Security
http://www.InternetworkExpert.com
Extended Access-Lists
Match on:
  IP protocol number
  Source address
  Destination address
  Protocol options:
    TCP / UDP ports (eq, neq, lt, gt, range)
    ICMP type and code
  Packet markings:
    DSCP
    IP Precedence
    TOS
Copyright 2007 Internetwork Expert, Inc www.InternetworkExpert.com
Access-List Logging
Access-list hits can be logged to:
  Console / Monitor / Buffer / Syslog
Log options:
  log includes:
    List name / number
    Permit / deny
    Protocol name / number
    Source / destination IP
    Port numbers
  log-input includes:
    All log options + source layer 2 address:
      MAC address
      Input VC
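The two slides above, as an added IOS configuration example that is not from the original deck: one extended ACL that matches on each field type listed (addresses, port operators, ICMP type/code, DSCP) and that logs its denies with both log and log-input. The addresses, interface name and the two log lines shown in the trailing comments are constructed for illustration.

```cisco
! Added example (not from the original slides); addressing is assumed:
! clients on 10.0.35.0/24, web server 10.0.58.2, inbound interface FastEthernet0/0
ip access-list extended EDGE-IN
 ! source network, host destination, single port
 permit tcp 10.0.35.0 0.0.0.255 host 10.0.58.2 eq www
 ! port range operator
 permit tcp 10.0.35.0 0.0.0.255 host 10.0.58.2 range 20 21
 ! port operator combined with a DSCP marking
 permit udp any any gt 1023 dscp ef
 ! ICMP by type name, and by numeric type/code (3 4 = fragmentation needed)
 permit icmp any any echo-reply
 permit icmp any any 3 4
 ! log = list, action, protocol, addresses and ports
 deny tcp any any eq telnet log
 ! log-input = the same plus input interface and source MAC / VC
 deny tcp any host 10.0.58.2 eq 445 log-input
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group EDGE-IN in
!
! send ACL hits to the local buffer; log every matching packet instead of
! the default 5-minute summary so the first hit is visible immediately
logging buffered 64000 informational
ip access-list log-update threshold 1
!
! Constructed examples of the resulting messages (show logging):
! %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 10.0.35.3(40012) -> 10.0.58.2(23), 1 packet
! %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 10.0.35.3(40012) (FastEthernet0/0 0011.2233.4455) -> 10.0.58.2(445), 1 packet
```

The log-input form is the one worth keeping on an access layer: the MAC address ties a spoofed source IP back to a physical neighbour, which the plain log keyword cannot do. Logging is process-switched, so a threshold of 1 belongs on low-volume edge entries, not on a busy permit.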
Routing filters:
  distribute-list
Periodic (time-range):
  At one or more recurring time periods:
    daily, weekdays, weekend, Mon, Tues, Wed, Thurs, Fri, Sat, Sun
Applications:
  Time based traffic filter
  Time based QoS
  Time based ISDN DDR interesting traffic
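A time based traffic filter built from the periodic time-range described above, as an added IOS example that is not from the original deck. The VLAN 58 addressing, the interface name and the hours are assumptions.

```cisco
! Added example (not from the original slides); addresses and interface are assumed
time-range BUSINESS-HOURS
 ! recurring entries: a day-of-week keyword or a named day, with a start/end time
 periodic weekdays 8:00 to 17:00
 periodic Saturday 9:00 to 12:00
!
ip access-list extended VLAN58-OUT
 ! web traffic from VLAN 58 is permitted only while the time range is active
 permit tcp 10.0.58.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 permit tcp 10.0.58.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 ! outside the range the same traffic falls through to these logged denies
 deny tcp 10.0.58.0 0.0.0.255 any eq www log
 deny tcp 10.0.58.0 0.0.0.255 any eq 443 log
 permit ip any any
!
interface FastEthernet0/1
 ip access-group VLAN58-OUT in
!
! The range is evaluated against the router clock, so the clock must be trusted:
! (assumed NTP source)
ntp server 10.0.58.254
!
! Verification: "show time-range BUSINESS-HOURS" reports active or inactive,
! "show ip access-lists VLAN58-OUT" shows which entries are currently in effect.
```

A time-range entry that is inactive simply does not match, so the order of the permit and deny lines above decides what happens outside the window; without the explicit denies the final permit ip any any would let the traffic through.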
Dynamic ACL Overview
AKA lock and key ACLs
Used to poke a hole in the firewall based on authentication
Some applications:
  From inside: user must authenticate to send traffic to the Internet
  From outside: user must authenticate to access internal web server
Line based:
  line vty 0 4
  autocommand access-enable
Access-Enable:
  Makes the dynamic entry active
  host option opens hole only for the authenticator
Dynamic ACL Example
Web client (R3) must first authenticate to R5 before accessing private web server (SW2)
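The dynamic ACL example task, worked as an added IOS configuration on R5 (not from the original deck). Assumed: R5's outside interface FastEthernet0/0 is 10.0.35.5, R3 is 10.0.35.3, SW2's web server is 10.0.58.2, and the username and password are placeholders.

```cisco
! Added example (not from the original slides); addresses, user and password assumed
! the client authenticates with a local account; the autocommand runs on login and
! creates the dynamic entry for the authenticating host only (host option),
! with an idle timeout of 5 minutes
username webclient secret EXAMPLE-PASSWORD
username webclient autocommand access-enable host timeout 5
!
! entry 1: the client must be able to reach R5 itself to authenticate
! entry 2: the template for the hole; timeout here is the absolute lifetime (minutes)
access-list 100 permit tcp any host 10.0.35.5 eq telnet
access-list 100 dynamic WEBHOLE timeout 10 permit tcp any host 10.0.58.2 eq www
!
interface FastEthernet0/0
 ip address 10.0.35.5 255.255.255.0
 ip access-group 100 in
!
line vty 0 4
 login local
!
! Verification (constructed expectation): after R3 has logged in and been disconnected,
! "show ip access-lists 100" lists a temporary entry under WEBHOLE of the form
!   permit tcp host 10.0.35.3 host 10.0.58.2 eq www
! and "clear access-template 100 WEBHOLE host 10.0.35.3 host 10.0.58.2" removes it early.
```

Putting the autocommand on the user rather than on line vty 0 4 keeps administrative logins to the same vty lines usable; the idle timeout on access-enable must be shorter than the absolute timeout on the dynamic entry, otherwise the absolute timer always wins. Without the host keyword the entry would be created with the template's source of any, opening the hole for every address, not just the authenticator.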
Reflexive ACL Overview
Adds stateful firewall inspection to ACLs
Subset of CBAC / PIX functionality
Watches traffic leave the network, permits traffic back in based on this state information
Reflexive ACL Considerations
Outbound access-lists do not match locally generated traffic
Statically permit required traffic back in:
  Routing protocols
  ICMP echo / echo-reply
  traceroute replies
Reflexive ACL Example
TCP, UDP, and ICMP traffic should only be allowed in on R5's Frame Relay connection if it was initiated from VLAN 58
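The reflexive ACL example task, worked as an added IOS configuration on R5 (not from the original deck), including the static permits the considerations slide calls for. Assumed: Serial0/0 is the Frame Relay link, VLAN 58 is 10.0.58.0/24, and EIGRP is the routing protocol across the link.

```cisco
! Added example (not from the original slides); interface, subnet and routing protocol assumed
! outbound: only sessions initiated from VLAN 58 create state in MIRROR;
! per-entry timeouts (seconds) override the global ip reflexive-list timeout (300)
ip access-list extended OUTBOUND
 permit tcp 10.0.58.0 0.0.0.255 any reflect MIRROR timeout 120
 permit udp 10.0.58.0 0.0.0.255 any reflect MIRROR timeout 60
 permit icmp 10.0.58.0 0.0.0.255 any reflect MIRROR timeout 30
 permit ip any any
!
ip access-list extended INBOUND
 ! traffic R5 generates itself never matches OUTBOUND, so its replies and the
 ! routing protocol must be permitted statically
 permit eigrp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 ! traceroute replies
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 ! return traffic for sessions VLAN 58 initiated
 evaluate MIRROR
 ! everything else, logged for visibility
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification: "show ip access-lists MIRROR" lists the temporary mirrored entries
! with their remaining timeouts while a session from VLAN 58 is open.
```

Order matters inside INBOUND: the static permits sit above evaluate so that routing and diagnostics keep working even when no state exists, and the final logged deny is where unexpected inbound traffic shows up. The reflect keyword only works on named extended ACLs, and it tracks addresses and ports, not TCP flags, which is why the deck calls it a subset of CBAC.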
TCP Intercept
Used to prevent TCP SYN denial of service attacks against TCP servers (typically web)
Watch mode:
  Passively track TCP connections
Intercept mode:
  Proxy for all connections to server
TCP Intercept Example
R5 should proxy for all TCP connections initiated to the web server on VLAN 58 (SW2)
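The TCP intercept example task, worked as an added IOS configuration on R5 (not from the original deck). The web server address 10.0.58.2 and the threshold values are assumptions.

```cisco
! Added example (not from the original slides); server address and thresholds assumed
! the list selects which destinations R5 proxies; sources are left as any
access-list 110 permit tcp any host 10.0.58.2 eq www
ip tcp intercept list 110
!
! intercept mode: R5 answers the SYN itself and only opens the server side
! after the client completes the handshake (watch mode would just observe
! and reset half-open connections that exceed watch-timeout)
ip tcp intercept mode intercept
!
! aggressive mode starts when either the number of half-open connections or
! the one-minute connection-attempt rate crosses the high mark and stops at the low mark
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
! in aggressive mode drop the oldest half-open connection (random is the alternative)
ip tcp intercept drop-mode oldest
! how long an unanswered server-side handshake may stay open, and how long an
! established but idle proxied connection is kept
ip tcp intercept watch-timeout 30
ip tcp intercept connection-timeout 3600
!
! Verification:
! show tcp intercept connections   (incomplete and established proxied sessions)
! show tcp intercept statistics    (attempts, resets, current mode)
```

Intercept mode changes what the server sees: its SYN arrives from R5's proxy logic only after the client has proven it can complete a handshake, so spoofed-source floods are absorbed on the router. The cost is that R5 must hold state for every client session, which is why the list should name only the servers that actually need protection.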
Local Authorization
Privilege levels used to control access to exec commands
Default privilege levels:
  0  no access
  1  user mode access
  15 privilege (enable) mode access
Local Authorization
privilege command:
  Exec | Configure | Interface | Router | etc
  Configure command: router(config)#
  Interface command: router(config-if)#
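The privilege command applied across the exec, configure and interface modes named above, as an added IOS example that is not from the original deck: an operator account at level 5 that may clear counters and shut or enable interfaces, and nothing else beyond level 1. The username and passwords are placeholders.

```cisco
! Added example (not from the original slides); account and passwords are placeholders
! a local user that lands at level 5, and a matching enable password for level 5
username netops privilege 5 secret EXAMPLE-PASSWORD
enable secret level 5 EXAMPLE-LEVEL5-PASSWORD
!
! exec mode: let level 5 enter configuration mode and clear interface counters
privilege exec level 5 configure terminal
privilege exec level 5 clear counters
! configure mode (router(config)#): let level 5 enter interface configuration
privilege configure level 5 interface
! interface mode (router(config-if)#): only shutdown / no shutdown are moved down
privilege interface level 5 shutdown
privilege interface level 5 no shutdown
!
line vty 0 4
 login local
!
! Verification from the netops session:
! show privilege          -> Current privilege level is 5
! configure terminal / interface x / shutdown   succeed
! ip address ...          -> rejected, still level 15
```

Each mode is unlocked separately: moving shutdown to level 5 is useless unless configure terminal and interface are moved as well, and lowering a command also lowers every keyword form of it, so the grants should be reviewed with show running-config | include privilege after each change.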