Deploying ACLs to Manage Network Security



Similar documents
How Are PowerConnect ACLs Different From Cisco ACLs?

Can PowerConnect Switches Be Used in IP Multicast Networks?

What is VLAN Routing?

How Much Broadcast and Multicast Traffic Should I Allow in My Network?

How Do I Upgrade Firmware and Save Configurations on PowerConnect Switches?

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Can PowerConnect Switches Be Used in VoIP Deployments?

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

Testing Network Security Using OPNET

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

Firewall Defaults and Some Basic Rules

Configuring Class Maps and Policy Maps

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Configuring RADIUS Server Support for Switch Services

FIREWALLS & CBAC. philip.heimer@hh.se

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003

VLAN Interoperability

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Knowledgebase Solution

Configuring Network Address Translation

Firewall Firewall August, 2003

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Cisco Configuring Commonly Used IP ACLs

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway

Chapter 11 Cloud Application Development

EXPLORER. TFT Filter CONFIGURATION

Set Up a VM-Series Firewall on the Citrix SDX Server

Lab Developing ACLs to Implement Firewall Rule Sets

Barracuda Link Balancer

> Technical Configuration Guide for Microsoft Network Load Balancing. Ethernet Switch and Ethernet Routing Switch Engineering

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

SIP Trunking Configuration with

Basic Network Configuration

Ranch Networks for Hosted Data Centers

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Technical Note. ForeScout CounterACT: Virtual Firewall

CTS2134 Introduction to Networking. Module Network Security

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Brocade Certified Layer 4-7 Professional Version: Demo. Page <<1/8>>

Configuring Network Address Translation (NAT)

Barracuda Link Balancer Administrator s Guide

VOICE VLAN SUPPORT IN THE DELL POWERCONNECT 6200

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

Chapter 3 Using Access Control Lists (ACLs)

INTRODUCTION TO FIREWALL SECURITY

Chapter 4: Security of the architecture, and lower layer security (network security) 1

IBM. Vulnerability scanning and best practices

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Lucent VPN Firewall Security in x Wireless Networks

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

2. Are explicit proxy connections also affected by the ARM config?

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Fig : Packet Filtering

Using Ranch Networks for Internal LAN Security

Blue Coat Security First Steps Transparent Proxy Deployments

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

IP SAN Best Practices

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Cork Institute of Technology Master of Science in Computing in Education National Framework of Qualifications Level 9

Executive Summary and Purpose

DeltaV System Health Monitoring Networking and Security

Lab Configure IOS Firewall IDS

Networking Security IP packet security

Configuring IP Load Sharing in AOS Quick Configuration Guide

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Deploying Virtual Cyberoam Appliance in the Amazon Cloud Version 10

Load Balancing 101: Firewall Sandwiches

Multi-Homing Dual WAN Firewall Router

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

Linux MPS Firewall Supplement

- Introduction to PIX/ASA Firewalls -

Firewalls. Chapter 3

A Network Design Primer

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Borderware Firewall Server Version 7.1. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

FSM73xx GSM73xx GMS72xxR Shared access to the Internet across Multiple routing VLANs using a Prosafe Firewall

12. Firewalls Content

Overview of WebMux Load Balancer and Live Communications Server 2005

Chapter 15. Firewalls, IDS and IPS

How to Painlessly Audit Your Firewalls

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Avaya G700 Media Gateway Security - Issue 1.0

The Bomgar Appliance in the Network

Web Application Firewall

Hardening Guide. Installation Guide

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG5 How-To Guide. Network Address Translation. July 2011 Revision 1.0

Chapter 11 Network Address Translation

NETASQ MIGRATING FROM V8 TO V9

Transcription:

PowerConnect Application Note #3 November 2003 Deploying ACLs to Manage Network Security This Application Note relates to the following Dell PowerConnect products: PowerConnect 33xx Abstract With new system and network vulnerabilities being exposed daily, it is essential for network administrators to develop security policies to protect corporate assets. Dell PowerConnect switches offer flexible access control functions that implement comprehensive security policies. This document explains how to use access control lists (ACLs) to protect various infrastructure elements, including network segments (both physical and logical), network nodes, and applications. Applicable Network Scenarios ACLs enhance network and system security by filtering traffic on a per-interface and per-resource basis. Interfaces can include physical Ethernet ports, link aggregation groups (LAGs), and virtual local area networks (VLANs). Resources include network-layer protocols such as IP and GRE, as well as the TCP and UDP ports used by applications. Networks and hosts are substantially more secure with ACLs in place. The following two scenarios offer cases in point. Scenario 1: The diagram below depicts a simple network consisting of a single VLAN with no access controls in place to filter out unwanted traffic, such as peer-to-peer file sharing. Internet File sharing traffic on port 1214 Router VLAN 102 192.168.1.0/24 VLAN 102 192.168.1.0/24 PowerConnect 3324 PowerConnect 3324 www.dell.com/networking 1

IDC IDC PowerConnect Application Note #3: Deploying ACLs to Managed Network Security With no access controls to block peer to peer traffic, users may overload the network with such traffic. Further, management may be at legal risk if users engage in illegal file sharing. Scenario 2: The diagram below depicts an enterprise network comprising various segments, systems, and applications, none of which are currently protected by access controls: Management VLAN 101 Public services VLAN 102 Auth server Auth server FTP DNS 10.10.0.0/28 192.168.1.0/26 IMAP SMTP PowerConnect 3324 PowerConnect 3324 Production Web cluster VLAN 103 Virtual IP: 172.16.0.20 Network attached storage VLAN 104 WWW Data 172.16.0.40 172.16.0.18 172.16.1.0/24 LAG:172.16.0.30 10.2.2.0/27 WWW Data 172.16.0.19 VLAN 101 provides authentication servers that validate access to network devices and nodes. There are no filters in place to discriminate between traffic sourced from the authentication servers and other traffic. VLAN 102 provides public services to the Internet, yet there are no filters to protect it from attack. VLAN 103 provides connectivity to a web cluster with a MySQL database and an NFS fileserver. No filters control access to the fileserver or database, leaving them wide open to the rest of the network, including the public services segment. VLAN 104 contains network-attached storage (NAS) devices. These systems store sensitive client and enterprise data, but there are no security policies to protect them from the outside world or other internal segments. www.dell.com/networking 2

Hosts and applications on all four VLANs are vulnerable. Fortunately, ACLs can help enforce a security policy by blocking unwanted traffic. Technology Background ACLs provide a logical, intuitive mechanism for defining security policies by grouping various access control entries (ACEs) together to form a set of rules. A switch processes ACEs in the order they are defined. Thus, a switch compares a frame entering an interface or VLAN against the first ACE defined in an ACL. If the frame matches the criteria of the first ACE, then the switch applies the specified action to the frame. Otherwise, the switch continues to compare the frame to subsequent ACEs. Since switches process ACEs in order, the most commonly matched conditions should be listed first to minimize processing time. If there is no match in any of the ACEs, the switch will discard the frame. This is considered sound security practice. As a rule, ACLs will block access for all traffic except that for which access is explicitly permitted. Configurable ACE actions include permit, meaning the switch will forward a frame, and deny, meaning the switch will discard a frame. Network managers also can use the disable-port option with the deny action to disable the interface and trigger an SNMP trap notification. The switch will send a trap message after receiving traffic that matches the ACL. ACLs may be bound to physical interfaces, link aggregation groups (LAGs), and VLANs. Individual ACEs can match against a variety of criteria, including VLAN ID, IP address, source and destination TCP port, and source and destination UDP port. Where quality of service (QOS) enforcement is a consideration, ACEs also can also be mapped to a given diff-serv code point (DSCP) or IP precedence value. Here is an example of an interface ACL: console# configure console(config)# int ethernet 1/e12 console(config-if)# service-acl input mysql_access The sequence above creates an ACL called mysql_access for inbound traffic on interface 1/e12. Here is an example of a LAG ACL: console# configure console(config)# int port-channel 1 console(config-if)# service-acl input lag_1 The sequence above creates an ACL called lag_1 for inbound traffic on LAG 1 (port-channel 1). Here is an example of a VLAN ACL: console# configure console(config)# int vlan 104 console(config-if)# service-acl input vlan_104 The sequence above creates an ACL called vlan_104 for inbound traffic on VLAN 104. It is important to note that ACLs are just one among several defense mechanisms in the security arsenal, including firewalls, virtual private network (VPN) gateways, intrusion detection systems (IDSs), and www.dell.com/networking 3

others. All these tools have their place. ACLs are an important member of this arsenal because of their ability to keep suspicious traffic from entering the network to begin with. Proposed Solution Overview Scenario 1: An ACL can be deployed to block peer to peer traffic but permit other traffic. The following steps can be taken to eliminate peer to peer traffic from the network in Scenario 1. 1. Build ACL that denies all traffic destined for peer to peer services but permits all other traffic. 2. Apply ACL inbound on VLAN 102. Scenario 2: ACLs can be deployed to allow only that traffic destined for necessary services required to meet operational goals. Segments that provide connectivity to sensitive data stores should only allow traffic sourced from trusted set of secure hosts. The following steps can be taken to increase the security of the network in the Scenario 2. 1. Apply ACL to VLAN 101 that only permits: SSH traffic from any network. 2. Apply ACL to VLAN 102 that only permits: Traffic destined for necessary services: DNS, FTP, WWW, and SMTP. SSH traffic from management subnet (10.10.0.0/28). 3. Apply ACL to VLAN 103 that only permits: HTTP and HTTPS traffic destined for Web server farm (virtual IP: 172.16.1.20). SSH traffic from management subnet (10.10.0.0/28). 4. Apply ACL to LAG 1 (attached to Web server 172.16.1.30 in VLAN 103) that only permits: NFS traffic from web servers (172.16.1.18 and 172.16.1.19) SSH traffic from management subnet (10.10.0.0/28). 5. Apply ACL to interface 1/e12 (attached to database,172.16.1.40, in VLAN 103) that only permits: MySQL traffic from web servers (172.16.1.18 and 172.16.1.19) SSH traffic from management subnet (10.10.0.0/28) 6. Apply ACL to VLAN 104 that only permits: Amanda Backup Services traffic from the database, 172.16.1.40, in VLAN 103 SSH traffic from management subnet (10.10.0.0/28) Step-By-Step Instructions The following configuration guidelines are compatible with Dell PowerConnect 33xx series switches. SCENARIO 1: 1. Build ACL that denies all peer to peer traffic but permits all other traffic. www.dell.com/networking 4

console# config console(config)# ip access-list vlan_102 console(config-ip-al)# deny-tcp any any any 1214 console(config-ip-al)# permit any any any console(config-ip-al)# exit 2. Apply ACL inbound on VLAN 102. console(config)# int vlan 102 console(config-if)# service-acl input vlan_102 console(config-if)# exit console(config)# exit console# copy run start console# exit WARNING: While this example will block peer to peer traffic, the permit-all ACE may allow other undesirable traffic onto the network. For greater security, define ACEs that permit only authorized applications. The switch will implicitly discard all other traffic once ACLs are invoked. SCENARIO 2: 1a. Define ACL for VLAN 101 and respective ACEs. console# config console(config)# ip access-list vlan_101 console(config-ip-al)# permit-tcp any any any 10.10.0.0 0.0.0.15 22 This ACL permits SSH traffic (TCP port 22) is sourced from any network and destined for the 10.10.0.0/28 management network (VLAN 101). All other traffic is implicitly denied. Note the syntax of the mask in the ACL (0.0.0.255). This is the reverse of the commonly used host subnet mask of 255.255.255.0. In this instance, the ACE masks the host part of the IP address, not the network part. Use the following table to determine which masks to use in ACEs: Subnet mask Prefix length ACE mask 255.255.255.0 /24 0.0.0.255 255.255.255.128 /25 0.0.0.127 255.255.255.192 /26 0.0.0.63 255.255.255.224 /27 0.0.0.31 255.255.255.240 /28 0.0.0.15 255.255.255.248 /29 0.0.0.7 255.255.255.252 /30 0.0.0.3 255.255.255.254 /31 unusable 255.255.255.255 /32 0.0.0.0 1b. Apply ACL vlan_101 to VLAN 101. console(config)# int vlan 101 console(config-if)# service-acl input vlan_101 2a. Define ACL for VLAN 102 and respective ACEs. console(config)# ip access-list vlan_102 console(config-ip-al)# permit-tcp any any 192.168.1.0 0.0.0.63 53 console(config-ip-al)# permit-udp any any 192.168.1.0 0.0.0.63 53 www.dell.com/networking 5

console(config-ip-al)# permit-tcp any any 192.168.1.0 0.0.0.63 21 console(config-ip-al)# permit-tcp any any 192.168.1.0 0.0.0.63 143 console(config-ip-al)# permit-tcp any any 192.168.1.0 0.0.0.63 25 console(config-ip-al)# permit-tcp 10.10.0.0 0.0.0.15 any 192.168.1.0 0.0.0.63 22 This ACL permits DNS (TCP and UDP port 53), FTP (TCP port 21), IMAP (TCP port 143), and SMTP (TCP port 25) sourced from any network and destined for 192.168.1.0/26. It also permits SSH traffic (TCP port 22) sourced from 10.10.0.0/28. All other traffic is implicitly denied. 2b. Apply ACL vlan_102 to VLAN 102. console(config)# int vlan 102 console(config-if)# service-acl input vlan_102 3a. Define ACL for VLAN 103 and respective ACEs. console(config)# ip access-list vlan_103 console(config-ip-al)# permit-tcp any any 172.16.1.20 0.0.0.0 80 console(config-ip-al)# permit-tcp any any 172.16.1.20 0.0.0.0 443 console(config-ip-al)# permit-tcp 10.10.0.0 0.0.0.15 any 172.16.1.0 0.0.0.255 22 3b. Apply ACL vlan_103 to VLAN 103. console(config)# int vlan 103 console(config-if)# service-acl input vlan_103 This ACL permits HTTP and HTTPS traffic (TCP ports 80 and 443, respectively) sourced from any network and destined for the web cluster VIP, 172.16.1.20. It also permits SSH traffic sourced from 10.10.0.0/28. All other traffic is implicitly denied. 4a. Define ACL for LAG 1 and respective ACEs. console(config)# ip access-list lag_1 console(config-ip-al)# permit-tcp 172.16.1.18 0.0.0.0 any 172.16.1.30 0.0.0.0 111 console(config-ip-al)# permit-udp 172.16.1.18 0.0.0.0 any 172.16.1.30 0.0.0.0 111 console(config-ip-al)# permit-tcp 172.16.1.18 0.0.0.0 any 172.16.1.30 0.0.0.0 2049 console(config-ip-al)# permit-udp 172.16.1.18 0.0.0.0 any 172.16.1.30 0.0.0.0 2049 console(config-ip-al)# permit-tcp 172.16.1.19 0.0.0.0 any 172.16.1.30 0.0.0.0 111 console(config-ip-al)# permit-udp 172.16.1.19 0.0.0.0 any 172.16.1.30 0.0.0.0 111 console(config-ip-al)# permit-tcp 172.16.1.19 0.0.0.0 any 172.16.1.30 0.0.0.0 2049 console(config-ip-al)# permit-udp 172.16.1.19 0.0.0.0 any 172.16.1.30 0.0.0.0 2049 console(config-ip-al)# permit-tcp 10.10.0.0 0.0.0.15 any 172.16.1.30 0.0.0.0 22 This ACL permits NFS traffic (TCP and UDP ports 111 and 2049) sourced from the web servers and destined for the file server. It also permits SSH traffic (TCP port 22) sourced from 10.10.0.0/28. All other traffic is implicitly denied. 4b. Apply ACL lag_1 to LAG 1. www.dell.com/networking 6

console(config)# int port-channel 1 console(config-if)# service-acl input lag_1 5a. Define ACL for 1/e12 and respective ACEs. console(config)# ip access-list mysql_access console(config-ip-al)# permit-tcp 172.16.1.18 0.0.0.0 any 172.16.1.40 0.0.0.0 3306 console(config-ip-al)# permit-udp 172.16.1.18 0.0.0.0 any 172.16.1.40 0.0.0.0 3306 console(config-ip-al)# permit-tcp 172.16.1.19 0.0.0.0 any 172.16.1.40 0.0.0.0 3306 console(config-ip-al)# permit-tcp 10.10.0.0 0.0.0.15 any 172.16.1.40 0.0.0.0 22 This ACL permits MySQL traffic sourced from the web servers and destined for the database (MySQL uses TCP and UDP ports 3306). It also permits SSH traffic sourced from 10.10.0.0/28. All other traffic is implicitly denied. 5b. Apply ACL mysql_access to interface 1/e12. console(config)# int ethernet 1/e12 console(config-if)# service-acl input mysql_access 6a. Define ACL for VLAN 104 and respective ACEs. console(config)# ip access-list vlan_104 console(config-ip-al)# permit-tcp 172.16.1.40 0.0.0.0 any 10.2.2.0 0.0.0.31 10080 console(config-ip-al)# permit-tcp 10.10.0.0 0.0.0.15 any 10.2.2.0 0.0.0.31 22 This ACL permits Amanda backup traffic (TCP port 10080) sourced from the database and destined for 10.2.2.0/27. It also permits SSH traffic sourced from 10.10.0.0/28. All other traffic is implicitly denied. 6b. Apply ACL vlan_104 to VLAN 104. console(config)# int vlan 104 console(config-if)# service-acl input vlan_104 console(config-if)# exit console(config)# exit console# copy run start console# exit console> Conclusion Upon completion of the above configurations, PowerConnect 33xx switches will filter traffic on perresource and per-host basis. Information in this document is subject to change without notice. 2003 Dell Inc. All rights reserved. This Application Note is for informational purposes only, and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. www.dell.com/networking 7

Trademarks used in this text: Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc.. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own. www.dell.com/networking 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information