4/23/2018 Understanding Cisco Cybersecurity Fundamentals

2.12 Understanding the Network Infrastructure

Packet Filtering with ACLs

ACLs provide a basic level of security for network access. Without any ACLs configured on a router, all packets pass
through the router and onto the network. ACLs can be configured on a router that is positioned between two parts of the
network to control traffic that is entering or exiting a specific part of the internal network. An ACL on the router, for example,
can allow one host to access a part of the network while, at the same time, preventing another host from accessing that
same area.

https://ondemandelearning.cisco.com/cybersec-nil/secfnd/sections/2/pages/12 1/5

The ACL that is shown in the above figure allows host A to access the human resources network but prevents host B from
accessing the human resources network.

To provide the security benefits of ACLs, at a minimum, configure ACLs at the network perimeter. This configuration
provides a basic buffer from the outside network, or from a less controlled area of the network, onto network segments
requiring more security. On these network edge routers, an ACL should be configured for each network protocol that is
configured on the router interfaces.

Access Control List Example


The simplest type of firewall is a packet filter. As the name implies, packet filters look at individual packets in isolation.
Based on the contents of the packet and the configured policy, they decide to permit or deny packets from entering or
exiting the router interface. Packet filters generally have robust options for differentiating desirable and undesirable packets.

Common options include:

• Source and destination IP addresses at the network layer.

• Protocol differentiation at the transport layer: TCP, UDP, ICMP, OSPF, and so on.

• When the transport layer is TCP or UDP, source and destination ports can be specified.

• When the transport layer is ICMP, types and codes can be specified.

• When the traffic is TCP, the presence of the ACK bit or the RST bit can be verified. Under normal TCP connection flow,
neither of these bits is ever set in the first packet of a new TCP connection.

Packet filtering is commonly implemented on Cisco IOS routers and switches. ACLs are used to classify packets. ACLs can
be used for various functions on a Cisco IOS router. For example, they can be used to classify which packets are permitted
into a priority queue. They can be used to classify which networks an OSPF process will advertise or which network
advertisements an OSPF process will accept. They can be used to classify which packets will have their forwarding path
specified by a policy-based route.

When an ACL is applied to an interface with the access-group command, it implements a packet filter. Consider the
following ACL applied to the gi0/1 interface in the inbound direction regarding the topology that is depicted above:

access-list 100 permit tcp any host 10.10.10.10 eq www
access-list 100 permit tcp any host 10.10.10.10 eq 443
access-list 100 permit tcp any host 10.10.10.11 eq www
access-list 100 permit tcp any host 10.10.10.11 eq 443
access-list 100 permit tcp any host 10.10.10.12 eq ftp
access-list 100 permit tcp any host 10.10.10.12 eq ftp-data
access-list 100 deny ip any any log
!
interface gi0/1
 ip address 10.100.100.1 255.255.255.0
 ip access-group 100 in
<output omitted>

The ACL describes a policy of what is permitted and denied from the user subnet to the server subnet. To be effective, it can
either be applied inbound on the interface connecting to the user subnet or it can be applied outbound to the interface
connected to the server subnet. Some points of interest in this example include:

• Clients on the user subnet are permitted to send packets to TCP ports 80 and 443 on the two web servers on the server
subnet.

• Clients on the user subnet are permitted to send packets to TCP ports 20 and 21 on the FTP server on the server
subnet.

• Standard FTP will function. Clients establish the control channel by connecting to port 21 on the FTP server. When the
client requests a data transfer, it will obtain an ephemeral TCP port from its operating system and convey the appropriate
port to the FTP server. The server will then open a data channel by connecting from TCP port 20 to the specified
ephemeral port on the client. All packets that are sent from the client to the server that are associated with this data
connection will be sent to TCP port 20.

• Passive FTP will not function. Clients establish the control channel by connecting to port 21 on the FTP server. When the
client requests a data transfer, it specifies the request as passive. The server application then requests an ephemeral
port from its operating system and communicates the port to the client. The client then initiates the data channel by
connecting to the ephemeral port on the server. This connection would not be allowed by the ACL as written, which is a
single example of the difficulty packet filters have in handling protocols which use dynamically negotiated connections.

• No connections are allowed from the user subnet to the SQL server. The SQL server is there to provide real time data to
be presented by the web servers. Access to the data must be through the interface that is provided by the web servers.
The SQL server is largely protected from the user subnet.

• There is an explicit deny for all other packets as the last entry in the ACL. While this line is not required to deny all
packets that were not matched by earlier entries, it does serve two purposes. First, hit counters are maintained for each
line in the ACL. The administrator can use the show access-list 100 command to view the ACL and each entry’s hit
count. Without the explicit deny, there would be no record of the number of packets that were denied by the ACL. Also,
the explicit deny uses the log argument, which will cause the generation of syslog messages that are associated with
the denies, which can facilitate central audit trails of rejected traffic. Unfortunately, ACL logging can be CPU intensive
and can negatively affect other functions of the network device. It should therefore be used with discretion.
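As an added example (not part of the Cisco course), the following Python simulation applies the page's access-list 100 with first-match semantics to constructed packets from the user subnet, keeping per-entry hit counters so the passive FTP failure, the SQL isolation and the visibility gained from the explicit deny can all be checked; the SQL server address 10.10.10.13 is an assumption, since the page gives none.

```python
ACL_100 = [  # (action, protocol, destination host, destination port); source is "any"
    ("permit", "tcp", "10.10.10.10", 80),     # eq www
    ("permit", "tcp", "10.10.10.10", 443),
    ("permit", "tcp", "10.10.10.11", 80),
    ("permit", "tcp", "10.10.10.11", 443),
    ("permit", "tcp", "10.10.10.12", 21),     # eq ftp
    ("permit", "tcp", "10.10.10.12", 20),     # eq ftp-data
    ("deny", "ip", "any", None),              # explicit "deny ip any any log"
]

class Acl:
    def __init__(self, entries):
        self.entries = list(entries)
        self.hits = [0] * len(entries)  # per-entry counters, like "show access-list 100"
        self.implicit_denies = 0        # drops by the implicit deny: no counter on a real router

    def evaluate(self, proto, dst_ip, dst_port):
        for i, (action, e_proto, e_dst, e_port) in enumerate(self.entries):
            if e_proto != "ip" and e_proto != proto:
                continue  # "ip" matches every protocol
            if e_dst != "any" and e_dst != dst_ip:
                continue
            if e_port is not None and e_port != dst_port:
                continue
            self.hits[i] += 1
            return action  # first match wins; later entries are never consulted
        self.implicit_denies += 1
        return "deny"  # nothing matched: the implicit deny ip any any applies

# Constructed packets from the user subnet, inbound on gi0/1: (protocol, destination, port).
# 10.10.10.13 is an assumed address for the SQL server; the page gives none.
PACKETS = {
    "https_to_web1": ("tcp", "10.10.10.10", 443),
    "active_ftp_control": ("tcp", "10.10.10.12", 21),
    "active_ftp_client_to_port20": ("tcp", "10.10.10.12", 20),
    "passive_ftp_data": ("tcp", "10.10.10.12", 50123),  # server's ephemeral port
    "sql_from_user": ("tcp", "10.10.10.13", 1433),
    "ping_web1": ("icmp", "10.10.10.10", None),
}

def classify(acl=None):
    if acl is None:
        acl = Acl(ACL_100)
    return {name: acl.evaluate(*pkt) for name, pkt in PACKETS.items()}

def deny_visibility():
    """Explicit-deny hit count vs. what is left to the invisible implicit deny."""
    with_deny, without = Acl(ACL_100), Acl(ACL_100[:-1])
    classify(with_deny); classify(without)
    return with_deny.hits[-1], with_deny.implicit_denies, without.implicit_denies
```

Without the last entry the same three packets are still dropped, but nothing on the router records that they were.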

Note

By default, there is an implicit deny ip any any entry at the end of every ACL. Anything that is not explicitly
permitted is denied.

The ip access-group command is then used to apply the access list to an interface.

A primary focus of security analysts is to investigate ACL-related logs to identify or correlate attacks on the network.
It is also beneficial if a security analyst can assist the network administrators in troubleshooting or fixing certain issues
by looking at the logs.

Mar 30 2016 11:41:48.681 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59078)

Take a sample scenario where there is a complaint that hosts on the 172.16.1.0/24 subnet cannot access the internal web
server at 192.168.2.1. The denied tcp log message above indicates that the connection from source IP address
172.16.1.92 to destination IP address 192.168.2.1 on TCP port 80 is denied.

With basic knowledge of access control lists, a security analyst can quickly verify the ACL configuration for the
192.168.2.1 web server and the hosts on the 172.16.1.0/24 subnet. In this case, if the traffic from the hosts on the
172.16.1.0/24 subnet to the 192.168.2.1 web server on TCP port 80 is not intended to be denied and this looks to be a
configuration issue, the security analyst can report the findings to the network administrator.
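As an added example, not taken from the course, this Python triage helper parses constructed syslog lines in the IOS %SEC-6-IPACCESSLOGP format (the page shows only a truncated one) and counts how many distinct hosts of 172.16.1.0/24 are denied to 192.168.2.1 on TCP 80, which separates a subnet-wide ACL misconfiguration from a single misbehaving host; the addresses other than those on the page are constructed.

```python
import ipaddress
import re

# Constructed sample lines in the IOS %SEC-6-IPACCESSLOGP format (not taken from the page).
SAMPLE_LOG = """\
Mar 30 2016 11:41:48.681 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.92(59078) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:41:52.104 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.17(51002) -> 192.168.2.1(80), 1 packet
Mar 30 2016 11:42:03.377 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 172.16.1.204(43311) -> 192.168.2.1(80), 3 packets
Mar 30 2016 11:42:10.010 EDT: %SEC-6-IPACCESSLOGP: list 185 permitted tcp 172.16.1.92(59080) -> 192.168.2.1(443), 1 packet
Mar 30 2016 11:42:15.555 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp 10.9.8.7(40001) -> 192.168.2.1(22), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per parsable line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("sport", "dport", "count"):
            e[k] = int(e[k])
        events.append(e)
    return events

def denied_services(events, source_subnet):
    """Map (dst, dport) -> (distinct denied sources, packets) for sources inside the subnet."""
    net = ipaddress.ip_network(source_subnet)
    hosts, packets = {}, {}
    for e in events:
        if e["action"] != "denied" or ipaddress.ip_address(e["src"]) not in net:
            continue
        key = (e["dst"], e["dport"])
        hosts.setdefault(key, set()).add(e["src"])
        packets[key] = packets.get(key, 0) + e["count"]
    return {k: (len(hosts[k]), packets[k]) for k in hosts}

def likely_misconfiguration(events, source_subnet, dst, dport, min_hosts=3):
    """Many distinct hosts of one subnet denied to the same service points at the ACL, not at one host."""
    stats = denied_services(events, source_subnet).get((dst, dport))
    return stats is not None and stats[0] >= min_hosts
```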

Content Review Question

In an ACL, if a traffic flow is not explicitly permitted, what will be the result for the traffic flow once it has been tested
against all of the access control entries in the list?

The traffic will be implicitly permitted.

The traffic will be explicitly permitted.

The traffic will be explicitly denied.

The traffic will be implicitly denied.

Content Review Question

Which one of the following commands is required on an interface in order to apply an ACL as a packet filter?

access-class

ip access-group

ip access-list

< SGA group id >
