5.1 Using ACLs to Secure Networks 5.1.

1 A TCP Conversation ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses. However, ACLs can also be configured to control network traffic based on the TCP port being used. 5.1.2 Packet Filtering Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria. The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on Source IP address Destination IP address ICMP message type

The ACL can also extract upper layer information and test it against its rules. Upper layer information includes: TCP/UDP source port TCP/UDP destination port

5.1.3 What is an ACL? An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet. The Three Ps A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface. ACLs perform the following tasks: Limit network traffic to increase network performance. Provide traffic flow control. ACLs can restrict the delivery of routing updates. Provide a basic level of security for network access. Decide which types of traffic to forward or block at the router interfaces. Control which areas a client can access on a network. Screen hosts to permit or deny access to network services.

5.1.4 ACL Operation ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.

Inbound ACLs-Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing. Outbound ACLs-Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. Instead of proceeding into or out of an interface, the router drops all of these remaining packets.

There is a key caveat associated with this "deny all" behavior: For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list. 5.1.5 Types of Cisco ACLs Standard ACLs Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter. Because of the implied "deny any" at the end, all other traffic is blocked with this ACL. Standard ACLs are created in global configuration mode. Extended ACLs Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP address, destination IP address, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control. Extended ACLs are created in global configuration mode. 5.1.6 How a Standard ACL Works Step 1. Create an access list by specifying an access list number or name and access conditions. Step 2. Apply the ACL to interfaces or terminal lines. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected. 5.1.7 Numbering and Naming ACLs

Regarding numbered ACLs, in case you are wondering why numbers 200 to 1299 are skipped, it is because those numbers are used by other protocols. This course focuses only on IP ACLs. For example, numbers 600 to 699 are used by AppleTalk, and numbers 800 to 899 are used by IPX. 5.1.8 Where to Place ACLs Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are:

Locate extended ACLs as close as possible to the source of the traffic denied. This way, undesirable traffic is filtered without crossing the network infrastructure. Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. 5.1.9 General Guidelines for Creating ACLs

5.2 Configuring Standard ACLs 5.2.1 Entering Criteria Statements 5.2.2 Configuring a Standard ACL

access-list 2 deny host 192.168.10.1

access-list 2 permit 192.168.10.0 0.0.0.255

access-list 2 deny 192.168.0.0 0.0.255.255

access-list 2 permit 192.0.0.0 0.255.255.255

The full syntax of the standard ACL command is as follows: Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log] The full syntax of the standard ACL command to filter a specific host is as follows: Router(config)#access-list access-list-number [deny | permit] source [log] To remove the ACL, the global configuration no access-list command is used. The remark keyword is used for documentation and makes access lists a great deal easier to understand. Each remark is limited to 100 characters.

5.2.3 ACL Wildcard Masking 5.2.4 Applying Standard ACLs to Interfaces After a standard ACL is configured, it is linked to an interface using the ip access-group command:

Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out} To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. 5.2.4 Applying Standard ACLs to Interfaces Using an ACL to Control VTY Access Filtering Telnet traffic is typically considered an extended IP ACL function because it filters a higher level protocol. However, because you are using the access-class command to filter incoming or outgoing Telnet sessions by source address and apply filtering to VTY lines, you can use standard ACL statements to control VTY access. The command syntax of the access-class command is: access-class access-list-number {in [vrf-also] | out}

5.2.5 Editing Numbered ACLs To include a comment for IP numbered standard or extended ACLs, use the access-list access-list number remark remark global configuration command. To remove the remark, use the no form of this command.

5.2.6 Creating Standard Named ACLs The figure shows the steps to create a standard named ACL. Step 1. Starting from the global configuration mode, use the ip access-list command to create a named ACL. ACL names are alphanumeric, must be unique and must not begin with a number. Step 2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions for determining if a packet is forwarded or dropped.

Step 3. Return to privileged EXEC mode with the end command.

5.2.7 Monitoring and Verifying ACLs #show access-lists 5.2.8 Editing Named ACLs Starting with Cisco IOS Software Release 12.3, named IP ACLs allow you to delete individual entries in a specific ACL. You can use sequence numbers to insert statements anywhere in the named ACL.

5.3 Configuring Extended ACLs For more precise traffic-filtering control, you can use extended ACLs numbered 100 to 199 and 2000 to 2699 providing a total of 800 possible extended ACLs. Extended ACLs can also be named. Like standard ACLs, extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services). This gives a greater range of criteria on which to base the ACL. For example, an extended ACL can simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.

5.3.2 Configuring Extended ACLs The procedural steps for configuring extended ACLs are the same as for standard ACLs, you first create the extended ACL and then activate it on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs. With the established parameter, the router will allow only the established traffic to come back in and block all other traffic. 5.3.3 Applying Extended ACLs to Interfaces

5.3.4 Creating Named Extended ACLs Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names. Step 1. Starting in the global configuration mode, use the ip access-list extended name command to define a named extended ACL. Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny. Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name] command. Step 4. As an option and recommended step, save your entries in the configuration file with the copy running-config startup-config command. To remove a named extended ACL, use the no ip access-list extended name global configuration command. 5.4 Configure Complex ACLs 5.4.1 What are Complex ACLs

5.4.2 Dynamic ACLs Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lockand-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.

Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular period; idle and absolute timeouts are possible. Benefits: Dynamic ACLs have the following security benefits over standard and static extended ACLs: Use of a challenge mechanism to authenticate individual users. Simplified management in large internetworks. In many cases, reduction of the amount of router processing that is required for ACLs. Reduction of the opportunity for network break-ins by network hackers. Creation of dynamic user access through a firewall, without compromising other configured security restrictions.