Easy Steps to Cisco Extended Access List

Similar documents
Interested in learning more about security? The OSI Model: An Overview. Copyright SANS Institute Author Retains Full Rights

Implementing Secure Converged Wide Area Networks (ISCW)

Cisco Configuring Commonly Used IP ACLs

Interested in learning more about security? What is Code Red Worm? Copyright SANS Institute Author Retains Full Rights

Firewall Technologies. Access Lists Firewalls

Lab Configure Cisco IOS Firewall CBAC

Chapter 3 Using Access Control Lists (ACLs)

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

The Mechanisms and Effects of the Code Red Worm

CCNA Access List Sim

How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study

FIREWALLS & CBAC. philip.heimer@hh.se

Lab Configure IOS Firewall IDS

Introduction to the Microsoft Windows XP Firewall

Overview. Firewall Security. Perimeter Security Devices. Routers

Firewalls. Chapter 3

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Adding an Extended Access List

Security Awareness Training and Privacy

8 steps to protect your Cisco router

Security and Access Control Lists (ACLs)

Virtual Fragmentation Reassembly

Lab Exercise Configure the PIX Firewall and a Cisco Router

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

- Basic Router Security -

LAB II: Securing The Data Path and Routing Infrastructure

Firewall Stateful Inspection of ICMP

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

NetFlow Subinterface Support

Table of Contents. Configuring IP Access Lists

Access Control Lists: Overview and Guidelines

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

10 Configuring Packet Filtering and Routing Rules

Introduction of Intrusion Detection Systems

co Characterizing and Tracing Packet Floods Using Cisco R

Configuring Network Security with ACLs

Enabling Remote Access to the ACE

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

CSCE 465 Computer & Network Security

A S B

1. Firewall Configuration

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Terminal Server Configuration and Reference Errata

Chapter 8 Security Pt 2

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Firewalls, IDS and IPS

Firewall Firewall August, 2003

Securing Networks with PIX and ASA

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Firewalls (IPTABLES)

Frequent Denial of Service Attacks

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

allow all such packets? While outgoing communications request information from a

Configuring Class Maps and Policy Maps

Guideline on Firewall

SUBNETTING SCENARIO S

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Firewall Stateful Inspection of ICMP

Network Security 1. Module 8 Configure Filtering on a Router

Lab 6.1 Configuring a Cisco IOS Firewall Using SDM

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Security Technology White Paper

Denial Of Service. Types of attacks

Troubleshooting the Firewall Services Module

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 7 Protecting Against Denial of Service Attacks

CCNA Security 1.1 Instructional Resource

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

Strategies to Protect Against Distributed Denial of Service (DD

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing _06_2000_c1_sec3

Objectives. Router as a Computer. Router components and their functions. Router components and their functions

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Firewall Design Principles

CIT 480: Securing Computer Systems. Firewalls

Internet Security Firewalls

Chapter 2 Quality of Service (QoS)

Configuring NetFlow Secure Event Logging (NSEL)

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

Configuring MAC ACLs

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

UNCLASSIFIED. BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23)

Step-by-Step Configuration

Blue Coat Systems. Reference Guide. WCCP Reference Guide. For SGOS 5.3

Transcription:

Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Easy Steps to Cisco Extended Access List The purpose of this document is to explain in simple words how you can easily create an Extended Access List and apply it to your Cisco Router interface. This document is intended for the novice network security personnel who has a basic understanding of networking essentials. Copyright SANS Institute Author Retains Full Rights AD

Easy Steps to Cisco Extended Access List Nancy Navato GSEC Practical Assignment Version 1.2e Introduction The purpose of this document is to explain in simple words how you can easily create an Extended Access List and apply it to your Cisco Router interface. This document is intended for the novice network security personnel who has a basic understanding of networking essentials. For example, you were recently assigned to the network security section and tasked to protect your network by creating an Extended Access-lists to block ports and suspicious Internet Protocol addresses on your router. To begin, you would Key need fingerprint answers = AF19 to the FA27 following 2F94 998D questions: FDB5 DE3D F8B5 06E4 A169 4E46 What is an Extended Access List? What do you include in your Access List? Where do you place the IP Access List? How do you apply the Access List to the Cisco Router? Please note that the extended access-list on your router has limitations, and is one defense layer of the many layers of your Defense in Depth practice of network security. In one of the Sans Security Essentials Chapters, I like the idea of comparing the protection of data to the king within a castle protected by high walls, a massive moat, and many armed guards. Your network security should be the same way, such that if one layer is breached, your attacker still needs to overcome all this other defense layers. What is an Extended Access List? An extended access-list is an ordered list of statements that can deny or permit packets based on source and destination IP address, port numbers and upper-layer protocols. Standard access list can deny or permit packets by source address only and permit or deny entire TCP/IP protocol suite. Therefore by extended, it means greater functionality and flexibility. Extended access list is a good example of packet filtering where the flow of data packets can be controlled in your network. It can filter based on source and destination, specific IP protocol and port number. What do you include in your access list? A good way to start is to gather the IP addresses for your network as well as the port numbers required by your applications. Your security policy would define what services to permit into and out of your network. Once you have a good understanding of what applications Key fingerprint you must = AF19 permit, FA27 the 2F94 next 998D factor FDB5 would DE3D be F8B5 what 06E4 router A169 interface 4E46 you are going to apply the access list and which direction either inbound or outbound.

Note that an access list is an ordered list and therefore the sequence of your statements is crucial. Also, at the end of the list is an implicit deny of everything that is not permitted. The best security practice is to only allow packets that are explicitly permitted and deny everything else. The access list can always be modified to include needed services. The extended access list syntax is described below. Access-list <number 100-199> <permit deny> <protocol> <source> < sourcemask> <operator source port> < destination> <destination-mask> < operator destination port> <options> < log> To understand better, I am going to break down the entries into fields: Access-list is the command use. access list number permit or deny protocol Source source mask. operator source port destination destination mask Extended IP Access List uses a number in the range of 100 to 199. This is a required field. Allow or block traffic. This is a required field. IP, TCP, UDP, ICMP, GRE and IGRP. TCP, UDP and ICMP use IP at the network layer. This is the Source IP address. This is a required field. Wildcard mask; 0 indicate positions that must match, 1s indicate don t care positions (inverted mask). This is a required field. lt, gt, eq, neq (less than, greater than, equal, not equal) and a port number. Destination IP address. Wildcard mask; 0 indicate positions that must match, 1s indicate don t care positions (inverted mask) operator destination port lt, gt, eq, neq (less than, greater than, equal, not equal) and a port number options Key fingerprint = AF19 FA27 2F94 998D Typical FDB5 DE3D is established F8B5 06E4 to A169 see 4E46 if ACK or RST bits is set. Log log to the router s buffer or a syslog server

Where do you place the Extended Access-List? Scenario 1: Your goal is to filter incoming traffic so that users outside your network can access the public web server using port 80. All other incoming traffic is denied. For this example, the Legal IP Address space for your network is 192.168.100.0 and we will use Access List number102 for inbound traffic. Apply Access List close to the source of traffic to be denied to prevent packets from traveling to other routers only to be denied. Figure 1 access-list 102 permit tcp any 192.168.100.100 0.0.0.0 eq 80 [implicit deny ip any any] Figure 2

Scenario 2: Your goal is to filter incoming traffic so that users outside your network can access the public web server in the DMZ. No other services are allowed except access to your E-Mail server with a Legal IP Address space of 192.168.100.200. We are using Access List number102 for inbound traffic. access-list 102 permit tcp any 192.168.100.200 0.0.0.0 eq 25 [implicit deny ip any any] In this scenario, the inbound access-list needs to be placed on E0 so that internet users can access the public web server at the DMZ. How Key do fingerprint you apply = AF19 the access FA27 2F94 list 998D to the FDB5 Cisco DE3D Router? F8B5 06E4 A169 4E46 You can create your access list and download your access list to a TFTP server using a text editor or you can create a regular text and use your computer to cut and paste the access list into the router. You can use the console or telnet to one of the interfaces in your router. Example 1: Applying access list 102 (Inbound) to Serial 0: Router>enable Router# Config term Router(config)# interface serial 0 Router(config-if)# ip access-group 102 in Router(config-if)#exit (Config)#exit Example 2: Applying access list 101 (Outbound) to Ethernet 0: Router# Config term Router(config)# interface Ethernet 0 Router(config-if)# ip access-group 101 out Router(config-if)#exit (Config)#exit {activates privileged mode} {enter global configuration mode} {In for Inbound, Out for Outbound} Example 3: To remove access list from Serial 0 Router> Config term Router(config)# interface Serial 0 Router(config-if)#no ip access-group 101 out Router(config-if)#exit (Config)#exit Some helpful commands to monitor and verify the access list. Show running-config {displays active configuration and presence of access group}

show access-list show access-list 1xx show ip access-list show interface serial 0 no access-list 1xx copy running-config start-up config {displays all access-list} {displays access list 1xx only} {displays IP access-list} {displays info on serial 0 interface) {remove access-list 1xx only} {save the active configuration to NVRAM} Access List Guidelines: 1. Access List numbers indicate which protocol is filtered. Extended IP is from 100-199 2. Only one access list per protocol, per direction, per interface is allowed. Key 3. Top-down fingerprint processing. = AF19 FA27 Most 2F94 restrictive 998D FDB5 statements DE3D F8B5 should 06E4 be A169 at 4E46 the top. 4. At the end of the access list is an implicit deny all. Due to the implicit deny, there should be at least one permit statement on every access list. 5. New Entries are added to the bottom. Any new access list are added to the bottom of the list. If modifications are necessary, delete access list and recreate the entire access list off-line such as with text editor and upload any changes from TFTP server or Cut and Paste from a computer. 6. Create access list before applying it to the interface. 7. Access lists only filter traffic going through the router. It does not apply to traffic originated from the router. Protecting your Network with Extended Access List 1. Anti-Spoofing and Filtering: 1.1 Egress Filtering. To prevent your network from being used in spoofed Denial of Service (DOS), apply Egress Filtering at enclave (base, post, camp, station) borders. Allow only valid IP address to exit your network. The access list needs to be placed outbound on the Interface connecting to the Internet. access-list 1xx permit ip <Network-Base-Address> <Hostmask> any access-list 1xx deny ip any any log {log spoofing attempts} 1.2 Ingress Filtering. Accept incoming traffic only if it comes from authorized sources. Configure Remote Access Servers to allow only valid source IP addresses. Ensure that filters are in place to prevent spoofing of dial-up connections. 1.3 Filter incoming traffic from private addresses. Apply inbound access list at the enclave level. access-list 1xx deny ip 0.0.0.0 0.255.255.255 any {historical broadcast} access-list Key fingerprint 1xx deny = AF19 ip 10.0.0.0 FA27 2F94 0.255.255.255 998D FDB5 DE3D F8B5 any 06E4 {private A169 network} 4E46 access-list 1xx deny ip 127.0.0.0 0.255.255.255 any {loopback} access-list 1xx deny ip 169.254.0.0 0.0.255.255 any {link local networks} access-list 1xx deny ip 172.16.0.0 15.0.255.255 any {private networks}

access-list 1xx deny ip 192.0.2.0 0.0.0.255 any {link local networks} access-list 1xx deny ip 192.168.0.0 0.0.255.255 any {private networks} access-list 1xx deny ip 224.0.0.0 15.255.255.255 any {class D multicast} access-list 1xx deny ip 240.0.0.0 7.255.255.255 any {class E multicast} access-list 1xx deny ip 248.0.0.0 7.255.255.255 any {unallocated} access-list 1xx deny ip 255.255.255.2550.0.0.0 any {broadcast} 2. Block well-known Distributed Denial Of Service (DDOS) ports: 2.1 Serbian badman/backdoor.subseven21 (6669/tcp, 2222/tcp, 7000/tcp) 2.2 Subseven (16959/tcp, 27374/tcp, 6711/tcp, 6712/tcp, 6776/tcp) 2.3 Stacheldrant (16660/tcp, 65000/tcp) 2.4 Key Trinoo fingerprint communication = AF19 FA27 ports 2F94 (27665/tcp, 998D FDB5 31335/udp DE3D F8B5 and 06E4 27444/udp) A169 4E46 2.5 Trinity v 3 (33270/tcp, 39168/tcp) Example of inbound access list: access-list 1xx deny tcp any any eq 16959 access-list 1xx deny udp any any eq 27444 3. Block well-knows ICMP exploits: 3.1 Block incoming ICMP echo request (ICMP type 8). This will prevent ping attacks which can crash some systems. It will also prevent outsiders from mapping systems inside your network. Apply this filter on the external router interface to the internet. access-list 1xx deny icmp any any echo-request 3.2 Block outgoing ICMP echo-replies (ICMP type 0). Echo Reply is used by ping. Prevent echo-reply traffic to anyone, especially in response to malicious programs that uses ICMP echo-replies. Apply this filter outbound. access-list 1xx deny icmp any any echo-reply 3.3 Block outgoing ICMP time-exceeded (ICMP type 11). Prevent outsiders from mapping your network. access-list 1xx deny icmp any any time exceeded 3.3 Block outgoing ICMP destination unreachable messages (ICMP type 3 except packet too big messages type 3, code 4). Prevent outsiders from finding out which are valid IP addresses in your network. Since packet-too-big is also ICMP type 3, permitting packet-too-big before denying host unreachable will allow the router to send information to the host that the packets are too large. access-list 1xx permit icmp any any packet-too-big access-list 1xx deny icmp any any host-unreachable

4.0 Let your security policy be your guide. If chat is not allowed, block some of the known chat ports at the network enclave level. Such as: IRC ports 6660 6669/tcp, ICQ ports 1027/tcp, 1029/tcp, 1032/tcp, AIM, 5190/tcp. access-list 1xx deny tcp any any eq 6660 access-list 1xx deny tcp any any eq 1027 access-list 1xx deny tcp any any eq 5190 4.1 If there is no need for echo (7 tcp/udp) and chargen (19 tcp/udp) services, deny these ports on the access-list. Limitations of Extended Access List: 1. Extended access-list examines each packet as a stand-alone entity and cannot determine if the packet is part of an existing conversation through the use of the established keyword. Established is only useful for TCP and not UDP. 2. Extended access list has limited capability of examining information in the layer 4 headers. 3. Human Errors when creating access list can lead to security holes. 3.1 Failure to create and add access list entries in the correct sequence. 3.2 Failure to apply the access list to an interface in the correct direction. 3.3 Failure to apply the access list to an interface. Summary. In this document, we learned about how we can protect our networks using an extended access list. When creating and applying access list always consider the potential effects before implementing it. Monitor the CPU and Memory usage of the router before and after applying the access list. After applying the access list on the router, recommend reviewing the access list you just applied by doing a show access-list. Before denying a recommended port block, monitor the port in your Intrusion Detection System at the DMZ to ensure that the port is not use by legitimate services. Permitting only allowed services and denying all others will be better practice for network security. Recommend frequently visiting security websites, such as the Carnegie Mellon Software Engineering Institute (CERT) at www.cert.org and most notably the System Administration, Networking and Security Institute (SANS) at http://www.sans.org which has a plethora of valuable and much needed information on how to secure your network. Routers can be an effective means to filter traffic when used in a layered approach with other network security devices such as the firewall, anti-virus protection, network based and host based intrusion detection system. As always, Defense in Depth is the best approach to network security. References:

How To Eliminate The Ten Most Critical Internet Security Threats, The Experts Consensus. Version 1.33. 25 June 2001. URL: http://www.sans.org/topten.htm (29 Jun 2001). Increased SubSeven Activity. 26 Jun 2001. URL: http://www.cert.org/current/current_activity.html#subseven (29 Jun 01) Advisory 01-014 New Scanning Activity (with W32-Leaves.worm) Exploiting SubSeven Victims. 23 Jun 2001. URL:http://www.nipc.gov/warnings/advisories/2001/01-014.htm (29 Jun 01) Consensus Roadmap for Defeating Distributed Denial of Service Attacks. A Project of the Key Partnership fingerprint for = Critical AF19 FA27 Infrastructure 2F94 998D Security. FDB5 DE3D Version F8B5 1.10. 06E423 A169 Feb 4E46 2000. URL: http://www.sans.org/ddos_roadmap.htm (24 Jun 2001). Winters, Scott. Top Ten Blocking Recommendations Using Cisco ACLs. Securing the Perimeter with CISCO IOS 12 Routers. 15 AUG 2000. URL: http://www.sans.org/infosecfaq/firewall/blocking_cisco.htm (25 Jun 2001) Benton, Chris. Poor Man s NT Auditing. Verifying That Your Systems Remain Secure With Cheap Tools. SANS Security Essentials Online Course. 9 Feb 2001. 5-51 Held, Gil and Hundley, Kent. Cisco Security Architecture. McGraw-Hill, 1999. 119 171 Interconnecting Cisco Devices, Revision 1.0a: Student Guide. CISCO Systems, 2000. 4-73, 10-3 10-36 Lindsay, Paul. Cisco Reflexive Access Lists. 10 MAY 2001. URL: http://www.sans.org/infosecfaq/firewall/reflex.htm (25 Jun 2001) Benton, Chris. Setting router filters to prevent spoofing examples for Cisco Routers and Check Point FW-1. SANS Flash Advisory Supplement. 1999-2000. URL: http://www.sans.org/newlook/resources/router_filters.htm (25 Jun 2001) Cisco Anti-Spoof Egress Filtering. Revision 1.26. 23 Mar 2000. URL: http://www.sans.org/dosstep/cisco_spoof.htm (25 Jun 2001) Benton, Chris. What is Egress Filtering and How can I Implement It? Egress Filtering v 0.2. 29 Feb 2000. URL:http://www.sans.org/infosecFAQ/firewall/egress.htm (25 Jun 2001)

Last Updated: August 22nd, 2016 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Adelaide 2016 Adelaide, AU Sep 05, 2016 - Sep 10, 2016 Live Event SANS Northern Virginia - Crystal City 2016 Crystal City, VAUS Sep 06, 2016 - Sep 11, 2016 Live Event SANS Network Security 2016 Las Vegas, NVUS Sep 10, 2016 - Sep 19, 2016 Live Event SANS London Autumn London, GB Sep 19, 2016 - Sep 24, 2016 Live Event SANS ICS London 2016 London, GB Sep 19, 2016 - Sep 25, 2016 Live Event MGT517 - Managing Security Ops San Diego, CAUS Sep 26, 2016 - Sep 30, 2016 Live Event Security Leadership Summit Dallas, TXUS Sep 27, 2016 - Oct 04, 2016 Live Event SANS Seattle 2016 Seattle, WAUS Oct 03, 2016 - Oct 08, 2016 Live Event SANS Oslo 2016 Oslo, NO Oct 03, 2016 - Oct 08, 2016 Live Event SANS DFIR Prague 2016 Prague, CZ Oct 03, 2016 - Oct 15, 2016 Live Event SANS Baltimore 2016 Baltimore, MDUS Oct 10, 2016 - Oct 15, 2016 Live Event SANS Tokyo Autumn 2016 Tokyo, JP Oct 17, 2016 - Oct 29, 2016 Live Event SANS Tysons Corner 2016 Tysons Corner, VAUS Oct 22, 2016 - Oct 29, 2016 Live Event SANS San Diego 2016 San Diego, CAUS Oct 23, 2016 - Oct 28, 2016 Live Event SANS FOR508 Hamburg in German Hamburg, DE Oct 24, 2016 - Oct 29, 2016 Live Event SOS SANS October Singapore 2016 Singapore, SG Oct 24, 2016 - Nov 06, 2016 Live Event SANS Munich Autumn 2016 Munich, DE Oct 24, 2016 - Oct 29, 2016 Live Event Pen Test HackFest Summit & Training Crystal City, VAUS Nov 02, 2016 - Nov 09, 2016 Live Event SANS Sydney 2016 Sydney, AU Nov 03, 2016 - Nov 19, 2016 Live Event SANS Gulf Region 2016 Dubai, AE Nov 05, 2016 - Nov 17, 2016 Live Event SANS Miami 2016 Miami, FLUS Nov 07, 2016 - Nov 12, 2016 Live Event European Security Awareness Summit London, GB Nov 09, 2016 - Nov 11, 2016 Live Event SANS London 2016 London, GB Nov 12, 2016 - Nov 21, 2016 Live Event Healthcare CyberSecurity Summit & Training Houston, TXUS Nov 14, 2016 - Nov 21, 2016 Live Event SANS Brussels Autumn 2016 OnlineBE Sep 05, 2016 - Sep 10, 2016 Live Event SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information