales Engineering 172.16.10.2/24 Port 80 172.16.10.3/24 RouterC(config)#access-list 110 deny tcp host 172.16.50.2 host 172.16.10.2 eq 80 RouterC(config)#permit any any RouterC(config)#interface e 0 172.16.30.2/24 172.16.30.3/24 RouterC(config-if)#ip access-group 110 in 172.16.50.2/24 172.16.50.3/24 Why is better to place the ACL on RouterC instead of RouterA? Why is the e0 interface used instead of s0 on RouterC? 25

Summary List of permit and deny statements Order of statements important Placement of ACLs important 32-bit wildcard mask Standard ACLs check the source Extended ACLs provides a greater range of control 26