Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security



Similar documents
Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Router s Configuration

LAB II: Securing The Data Path and Routing Infrastructure

IPv6 Workshop: Location Date Security Trainer Name

Lab Configure Cisco IOS Firewall CBAC

Firewall Technologies. Access Lists Firewalls

Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Network Security 1. Module 8 Configure Filtering on a Router

FIREWALLS & CBAC. philip.heimer@hh.se

Virtual Fragmentation Reassembly

Lab Configure IOS Firewall IDS

Cisco Configuring Commonly Used IP ACLs

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Adding an Extended Access List

Firewall Stateful Inspection of ICMP

Firewall Authentication Proxy for FTP and Telnet Sessions

CCNA Access List Sim

Lab Developing ACLs to Implement Firewall Rule Sets

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Lab Exercise Configure the PIX Firewall and a Cisco Router

Securing Networks with PIX and ASA

Controlling Access to a Virtual Terminal Line

CCNA 2 v5.0 Routing Protocols Final Exam Answers

Firewall Support for SIP

Configuring NetFlow Secure Event Logging (NSEL)

LAB THREE STATIC ROUTING

Configuring Denial of Service Protection

Lab 6.1 Configuring a Cisco IOS Firewall Using SDM

Configuring Static and Dynamic NAT Simultaneously

Skills Assessment Student Training Exam

Configuring NetFlow Secure Event Logging (NSEL)

3.1 Connecting to a Router and Basic Configuration

- Basic Router Security -

CISCO IOS FIREWALL DESIGN GUIDE

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Lab 5.5 Configuring Logging

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

Packet Tracer - Troubleshooting IPv4 and IPv6 Addressing Topology

Configuring Control Plane Policing

PT Activity 8.1.2: Network Discovery and Documentation Topology Diagram

8 steps to protect your Cisco router

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

IOS Zone Based Firewall Step-by-Step Basic Configuration

ICND IOS CLI Study Guide (CCENT)

RSA Security Analytics

Lab 8: Confi guring QoS

Firewall Stateful Inspection of ICMP

CCNA Security 1.1 Instructional Resource

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Sample Configuration Using the ip nat outside source static

CSCE 465 Computer & Network Security

Enabling Remote Access to the ACE

Lab QoS Classification and Policing Using CAR

Security and Access Control Lists (ACLs)

Lab Review of Basic Router Configuration with RIP. Objective. Background / Preparation. General Configuration Tips

Troubleshooting the Firewall Services Module

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

Table of Contents. Configuring IP Access Lists

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Configuring Network Address Translation

- QoS Classification and Marking -

Lab Characterizing Network Applications

Internetwork Expert s CCNA Security Bootcamp. IOS Firewall Feature Set. Firewall Design Overview

Basic Software Configuration Using the Cisco IOS Command-Line Interface

Applicazioni Telematiche

Configuring Class Maps and Policy Maps

Troubleshooting the Firewall Services Module

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

Configuring Network Security with ACLs

Lab Configuring Access Policies and DMZ Settings

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls

South America Workshop. WALC 2006 (Quito, Ecuador July 06) Management Tools

Securizarea Calculatoarelor și a Rețelelor 13. Implementarea tehnologiei firewall CBAC pentru protejarea rețelei

Cisco Secure PIX Firewall with Two Routers Configuration Example

Cisco Firewall Technology

DNS Commands ip dns spoofing

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

IP Filter/Firewall Setup

Configuring the Cisco Secure PIX Firewall with a Single Intern

Welcome to Todd Lammle s CCNA Bootcamp

Configuring Network Address Translation (NAT)

Flow-Based per Port-Channel Load Balancing

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

GLBP - Gateway Load Balancing Protocol

Lab 3 Routing Information Protocol (RIPv1) on a Cisco Router Network

GregSowell.com. Mikrotik Security

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Chapter 3 Using Access Control Lists (ACLs)

Troubleshooting IP Access Lists

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Monitoring and analyzing audio, video, and multimedia traffic on the network

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

IOS NAT Load Balancing with Optimized Edge Routing for Two Internet Connections

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

Router Lab Reference Guide

Introduction to Cisco router configuration

Lab 2 - Basic Router Configuration

Transcription:

City Guatemala 30 January - 1 February 07 Pedro Lorga (lorga@fccn.pt) Simon Muyal (muyal@renater.pt) Piers O'Hanlon (p.ohanlon@cs.ucl.ac.uk)

Laboratory Exercise: Objectives In this laboratory exercise you will complete the following tasks: Configure filters for IPv6 traffic; Access Control to VTY lines; IPv6 Firewall Analyzing and troubleshooting problems 2/11

Visual Objective You will use OSPF scenario you previously saved for this exercise (all routers in Area 0). Figure 1 IPv6 security scenario 3/11

Setup/Scenario There will be 4 students per router. The distribution will be the same as in the OSPFv3 exercise. 2001:DB8:CAFE:A::/64 LAB Address Space 2001:DB8:CAFE::/48 192.168.0.0/16 Router #1 Router #2 ::1 2001:DB8:CAFE:12::/64 ::1 ::2 ::2 2001:DB8:CAFE:B::/64 ::1 ::2 2001:DB8:CAFE:13::/64 Router #3 2001:DB8:CAFE:23::/64 ::3 ::3 ::3 ::3 2001:DB8:CAFE:C::/64 2001:DB8:CAFE:34::/64 2001:DB8:CAFE:D::/64 ::4 ::4 2001:DB8:CAFE:45::/64 ::4 Router #4 ::4 2001:DB8:CAFE:46::/64 2001:DB8:CAFE:E::/64 Router #5 Router #6 ::6 ::5 2001:DB8:CAFE:56::/64 ::5 ::5 ::6 ::6 2001:DB8:CAFE:F::/64 Figure 2 Scenario Topology Preparing the LAB If your router is not yet configured, load the configuration from the flash memory: RouterX# copy flash:iniv6-ospf running-config RouterX# wr 4/11

Task 1: IPv6 traffic filters Note that the routers you are using in these exercises have IOS that support the mentioned features. At home remember to check them, as you may not have all functionalities. Several different methods of configuring access-lists have been implemented in Cisco IOS over the past years. In this module we will use the latest approach. The way used to configure access-list in the routers in this module is: Router3# conf t Router3#(config)# ipv6 access-list <name_access_list> Router3#( config-ipv6-acl)# <deny/permit> The permit clause is: permit protocol {source-ipv6-prefix/prefix-length any host source-ipv6-address} [operator [port-number]] {destination-ipv6- prefix/prefix-length any host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number dohtype]] [dscp value] [flow-label value] [fragments] [log] [loginput] [mobility] [mobility-type [mh-number mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name] The deny clause is: deny protocol {source-ipv6-prefix/prefix-length any host source-ipv6-address} [operator [port-number]] {destination-ipv6- prefix/prefix-length any host destination-ipv6-address} [operator [port-number]] [dest-option-type [doh-number dohtype]] [dscp value] [flow-label value] [fragments] [log] [loginput] [mobility] [mobility-type [mh-number mh-type]] [routing] [routing-type routing-number] [sequence value] [timerange name] [undetermined-transport] Step 1: Configure Access-lists Configure an access-list to only permit incoming IPv6 traffic from your direct neighbor(s) (see figure 2). Insert them in the permit clause of your IPv6 accesslist. Step 2: Applying Access Lists to your interfaces Apply the access-list to you interfaces in the in direction. (Tip: ipv6 traffic-filter ) Can they ping you now? Check the OSPF process. Is it up? (Tip: allow the link-local addresses also in your configuration) 5/11

Try to ping again. Step 3: Checking your Access-lists Explicitly deny any IPv6 ICMP on your access-list. Ask anyone (not directly connected to you) to ping your router. See in what access-list line are the requests being counted. (Tip: show ipv6 access-list ) Although you deny any ICMP, why can your neighbour ping your router and the others don t? Step 4: Allowing a Port Number and a Protocol Create a new access-list. Instead of permitting all IPv6, only allow the telnet port from your neighbour(s). (Tip: permit ipv6 tcp.) Apply this access-list to the interface. Try to ping the router. Add another line to the access-list, adding the protocol ICMP to the allowed conditions. Can you ping now? Check your access-list and see what packets are matching your configuration. Step 5: Controlling access to VTY Lines As you know, you should restrict access to your routers, to only a small number of PCs or networks that you control. Create an IPv6 access-list to only allow your direct neighbours to access your network. Use only the source IP address, don t use the protocol configuration. (Tip: permit ipv6 ) Now apply this access-list to your VTY. (Tip: line vty 0 <ending_vty access-class ) Step 6: IPv6 Firewall 6/11

The latest IOS allows you take advantage of some new features, like firewall. With it you can both inspect packets and use ACL, described previously. For you to see the output of this exercise, you will need a FTP server and client. Configure your router to inspect FTP packets. (Tip: ipv6 inspect name ) Apply this rule to the interface you wish. (Tip: ipv6 inspect ). Now run the FTP from the PCs. Verify that the traffic runs through the interfaces you are inspecting. Check the output. (Tip: show ipv6 inspect ) Summary After completing these exercises, you should be able to: Configure and apply IPv6 access-lists Restrict access to VTY Configure Cisco Inspect Firewall 7/11

Appendix Step 1: Configure Access-lists Router1# configure terminal Router1(config)# ipv6 access-list v6test Router1(config-ipv6-acl)# permit ipv6 host 2001:DB8:CAFE:3::1 any Router1(config-ipv6-acl)# permit ipv6 host 2001:DB8:CAFE:13::3 any Router1(config-ipv6-acl)# permit ipv6 host 2001:DB8:CAFE:34::3 any Router1(config-ipv6-acl)# exit Step 2: Applying Access Lists to your interfaces In IPv4 the command to apply an access-list to an interface was ip access-group <access-list_number_or_name> <in out>. In IPvt the command is ipv6 traffic filter. Router1(config)# interface FastEthernet1 Router1(config-if)# ipv6 traffic-filter v6test in If you notice, you don t peer with any neighbors now. The reason is that the updates are sent via link local addresses. You have to permit these packets to your router. Router1(config)# ipv6 access-list v6test Router1(config-ipv6-acl)# permit ipv6 FE80::/16 any Test again. You should be able to ping your direct neighbour. Step 3: Checking your Access-lists To explicitly deny any IPv6 ICMP configure: Router1(config)# ipv6 access-list v6test Router1#(config-ipv6-acl)# deny icmp any any To check the access-list counters do: Router1# show ipv6 access-list v6test IPv6 access list v6test permit ipv6 host 2001:DB8:CAFE:3::1 any sequence 10 permit ipv6 host 2001:DB8:CAFE:13::3 any (7 matches) sequence 20 permit ipv6 host 2001:DB8:CAFE:34::3 any sequence 30 permit ipv6 FE00::/8 any (10 matches) sequence 40 deny icmp any any (5 matches) sequence 50 8/11

If you try to ping from router 3, you get a reply, but none from router 4. This happens because you configured the allowance of all IPv6 packets from your neighbour before you denied the ICMP. If you change the order of the lines, you won t get any answer to your pings from any neighbour. Step 4: Allowing a Port Number and a Protocol Create a new access-list. Eg: Router1# configure terminal Router1(config)# ipv6 access-list v6proto Router1#(config-ipv6-acl)# permit tcp host 2001:DB8:CAFE:3::1 any eq telnet Router1#(config-ipv6-acl)# permit tcp host 2001:DB8:CAFE:13::3 any eq telnet Router1#(config-ipv6-acl)# permit tcp host 2001:DB8:CAFE:34::3 any eq telnet Router1#(config-ipv6-acl)# permit ipv6 FE00::/8 any Apply the access-list to the interface. You can t ping the routers, because you are only allowing TCP and traffic to Port 23 (telnet). You can also use other ports and commands (gt greater than, lt less than, etc.). To permit ICMP: Router1#(config-ipv6-acl)# permit icmp any any Step 5: Controlling access to VTY lines Create an access-list to the allowed machines/networks: Router1(config)# ipv6 access-list v6lines Router1#(config-ipv6-acl)# permit ipv6 host 2001:DB8:CAFE:3::1 any Router1#(config-ipv6-acl)# permit ipv6 host 2001:DB8:CAFE:13::3 any Router1#(config-ipv6-acl)# permit ipv6 host 2001:DB8:CAFE:34::3 any Router1#(config-ipv6-acl)# exit Router1(config)# line vty 0 15 Router1(config-line)# ipv6 access-class v6lines in 9/11

Test with telnet by different routers. Step 6: IPv6 Firewall To configure your router to inspect FTP packets do: Router1(config)# ipv6 inspect name v6ftp-inspect ftp timeout 60 To apply this rule to the interface do: Router1(config)# interface FastEthernet 1 Router1(config-if)# ipv6 inspect v6ftp-inspect in Run the FTP between the two PCs. Check the output from the inspect: show Router1# show inspect name v6ftp-inspect To activate audit-trail: Router1(config)# ipv6 inspect name v6ftp-inspect ftp audit-trail on To activate alerts: Router1(config)# ipv6 inspect name v6ftp-inspect ftp alert on 10/11

Some useful commands Another feature, namely PAM Port-to-application Mapping, existing in Cisco IOS, allows you to customize TCP or UDP port numbers for network services or applications. Using the port information, PAM establishes a table of default port-toapplication mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports. PAM also supports host or subnet specific port mapping, which allows you to apply PAM to a single host or subnet using standard ACLs. Host or subnet specific port mapping is done using standard ACL. Eg: create an access-list and then apply it: Router1(config)# ipv6 port-map application-name port port [list acl-name] To check the output from this command, type: Router1# show ipv6 port-map [ ] 11/11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information