
CCIE Routing & Switching Advanced Technologies Class

Security

http://www.InternetworkExpert.com

IPv4 Access-List Overview

Standard Access-Lists
  Match only on source IP address

Extended Access-Lists
  Match on
    IP protocol number
    Source address
    Destination address
    Protocol options
      TCP / UDP ports (eq, neq, lt, gt, range)
      ICMP type / code
    Packet markings
      DSCP
      IP Precedence
      TOS
Copyright 2007 Internetwork Expert, Inc www.InternetworkExpert.com

Access-List Logging
  Access-list hits can be logged to
    Console / Monitor / Buffer / Syslog

  Log options
    log includes
      List name / number
      Permit / deny
      Protocol name / number
      Source / destination IP
      Port numbers
    log-input includes
      All log options + source layer 2 address
        MAC address
        Input VC

Applying Access-Lists
  Traffic filter
    ip access-group
  Inbound & outbound exec access control
    access-class
  Routing filters
    distribute-list
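The match criteria, logging options and the three ways of applying an access-list from the slides above, pulled together in one configuration. This is an added example, not from the original slides; addresses, list names, the interface and the syslog host are constructed.

```cisco
! Added example (not from the original slides). Addresses, names and the
! syslog host are constructed for illustration.
!
! Send ACL log messages to the local buffer and to a syslog server
logging buffered 16384 informational
logging host 10.0.0.50
!
ip access-list extended EDGE_IN
 ! web traffic to the DMZ server; 'log' records list, action, protocol,
 ! source / destination and ports for each hit
 permit tcp any host 192.168.58.10 eq 80 log
 permit tcp any host 192.168.58.10 range 8080 8081 log
 ! only ICMP echo-reply (type 0, code 0) back into the DMZ
 permit icmp any 192.168.58.0 0.0.0.255 0 0
 ! voice-marked UDP (DSCP EF) to the voice gateway RTP port range
 permit udp any host 192.168.58.20 range 16384 32767 dscp ef
 ! everything else: 'log-input' also records the source MAC / input VC
 deny ip any any log-input
!
! Standard ACLs match on source address only
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 deny 192.168.100.0 0.0.0.255
access-list 20 permit any
!
! 1. Traffic filter on the interface
interface FastEthernet0/0
 ip access-group EDGE_IN in
!
! 2. Exec access control: only sources in ACL 10 may open a VTY session
line vty 0 4
 access-class 10 in
!
! 3. Routing filter: reject the 192.168.100.0/24 prefix learned via RIP
router rip
 distribute-list 20 in
```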


Time Based ACLs
  Used to activate access-list entry or entries based on local clock
    time-range [name]
  Absolute
    At one specific time period
  Periodic
    At one or more recurring time periods
    Daily / Weekdays / Weekend / Mon, Tues, Wed, Thurs, Fri, Sat, Sun
  Applications
    Time based traffic filter
    Time based QoS
    Time based ISDN DDR interesting traffic
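A periodic and an absolute time-range referenced from a time based traffic filter, as an added example that is not part of the original slides. The subnets, hosts, dates, time zone and NTP server are constructed.

```cisco
! Added example (not from the original slides). Addresses, dates and the
! NTP server are constructed.
!
! Periodic: recurring window, Monday to Friday business hours
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 17:00
!
! Absolute: one specific maintenance window (start and end are optional;
! omitting 'end' keeps the range active indefinitely)
time-range MAINTENANCE
 absolute start 22:00 15 June 2007 end 02:00 16 June 2007
!
! Time based traffic filter: an entry is only active while its
! time-range is active; outside the window it is treated as absent
ip access-list extended INSIDE_OUT
 permit tcp 10.1.1.0 0.0.0.255 any eq 80 time-range BUSINESS_HOURS
 permit tcp 10.1.1.0 0.0.0.255 any eq 443 time-range BUSINESS_HOURS
 ! vendor SSH access to the management host only during maintenance
 permit tcp host 10.1.1.99 host 10.2.2.2 eq 22 time-range MAINTENANCE
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group INSIDE_OUT in
!
! The ranges are evaluated against the router's local clock, so the
! time zone and clock source matter as much as the ACL itself
clock timezone EST -5
ntp server 10.0.0.5
```

`show time-range` reports whether each range is currently active or inactive.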

Dynamic ACL Overview
  AKA lock and key ACLs
  Used to poke a hole in the firewall based on authentication
  Some applications:
    From inside: user must authenticate to send traffic to the Internet
    From outside: user must authenticate to access internal web server


Configuring Dynamic ACLs
  Typically two applications
  With explicit permit
    1. dynamic permit
    2. static deny
    3. explicit permit
  With implicit deny
    1. dynamic permit
    2. implicit deny


Configuring Dynamic ACLs
  Create the access-list
    access-list 100 dynamic BOB permit ip any any
  Configure authentication & autocommand
    User based
      username X password Y autocommand access-enable
    Line based
      line vty 0 4
       autocommand access-enable
  access-enable
    Makes the dynamic entry active
    host option opens hole only for the authenticator
  Apply the access-list
    ip access-group 100 [in | out]

Dynamic ACL Example
  Web client (R3) must first authenticate to R5 before accessing private web server (SW2)
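The lock-and-key configuration for the scenario above in its "explicit permit" form (dynamic permit, static deny, explicit permit), as an added example that is not part of the original slides. R5's address, the web server address, the username, the interface and the timeouts are constructed.

```cisco
! Added example (not from the original slides). Addresses, the username
! and the timeout values are constructed.
!
! Local user whose login immediately runs access-enable and disconnects.
! 'host' opens the hole only for the authenticating source address;
! 'timeout 10' is the idle timeout (minutes) of the dynamic entry.
username webuser secret s3cr3t
username webuser autocommand access-enable host timeout 10
!
! 1. dynamic permit: template entry, becomes a real entry only after
!    access-enable; 'timeout 60' is its absolute lifetime in minutes
access-list 100 dynamic WEBHOLE timeout 60 permit tcp any host 192.168.58.10 eq 80
! 2. static deny: without authentication nobody reaches the web server
access-list 100 deny tcp any host 192.168.58.10 eq 80
! 3. explicit permit: the client must be able to telnet to R5 to
!    authenticate, and all other traffic is allowed through
access-list 100 permit tcp any host 155.1.0.5 eq telnet
access-list 100 permit ip any any
!
! Authenticate against the local user database
line vty 0 4
 login local
!
! Apply inbound on R5's interface facing the web client (R3)
interface Serial0/0
 ip access-group 100 in
```

`show access-lists 100` shows the temporary entry created by access-enable, and `clear access-template 100 WEBHOLE` removes it by hand.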


Reflexive ACL Overview
  Adds stateful firewall inspection to ACL
  Subset of CBAC / PIX functionality
  Watches traffic leave the network, permits traffic back in based on this state information


Reflexive ACL Configuration
  Track outbound traffic
    ip access-list extended OUTBOUND
     permit tcp any any reflect STATEFUL
     permit udp any any reflect STATEFUL
     permit icmp any any reflect STATEFUL
  Check state table inbound
    ip access-list extended INBOUND
     evaluate STATEFUL
     deny ip any any (implicit)


Reflexive ACL Considerations
  Outbound access-lists do not match locally generated traffic
  Statically permit required traffic back in
    Routing protocols
    ICMP echo / echo-reply
    traceroute replies
  Local policy routing
    Forces locally generated traffic to be treated as transit


Reflexive ACL Example
  TCP, UDP, and ICMP traffic should only be allowed in R5's Frame Relay connection if it was initiated from VLAN 58
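The reflexive ACL for the scenario above together with the two fixes from the considerations slide (static permits for traffic that is never in the state table, and local policy routing for R5's own traffic), as an added example that is not part of the original slides. The interface, the EIGRP choice, the VLAN 58 subnet, the Frame Relay addresses and the timeouts are constructed.

```cisco
! Added example (not from the original slides). Interface, routing
! protocol, addresses and timeouts are constructed.
!
! Track sessions leaving R5 toward the Frame Relay cloud; 'timeout' is
! the idle time (seconds) after which the reflexive entry is removed
ip access-list extended OUTBOUND
 permit tcp any any reflect STATEFUL timeout 300
 permit udp any any reflect STATEFUL timeout 60
 permit icmp any any reflect STATEFUL timeout 30
!
ip access-list extended INBOUND
 ! static permits for traffic that never appears in the state table:
 ! the routing protocol, pings to R5, and traceroute replies from
 ! intermediate hops (their source is not the probe's destination)
 permit eigrp any any
 permit icmp any any echo
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 ! return traffic for sessions the state table has seen leaving
 evaluate STATEFUL
 ! implicit deny ip any any follows
!
interface Serial0/0
 description Frame Relay toward the other pods
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Traffic R5 itself originates (e.g. ping from R5) never passes OUTBOUND,
! so no reflexive entry is created for it. Local policy routing pushes
! that traffic through the transit path. 155.1.0.0/16 is the assumed
! address space behind Frame Relay and 155.1.0.1 an assumed neighbour.
ip access-list extended LOCAL_ICMP
 permit icmp any 155.1.0.0 0.0.255.255
!
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_ICMP
 set ip next-hop 155.1.0.1
!
ip local policy route-map LOCAL_POLICY
!
! Lifetime for reflexive entries that carry no explicit timeout
ip reflexive-list timeout 120
```

`show access-lists STATEFUL` lists the current reflexive entries and their remaining time.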


TCP Intercept
  Used to prevent TCP SYN Denial of Service attacks against TCP servers
    typically web
  Tracks number of half open TCP sessions
    SYN sent, SYN ACK replied, no ACK back
  Watch mode
    Passively track TCP connection
  Intercept mode
    Proxy for all connections to server

TCP Intercept Example
  R5 should proxy for all TCP connections initiated to the web server on VLAN 58 (SW2)
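TCP intercept on R5 for the scenario above, with the half-open thresholds that switch it into aggressive mode, as an added example that is not part of the original slides. The web server address and every threshold value are constructed.

```cisco
! Added example (not from the original slides). The server address and
! the threshold values are constructed.
!
! Only connections matching the ACL (destination = web server) are
! intercepted; everything else is forwarded untouched
access-list 101 permit tcp any host 192.168.58.10 eq 80
ip tcp intercept list 101
!
! intercept: R5 completes the three-way handshake with the client first
! and only then opens a connection to the server, so a SYN flood never
! fills the server's backlog. 'watch' would only monitor passively.
ip tcp intercept mode intercept
!
! Half-open = SYN received, SYN/ACK sent, no ACK back. Aggressive mode
! starts above the 'high' marks and stops once below the 'low' marks.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 1000
ip tcp intercept one-minute low 800
!
! In aggressive mode drop the oldest half-open connection first
ip tcp intercept drop-mode oldest
!
! In watch mode, how long a half-open connection may linger before R5
! resets it; in intercept mode R5's own retransmit timers apply instead
ip tcp intercept watch-timeout 20
!
! Forget idle established connections after 15 minutes
ip tcp intercept connection-timeout 900
!
! Verification:
!   show tcp intercept connections
!   show tcp intercept statistics
```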


Local Authorization
  Privilege levels used to control access to exec commands
  Default privilege levels
    0   no access
    1   user mode access
    15  privilege (enable) mode access
  User defined privilege levels
    Levels 2 - 14 available for assignment


Local Authorization
  Moving command privilege down
    Allow privilege 1 to
      Run extended ping
      Show running config
        Only see what you can configure
  Moving command privilege up
    Revoke privilege 1 from
      Running show commands
      Using the enable command


Local Authorization
  privilege command
    exec | configure | interface | router | etc.
  The configuration mode a command lives in determines which option of the privilege command to use
  Example:
    Exec command
      router#
    Configure command
      router(config)#
    Interface command
      router(config-if)#
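The three local authorization slides above worked into one configuration: commands moved down to level 1, commands moved up to level 15, and a custom level 5 whose commands are taken from exec, configure and interface mode. This is an added example, not from the original slides; usernames, passwords and the chosen level 5 command set are constructed.

```cisco
! Added example (not from the original slides). Usernames, passwords and
! the level 5 command set are constructed.
!
! --- Moving command privilege down ---
! Let level 1 run (extended) ping; ping lives in exec mode
privilege exec level 1 ping
! Let level 1 view the running configuration. The user still only sees
! the parts of the config made up of commands at or below their level.
privilege exec level 1 show running-config
!
! --- Moving command privilege up ---
! Level 1 can no longer run any show command ...
privilege exec level 15 show
! ... nor use 'enable' to ask for a higher level
privilege exec level 15 enable
!
! --- Custom level 5: may only set interface descriptions and shutdown ---
! The prompt the command is typed at selects the privilege keyword:
!   router#            -> privilege exec
!   router(config)#    -> privilege configure
!   router(config-if)# -> privilege interface
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 description
privilege interface level 5 shutdown
!
! A level 5 user, plus the password for 'enable 5' from a lower level
username ops privilege 5 secret op5pass
enable secret level 5 lvl5pass
!
line vty 0 4
 login local
!
! Verification: log in as 'ops' and run 'show privilege' (after moving
! 'show' to level 15 above, grant it back with: privilege exec level 5 show privilege)
```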