Security

1
Security

• Semester 5, Chapter 10
• Allan Johnson
• Modified by Sean He

2
Access Control Lists
3
Named ACL

• The following is the syntax for a named ACL
• Router(config)ip access-list standardextended
  name
• Once named, the prompt will change depending on
  whether you chose standard or extended to
• Router(config-std-nacl)
• Router(config-ext-nacl)
• Now you simply enter each statement starting with
  the permit or deny. For example, our previous
  ACL
• RTA(config)ip access-list extended NO_WEB
• RTA(config-ext-nacl)deny tcp host 192.168.15.15
  host 172.16.32.1 eq www
• RTA(config-ext-nacl)permit ip any any
• !Then apply it
• RTA(config-if)ip access-group NO_WEB in

4
Time-Based ACLs

• Now you can specify when a particular statement
  should filter packets (or routes).
• First, name the time range in global
  configuration
• RTA(config)time-range USER
• RTA(config-time-range)
• Second, enter the time range using either
  periodic or absolute
• RTA(config-time-range)periodic weekdays 800 to
  1700
• Instead of weekdays, we can use daily, weekends,
  and each of the days of the week (Sunday, Monday,
  etc.)
• To specify an absolute time range, use the
  following syntax
• Router(config-time-range)absolute start-time
  date end-time date
• Third, apply the time-range name to an ACL
  statement
• RTA(config-ext-nacl)deny host 192.168.15.15 host
  172.16.32.1 eq www time-range USER

5
Lock-and-Key

• Begin the Extended ACL by allowing telnet access
  into the firewall router.
• Router(config)access-list 101 permit tcp any
  any eq 23
• Configure a dynamic ACL statement after the
  telnet statement.
• Router(config)access-list 101 dynamic UNLOCK
  timeout 120 permit ip any any
• Configure the rest of the ACL according to your
  security requirements for normal, non-dynamic use.

6
Lock-and-Key (Contd)

• If the router is doing the authenticating,
  configure a username/password in global
  configuration.
• RTA(config)username cisco password bscn
• Configure telnet lines to authenticate locally
  and then automatically create the hole in the
  firewall.
• RTA(config)line vty 0 4
• RTA(config-line)login local
• RTA(config-line)autocommand access-enable host
  timeout 60
• - without host keyword, the users entire
  network is permitted for access

7
Reflexive ACL

• Dynamically matches all incoming traffic with an
  entry to determine if traffic is part of a
  internally created session
• A session initiated inside creates a temporary
  entry that will time out. Returning traffic must
  match all four source/destination parameters to
  be permitted
• Source IP, Destination IP, Source Port,
  Destination Port
• Uses special named ACL arguments
• Does not work with applications whose port
  numbers can changes.
• For example, FTPs port changes from 21 to 20
  when the destination starts sending data.

8
Reflexive ACL Example

• Deny inside users FTP access outside. Allow
  external routing updates. Reflect all other
  traffic.

RTA(config)ip access-list extended
OUTBOUND RTA(config-ext-nacl)deny tcp any any eq
ftp RTA(config-ext-nacl)permit ip any any
reflect TRAFFIC timeout 120 --------- RTA(config)
ip access-list extended INBOUND RTA(config-ext-nac
l)permit bgp any any RTA(config-ext-nacl)evaluat
e TRAFFIC --------- RTA(config)interface serial
0 RTA(config-if)ip access-group OUTBOUND
out RTA(config-if)ip access-group INBOUND in
9
Context-Based Access Control
10
CBAC

• Context-based access control (CBAC) goes beyond
  layer 3 4 header information
• CBAC has four major configuration tasks
• Choose an Interface
• Configure Basic ACLs
• Define CBAC Inspection Rule
• Apply the ACLs and Inspection Rule to the
  Interface

11
Choose Interface - Simple Topology

• Below is a graphic illustrating the Simple
  Topology
• A basic ACL will be applied denying inbound
  traffic on the external interface.
• Outbound traffic should be permitted or it will
  be dropped.
• An inspection rule will be applied for outbound
  traffic on the external interface specifying what
  outbound traffic is to be monitored.
• Inbound traffic will then be compared to dynamic
  ACLs created by the inspection rule.

12
Choose Interface Demilitarized (DMZ) Topology

• Below is a graphic illustrating the DMZ topology
• A basic ACL will be applied denying outbound
  traffic on the internal interface.
• Inbound traffic should be permitted or it will be
  dropped.
• An inspection rule will be applied for inbound
  traffic on the internal interface specifying what
  inbound traffic is to be monitored.
• Outbound traffic will then be compared to dynamic
  ACLs created by the inspection rule.

13
Configure Basic ACLs

• For CBAC to work properly, you need to make sure
  that you have access lists configured
  appropriately at the interface.
• Start with a basic configuration.
• Permit CBAC traffic to leave the network through
  the firewall.
• Use extended access lists to deny CBAC return
  traffic entering the network through the
  firewall.
• For temporary openings to be created in an access
  list, the access list must be an extended access
  list.
• The access lists should deny CBAC return traffic
  because CBAC will open up temporary holes in the
  access lists to permit returning traffic.
  (Normally, you want the traffic to be blocked.)

14
Define Inspection Rule - Example

• For our previous example, assume we want to
  inspect all UDP connections as well as HTTP and
  FTP.
• RTA(config)ip inspect name FIREWALL udp
• RTA(config)ip inspect name FIREWALL http
• RTA(config)ip inspect name FIREWALL ftp
• The above configurations, when applied, will
  dynamically create ACLs to allow traffic
  returning to the internal network
• This traffic is normally being denied

15
Apply the Inspection Rule

• The Inspection Rule is applied to the interface
  specifying the direction external traffic is
  expected.
• Use the syntax
• Router(config)ip inspect inspection-name
  inout
• For our example
• The Simple Topology
• RTA(config)interface serial 0
• RTA(config-if)ip inspect FIREWALL in
• The DMZ Topology
• RTA(config)interface ethernet 0
• RTA(config-if)ip inspect FIREWALL out

16
CBAC Example
!The following is for the Simple Topology !Only
interface direction change for DMZ Topology
(noted in parenthesis) RTA(config)access-list 1
permit any RTA(config)access-list 101 permit ip
bgp any any !Permit the 5 most common and
harmless ICMP messages RTA(config)access-list
101 permit icmp any any echo-reply RTA(config)acc
ess-list 101 permit icmp any any
time-exceeded RTA(config)access-list 101 permit
icmp any any packet-too-big RTA(config)access-lis
t 101 permit icmp any any traceroute RTA(config)a
ccess-list 101 permit icmp any any
unreachable RTA(config)access-list 101 deny TCP
any any RTA(config)access-list 101 deny UDP any
any RTA(config)access-list 101 deny ip any any
RTA(config)ip inspect name FIREWALL
udp RTA(config)ip inspect name FIREWALL
http RTA(config)ip inspect name FIREWALL
ftp RTA(config)interface serial 0 (DMZethernet
0) RTA(config-if)ip inspect FIREWALL in
(DMZout) RTA(config-if)ip access-group 1 out
(DMZin) RTA(config-if)ip access-group 101 in
(DMZout)