NETWORK SECURITY ACCESS LISTS STANDARDS AND EXTENDED

Security is an important topic in the new CCNA exam. Because Cisco routers and switches form the backbone of today's network infrastructures, it is especially important to keep security in mind. Should your backbone be breached, the entire network could be crippled, sensitive information could be eavesdropped on, and data could be corrupted or altered in a way that could have drastic effects on your operations. For this reason, Cisco expects you to have a general understanding of network security.

This section covers the following topics:

• Describing the increase in security threats and the need for a security policy

• Explaining general methods to mitigate threats

• Describing the functions of common security appliances/applications

• Describing the recommended practices of securing network devices

Network Definitions, Characteristics, Components, and Locations

The first assignment in understanding how to build a computer network is defining what a network is and understanding how it is used to help a business meet its objectives.

A network is a combination of computer hardware, cabling, network devices, and computer software used together to allow computers to communicate with each other.

A network is basically all of the components (hardware and software) involved in connecting computers across small and large distances. Networks are used to provide easy access to information, thus increasing productivity for users.

Network hardware consists mainly of two basic components: the entities that want to share information or resources, such as servers and workstations, and the medium that enables the entities to communicate, which is a cable or a wireless medium.

Servers, Workstations, and Hosts

Host

The term host refers to any computer or device that is connected to a network and sends or receives information on that network. A host can be a server, a workstation, a printer with its own network card, or a device such as a router.

Server

The server is a special computer that contains more disk space and memory than are found on client workstations. The server has special software installed that allows it to function as a server.

Workstation

The workstation, also known as a client, is a basic computer running a client operating system such as Windows XP or Linux. A typical network involves having users sit at workstations, running such applications as word processors or spreadsheet programs.

Network Characteristics

The following characteristics should be considered in network design and ongoing maintenance:

• Availability

Availability is typically measured in a percentage based on the number of minutes that exist in a year. Therefore, uptime would be the number of minutes the network is available divided by the number of minutes in a year.

• Cost 

includes the cost of the network components, their installation, and their ongoing maintenance.

• Reliability 

defines the reliability of the network components and the connectivity between them. Mean time between failures (MTBF) is commonly used to measure reliability.

• Security

includes the protection of the network components and the data they contain and/or the data transmitted between them.

• Speed 

includes how fast data is transmitted between network end points (the data rate).

• Scalability 

defines how well the network can adapt to new growth, including new users, applications, and network components.

• Topology 

describes the physical cabling layout and the logical way data moves between components.

Many different types and locations of networks exist. You might use a network in your home or home office to communicate via the Internet, to locate information, to place orders for merchandise, and to send messages to friends. You might work in a small office that is set up with a network that connects other computers and printers in the office. You might work in a large enterprise in which many computers, printers, storage devices, and servers communicate and store information from many departments over large geographic areas.

Networks carry data in many types of environments, including homes, small businesses, and large enterprises. In a large enterprise, a number of locations might need to communicate with each other, and you can describe those locations as follows:


Corporate office:

A corporate or main office is a site where everyone is connected via a network and where the bulk of corporate information is located. A corporate office can have hundreds or even thousands of people who depend on network access to do their jobs. A main office might use several connected networks, which can span many floors in an office building or cover a campus that contains several buildings.

Remote locations:

A variety of remote access locations use networks to connect to the main office or to each other.

Branch offices:

In branch offices, smaller groups of people work and communicate with each other via a network. Although some corporate information might be stored at a branch office, it is more likely that branch offices have local network resources, such as printers, but must access information directly from the main office.

Home offices:

When individuals work from home, the location is called a home office. Home office workers often require on-demand connections to the main or branch offices to access information or to use network resources such as file servers.

Mobile users:

Mobile users connect to the main office network while at the main office, at the branch office, or traveling. The network access needs of mobile users are based on where the mobile users are located.

Network Components

All of these networks share many common components. As the definition above states, a network is basically the sharing of information via network components, so network components play a major role in designing and maintaining a network. The most essential network components are listed here.

Network Components

| Component          | Examples                                                                    |
| Applications       | network-aware, network-unaware                                              |
| Protocols          | open standard, proprietary                                                  |
| Computer           | Windows, Macintosh OS, UNIX, Linux                                          |
| Networking devices | hubs, bridges, switches, routers, firewalls, wireless access points, modems |
| Media types        | copper, coaxial, UTP, fiber cabling                                         |

Types of Networks

Organizations of different structures, sizes, and budgets need different types of networks. Networks can be divided into one of two categories:

• peer-to-peer

• server-based networks

Peer-to-Peer Network

A peer-to-peer network has no dedicated servers; instead, a number of workstations are connected together for the purpose of sharing information or devices. Peer-to-peer networks are designed to satisfy the networking needs of home networks or of small companies that do not want to spend a lot of money on a dedicated server but still want the capability to share information or devices, as in a school, a college, or a cyber cafe.

Server-Based Networks

In a server-based network, the data files that will be used by all of the users are stored on one server. With a server-based network, the network server stores a list of users who may use network resources and usually holds the resources as well.

This will help by giving you a central point to set up permissions on the data files, and it will give you a central point from which to back up all of the data in case data loss should occur.

Network Communications

• Computer networks use signals to transmit data, and protocols are the languages computers use to communicate.

• Protocols provide a variety of communications services to the computers on the network.

• Local area networks connect computers using a shared, half-duplex, baseband medium, and wide area networks link distant networks.

• Enterprise networks often consist of clients and servers on horizontal segments connected by a common backbone, while peer-to-peer networks consist of a small number of computers on a single LAN.

Network Security Types of attacks

Security is a fundamental component of every network design. When planning, building, and operating a network, you should understand the importance of a strong security policy.

Network Security

A security policy defines what people can and can't do with network components and resources.

Need for Network Security

In the past, hackers were highly skilled programmers who understood the details of computer communications and how to exploit vulnerabilities. Today almost anyone can become a hacker by downloading tools from the Internet. These complicated attack tools and generally open networks have generated an increased need for network security and dynamic security policies.

The easiest way to protect a network from an outside attack is to close it off completely from the outside world. A closed network provides connectivity only to trusted known parties and sites; a closed network does not allow a connection to public networks.

Because they have no Internet connectivity, networks designed in this way can be considered safe from Internet attacks. However, internal threats still exist.

It is estimated that 60 to 80 percent of network misuse comes from inside the enterprise where the misuse takes place.

With the development of large open networks, security threats have increased significantly in the past 20 years. Hackers have discovered more network vulnerabilities, and because you can now download applications that require little or no hacking knowledge to use, applications intended for troubleshooting, maintaining, and optimizing networks can, in the wrong hands, be used maliciously and pose severe threats.

An adversary

An adversary is a person who is interested in attacking your network; the motivation can range from gathering or stealing information, to creating a DoS, to simply the challenge of it.

Types of attack:

Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks, exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system must be able to limit damage and recover rapidly when attacks occur. 

There are five types of attack:

Passive Attack

A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.

Active Attack

In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.

Distributed Attack

A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, into a "trusted" component or software that will later be distributed to many other companies and users. Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door into a product to gain unauthorized access to information or to a system function at a later date.

Insider Attack

An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task.

Close-in Attack

A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.

One popular form of close-in attack is social engineering. In a social engineering attack, the attacker compromises the network or system through social interaction with a person, through an e-mail message or a phone call. The attacker can use various tricks to get the person to reveal information about the security of the company. The information that the victim reveals to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a system or network.

Phishing Attack

In a phishing attack, the hacker creates a fake web site that looks exactly like a popular site such as SBI Bank or PayPal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the username and password and then tries that information on the real site.

Hijack attack

In a hijack attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker by accident.

Spoof attack

In a spoof attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules.

Buffer overflow

A buffer overflow attack is when the attacker sends more data to an application than is expected. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell.

Exploit attack

In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

Password attack

An attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters.

Network Security Mitigating Common Threats

Improper and incomplete network device installation is an often-overlooked security threat that, if left unaddressed, can have terrible results. Software-based security measures alone cannot prevent intended or even accidental network damage caused by poor installation. This section describes how to mitigate common security threats to servers, routers, and switches.

Physical Installations

Physical installations involve four types of threats: hardware, electrical, environmental, and maintenance.

Hardware threats

Hardware threats involve physical damage to network components such as servers, routers, and switches. Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements:

• The room must be locked with only authorized personnel allowed access.

• The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point.

• If possible, use electronic access control with all entry attempts logged by security systems and monitored by security personnel.

• If possible, security personnel should monitor activity via security cameras with automatic recording.


Electrical threats

Electrical threats include irregular fluctuations in voltage, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss. They can be limited by adhering to these guidelines:

• Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.

• Install backup generator systems for mission-critical supplies.

• Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-suggested preventative maintenance schedule.

• Install redundant power supplies on critical devices.

• Monitor and alarm power-related parameters at the power supply and device levels.

Environmental threats

Environmental threats include temperature extremes (too hot or too cold), humidity extremes (too wet or too dry), moisture, and electrostatic and magnetic interference, and they also require mitigation. Take these actions to limit environmental damage to Cisco network devices:

• Supply the room with dependable temperature and humidity control systems. Always verify the recommended environmental parameters of the Cisco network equipment with the supplied product documentation.

• Remove any sources of electrostatic and magnetic interference in the room.

• If possible, remotely monitor and alarm the environmental parameters of the room.

Maintenance threats

Maintenance threats include poor handling of key electronic components, electrostatic discharge (ESD), a lack of critical spares or backup parts for critical network components, poor cabling, and incorrect labeling of components and their cabling. Maintenance-related threats are a broad category that includes many items. Follow the general rules listed here to prevent maintenance-related threats:

• Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.

• Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.

• Always follow ESD procedures when replacing or working with internal router and switch device components.

• Maintain a stock of critical spares for emergency use.

• Do not leave a console connected to and logged into any console port. Always log off administrative interfaces when leaving a station.

• Do not rely upon a locked room as the only necessary protection for a device. Always remember that no room is ever totally secure. After intruders are inside a secure room, nothing is left to stop them from connecting a terminal to the console port of a Cisco router or switch.

Cisco's IOS Firewall

Intrusion detection

A deep packet inspection tool that lets you monitor, intercept, and respond to abuse in real time by referencing 102 of the most common attack and intrusion detection signatures.

ICMP inspection

Basically permits responses to ICMP packets like ping and traceroute that come from inside your firewall while denying other ICMP traffic.

Authentication proxy

A feature that makes users authenticate any time they want to access the network's resources through HTTP, HTTPS, FTP, and Telnet. It keeps personal network access profiles for users and automatically gets them for you from a RADIUS or TACACS+ server and applies them as well.

Per-user firewalls

These are basically personalized, user-specific, downloadable firewalls obtained through service providers. You can also get personalized ACLs and other settings via AAA server profile storage.

Denial of service (DoS) detection and prevention

A feature that checks packet headers and drops any packets it finds suspicious.

Access Control List Standard and Extended

ACLs are basically a set of statements, grouped together by a number or a name, that is used to filter traffic entering or leaving an interface.

When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:

• Inbound (as the traffic comes into an interface)

• Outbound (before the traffic exits an interface)

Inbound ACLs:

Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is processed for routing.

Outbound ACLs:

Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

Universal facts about access control lists

• ACLs come in two varieties: numbered and named.

• Each of these supports two types of filtering: standard and extended.

• Standard IP ACLs can filter only on the source IP address inside a packet, whereas extended IP ACLs can filter on both the source and destination IP addresses in the packet.

• There are two actions an ACL can take: permit or deny.

• Statements are processed top-down.

• Once a match is found, no further statements are processed; therefore, order is important.

• If no match is found, the implicit deny statement at the end of the ACL drops the packet.

• An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL.

No matter what type of ACL you use, though, you can have only one ACL per protocol, per interface, per direction. For example, you can have one IP ACL inbound on an interface and another IP ACL outbound on an interface, but you cannot have two inbound IP ACLs on the same interface.

Access List Ranges

| Type                       | Range     |
| IP Standard                | 1–99      |
| IP Extended                | 100–199   |
| IP Standard Expanded Range | 1300–1999 |
| IP Extended Expanded Range | 2000–2699 |

Standard ACLs

A standard IP ACL is simple; it filters based on source address only. You can filter a source network or a source host, but you cannot filter based on the destination of a packet, the particular protocol being used such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), or on the port number. You can permit or deny only source traffic.

Extended ACLs:

An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allow administrators more flexibility and control.

Named ACLs

One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is not too descriptive of its use. With a named ACL, this is not the case because you can name your ACL with a descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs. 

Another advantage to named ACLs is that they allow you to remove individual lines out of an ACL. With numbered ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create the entire list.

Configuration Guidelines

• Order of statements is important: put the most restrictive statements at the top of the list and the least restrictive at the bottom.

• ACL statements are processed top-down until a match is found, and then no more statements in the list are processed.

• If no match is found in the ACL, the packet is dropped (implicit deny).

• Each ACL needs either a unique number or a unique name.

• The router cannot filter traffic that it, itself, originates.

• You can have only one IP ACL applied to an interface in each direction (inbound and outbound); you can't have two or more inbound or outbound ACLs applied to the same interface. (Actually, you can have one ACL for each protocol, such as IP and IPX, applied to an interface in each direction.)

• Applying an empty ACL to an interface permits all traffic by default: in order for an ACL to have an implicit deny statement, you need at least one actual permit or deny statement.

• Remember the numbers you can use for IP ACLs. Standard ACLs can use numbers ranging from 1–99 and 1300–1999, and extended ACLs can use 100–199 and 2000–2699.

• A wildcard mask is not a subnet mask. Like an IP address or a subnet mask, a wildcard mask is composed of 32 bits. To convert a subnet mask into a wildcard mask, subtract each byte of the subnet mask from 255.

There are two special wildcard masks: 0.0.0.0 and 255.255.255.255.

A 0.0.0.0 wildcard mask is called a host mask: every bit of the address must match, so it selects a single host.

If you enter an address with the wildcard mask 255.255.255.255, the router converts the address and mask to the keyword any.

Placement of ACLs

Standard ACLs should be placed as close to the destination devices as possible.

Extended ACLs should be placed as close to the source devices as possible.

Network Security: Reconnaissance Attacks

A reconnaissance attack occurs when an adversary tries to learn information about your network.

Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities.

Reconnaissance is also known as information gathering and, in most cases, precedes an actual access or DoS attack. First, the malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host.

Reconnaissance is somewhat analogous to a thief investigating a neighborhood for vulnerable homes, such as an unoccupied residence or a house with an easy-to-open door or window. In many cases, intruders look for vulnerable services that they can exploit later, when it is less likely that anyone is watching.

Access Attacks

An access attack occurs when someone tries to gain unauthorized access to a component, tries to gain unauthorized access to information on a component, or increases their privileges on a network component. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

DoS Attacks

DoS attacks involve an adversary reducing the level of operation or service, preventing access to, or completely crashing a network component or service.

Password Attacks

A password attack usually refers to repeated attempts to identify a user account, password, or both. These repeated attempts are called brute-force attacks. Password attacks are implemented using other methods, too, including Trojan horse programs, IP spoofing, and packet sniffers.

Password attack threat-mitigation methods

A security risk lies in storing passwords as plaintext. You need to encrypt passwords to overcome this risk. On most systems, passwords are processed through an encryption algorithm that generates a one-way hash of the password. You cannot reverse a one-way hash back to its original text. Most systems do not decrypt the stored password during authentication; they store only the one-way hash. During the login process, you supply an account and password, and the password encryption algorithm generates a one-way hash. The algorithm compares this hash to the hash stored on the system. If the hashes are the same, the algorithm assumes that the user supplied the proper password.

Remember that passing the password through an algorithm results in a password hash. The hash is not the encrypted password, but rather a result of the algorithm. The strength of the hash is that the hash value can be recreated only with the original user and password information and that retrieving the original information from the hash is impossible. This strength makes hashes perfect for encoding passwords for storage. In granting authorization, the hashes, rather than the plain password, are calculated and compared.

Password attack threat-mitigation methods include these guidelines:

• Do not allow users to have the same password on multiple systems. Most users have the same password for each system they access, as well as for their personal systems.

• Disable accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.

• Do not use plaintext passwords. Use either a one-time password (OTP) or an encrypted password.

• Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters. Many systems now provide strong password support and can restrict users to strong passwords only.
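The following added Python example (written for this page, not taken from it or from any Cisco product) makes the hash-comparison login described above concrete and applies three of the guidelines in one place: the password is never stored, only a one-way hash of it; the account is disabled after a fixed number of failed logins; and new passwords must satisfy the strong-password rule (8+ characters with uppercase, lowercase, digits, and special characters). It uses a salted, iterated hash (PBKDF2-HMAC-SHA256), which is the modern form of the one-way hash the text describes; the account store, user names, iteration count, and lockout threshold are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Added example for this page (not Cisco's or any product's code). The account
# store, user names, iteration count and lockout threshold are constructed.
ACCOUNTS = {}
LOCKOUT_THRESHOLD = 5       # disable the account after this many consecutive failures
HASH_ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster


def is_strong_password(password):
    """The page's rule: at least 8 characters with upper, lower, digit and special."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password, salt):
    """One-way, salted, iterated hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)


def create_account(username, password):
    """Enroll a user; reject passwords that fail the strong-password policy."""
    if not is_strong_password(password):
        raise ValueError("password does not meet the strong-password policy")
    salt = os.urandom(16)   # per-user salt: equal passwords give different hashes
    ACCOUNTS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "failures": 0,
        "disabled": False,
    }
    return ACCOUNTS[username]


def login(username, password):
    """Return 'ok', 'bad-password', 'disabled' or 'no-such-user'."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost, so timing does not reveal whether the user exists
        return "no-such-user"
    if rec["disabled"]:
        return "disabled"
    candidate = hash_password(password, rec["salt"])
    # Compare hash to hash, in constant time; the stored value is never decrypted.
    if hmac.compare_digest(candidate, rec["hash"]):
        rec["failures"] = 0
        return "ok"
    rec["failures"] += 1
    if rec["failures"] >= LOCKOUT_THRESHOLD:
        rec["disabled"] = True   # guideline: disable after N unsuccessful logins
    return "bad-password"


if __name__ == "__main__":
    create_account("alice", "Str0ng!Pass")      # constructed credentials
    print(login("alice", "Str0ng!Pass"))        # ok
    for _ in range(LOCKOUT_THRESHOLD):
        print(login("alice", "guess"))           # bad-password ... then disabled on later tries
    print(login("alice", "Str0ng!Pass"))        # disabled
```

The per-user salt is what makes the "same password on multiple systems" guideline visible in the data: two accounts enrolled with the same password get different stored hashes, so one leaked hash does not identify the other account.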

The standard authentication protocols used by network services such as RAS and VPN include the following:

Password Authentication Protocol

The Password Authentication Protocol (PAP) sends the user's username and password in plain text. It is very insecure because someone can capture and read the logon traffic. This is the authentication protocol used by the basic authentication method mentioned previously.

Challenge Handshake Authentication Protocol

With the Challenge Handshake Authentication Protocol (CHAP), the server sends the client a challenge (a key), which is combined with the user's password. Both the user's password and the challenge are run through the MD5 hashing algorithm (a formula), which generates a hash value, or mathematical answer, and that hash value is sent to the server for authentication. The server uses the same challenge to create a hash value from the password stored on the server and then compares the resulting value with the hash value sent by the client. If the two hash values are the same, the client has supplied the correct password. The benefit is that the user's credentials have not been passed on the wire at all.
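The CHAP exchange described above, as an added Python example that is not part of the original page: the response value is computed the way RFC 1994 specifies, MD5 over the one-octet identifier, the secret, and the challenge, and the server marks each challenge as consumed so that a captured response cannot be replayed against a later challenge. One caveat the text does not mention is that RFC 1994 requires the authenticator to hold the secret in cleartext, so unlike the password database discussed earlier, CHAP secrets cannot be stored as one-way hashes. The user name and secret are constructed.

```python
import hashlib
import hmac
import os

# Added example for this page, not Cisco's implementation. The response is
# MD5(identifier || secret || challenge) as RFC 1994 specifies. RFC 1994 also
# requires the authenticator to hold the secret in cleartext, which is why
# CHAP secrets cannot be stored as one-way hashes.


def chap_response(identifier, secret, challenge):
    """Compute the 16-byte CHAP response value for one challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)  # username -> cleartext secret (constructed)
        self.pending = {}             # identifier -> challenge awaiting a response
        self.next_id = 0

    def challenge(self, length=16):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # the identifier is one octet
        chal = os.urandom(length)                 # fresh random challenge every time
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident, username, response):
        chal = self.pending.pop(ident, None)      # each challenge is usable once
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Peer side: knows its secret and never puts it on the wire."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def respond(self, ident, chal):
        return self.username, chap_response(ident, self.secret, chal)


def run_exchange(server, client):
    """Drive one Challenge / Response / Success-or-Failure exchange; return (ok, transcript)."""
    transcript = []
    ident, chal = server.challenge()
    transcript.append(("server->client", "Challenge", ident, chal.hex()))
    username, response = client.respond(ident, chal)
    transcript.append(("client->server", "Response", ident, username, response.hex()))
    ok = server.verify(ident, username, response)
    transcript.append(("server->client", "Success" if ok else "Failure", ident))
    return ok, transcript


if __name__ == "__main__":
    srv = ChapServer({"alice": b"constructed-secret"})
    ok, lines = run_exchange(srv, ChapClient("alice", b"constructed-secret"))
    for line in lines:
        print(*line)
    print("authenticated:", ok)
```

The transcript returned by run_exchange is what an eavesdropper would see: a random challenge and a 16-byte digest, but never the secret itself, which is the property the text describes.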

Microsoft Challenge Handshake Authentication Protocol MS-CHAP

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) uses the Microsoft Point-to-Point Encryption (MPPE) protocol along with MS-CHAP to encrypt all traffic from the client to the server. MS-CHAP is a variant of the CHAP authentication protocol and uses MD4 as the hashing algorithm instead of the MD5 used by CHAP.

MS-CHAPv2

With MS-CHAP version 2, the authentication method has been extended to authenticate both the client and the server. MS-CHAPv2 also uses stronger encryption keys than CHAP and MS-CHAP.

Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP) allows for multiple logon methods such as smartcard logon, certificates, Kerberos, and public-key authentication. EAP is also frequently used with RADIUS, which is a central authentication service that can be used by RAS, wireless, or VPN solutions.

How to configure standard access list on router

In this article we will configure a standard access list.

We will use the RIP topology that we created in the RIP routing practical.

[pic]

Download this RIP routing topology and open it in packet tracer

Rip Routing

Because a standard access list filters traffic based only on the source address, all you need is the IP address of the host or subnet you want to permit or deny. ACLs are created in global configuration mode and then applied to an interface. The syntax for creating a standard ACL is

access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard mask]

Three basic steps to configure Standard Access List

• Use the access-list global configuration command to create an entry in a standard ACL.

• Use the interface configuration command to select an interface to which to apply the ACL.

• Use the ip access-group interface configuration command to activate the existing ACL on an interface.

With access lists you will have a variety of uses for wildcard masks, but from a CCNA exam perspective you should typically be able to do the following:

• Match a specific host,

• Match an entire subnet,

• Match an IP range, or

• Match Everyone and anyone

Match specific hosts

Task

Your task is to block 10.0.0.3 from gaining access to the 40.0.0.0 network, while 10.0.0.3 must still be able to communicate with the other networks. The other computers on the 10.0.0.0 network must still be able to connect to the 40.0.0.0 network.

Decide where to apply ACL and in which directions.

Our host must be able to communicate with all other hosts except those on 40.0.0.0, so we will place this access list on FastEthernet 0/1 of R2 (2811), the interface connected to the 40.0.0.0 network. The direction will be out, because the packet is filtered as it leaves the interface. If you placed this list on R1 (1841) instead, host 10.0.0.3 would not be able to communicate with any other host, not only 40.0.0.0.

To configure R2, double-click it and select CLI. (Use only one of the two methods below; the result is the same.)

R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 1 deny host 10.0.0.3

R2(config)#access-list 1 permit any

R2(config)#interface fastEthernet 0/1

R2(config-if)#ip access-group 1 out

OR

R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0

R2(config)#access-list 1 permit any

R2(config)#interface fastEthernet 0/1

R2(config-if)#ip access-group 1 out

To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out because the packet is filtered by the ACL. Then ping 30.0.0.3; it should be answered successfully.

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 40.0.0.3:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 30.0.0.3

Pinging 30.0.0.3 with 32 bytes of data:

Request timed out.

Reply from 30.0.0.3: bytes=32 time=140ms TTL=126

Reply from 30.0.0.3: bytes=32 time=156ms TTL=126

Reply from 30.0.0.3: bytes=32 time=112ms TTL=126

Ping statistics for 30.0.0.3:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 112ms, Maximum = 156ms, Average = 136ms

Because we applied the access list only to a specific host, the other computers on the 10.0.0.0 network must still be able to connect to the 40.0.0.0 network. To test, ping from 10.0.0.2 to 40.0.0.3.

PC>ipconfig

IP Address......................: 10.0.0.2

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 10.0.0.1

PC>ping 40.0.0.3

Pinging 40.0.0.3 with 32 bytes of data:

Request timed out.

Reply from 40.0.0.3: bytes=32 time=141ms TTL=126

Reply from 40.0.0.3: bytes=32 time=140ms TTL=126

Reply from 40.0.0.3: bytes=32 time=125ms TTL=126

Ping statistics for 40.0.0.3:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

Minimum = 125ms, Maximum = 141ms, Average = 135ms

Match an entire subnet

Task

Your task is to block the network 10.0.0.0 from gaining access to 40.0.0.0, while 10.0.0.0 must still be able to communicate with the other networks.

Wildcards

Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks.

Formula to calculate wild card mask for access list

The key to matching an entire subnet is to use the following formula for the wildcard mask:

Wildcard mask = 255.255.255.255 – subnet mask

So, for example, if the subnet mask is 255.0.0.0, the wildcard mask is 0.255.255.255:

  255.255.255.255
- 255.  0.  0.  0
  ---------------
    0.255.255.255

Once you have calculated the wildcard mask, the rest is the same as in the previous example.

R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255

R2(config)#access-list 2 permit any

R2(config)#interface fastethernet 0/1

R2(config-if)#ip access-group 2 out

R2(config-if)#

To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out because the packet is filtered by the ACL. Then ping 30.0.0.3; it should be answered successfully.

Now ping from 10.0.0.2 to 40.0.0.3 and then to 30.0.0.2; the results should be the same, because the filtering is now based on the network rather than on a single host.

Match an IP range

You are a network administrator at . Your task is to block the IP range 10.3.16.0 – 10.3.31.255 from gaining access to the network 40.0.0.0.

Solution

Our range is 10.3.16.0 – 10.3.31.255. To find the mask, take the higher IP address and subtract the lower IP address from it:

  10.  3. 31.255
- 10.  3. 16.  0
  --------------
   0.  0. 15.255

So the wildcard mask for this range is 0.0.15.255.

To block this range, as the task requires, you would use the following:

R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255

R2(config)#access-list 2 permit any

R2(config)#interface fastethernet 0/1

R2(config-if)#ip access-group 2 out

R2(config-if)#

One thing to note is that each octet value in the wildcard mask must be one less than a power of 2, i.e. 0, 1, 3, 7, 15, 31, 63, 127 or 255.
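The wildcard calculations above, as an added Python example that is not from the original page. It goes one step beyond the subtraction: it also performs the alignment check the note just made, since a range can be written as a single entry only when the difference is a run of low-order one bits and the low address starts on that boundary.

```python
import ipaddress
from typing import Tuple

MASK32 = 0xFFFFFFFF

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_subnet_mask(mask: str) -> str:
    """The formula above: wildcard mask = 255.255.255.255 - subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def is_valid_wildcard(wildcard: str) -> bool:
    """Every octet must be one less than a power of two: 0, 1, 3, 7, 15, 31, 63, 127 or 255."""
    return all((int(o) + 1) & int(o) == 0 for o in wildcard.split("."))

def wildcard_from_range(low: str, high: str) -> str:
    """Wildcard for a range: high minus low.  Also checks that the range is one aligned block:
    the difference must be a run of low-order 1 bits and the low address must start on a
    multiple of the block size, otherwise a single entry would match addresses outside the range."""
    lo, hi = _ip(low), _ip(high)
    if hi < lo:
        raise ValueError("high address is below low address")
    wc = hi - lo
    if (wc + 1) & wc != 0 or lo & wc != 0:
        raise ValueError(f"{low}-{high} is not a single aligned block; split it into several entries")
    return str(ipaddress.IPv4Address(wc))

def matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """How the router compares a packet address with an entry: bits under a 1 in the wildcard are ignored."""
    care = ~_ip(wildcard) & MASK32
    return (_ip(addr) ^ _ip(acl_addr)) & care == 0

def covered_range(acl_addr: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous-wildcard entry matches, to check your work."""
    lo = _ip(acl_addr) & (~_ip(wildcard) & MASK32)
    hi = lo | _ip(wildcard)
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))
```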

Match Everyone and Anyone

This is the easiest of Access-Lists to create, just use the following: 

access-list 1 permit any 

or

access-list 1 permit 0.0.0.0 255.255.255.255

Secure telnet session via standard ACL

This is among the most heavily tested topics in the CCNA exam. We could use an extended ACL to secure telnet sessions, but if you did that you'd have to apply it inbound on every interface, and that really wouldn't scale well to a large router with dozens, even hundreds, of interfaces. Here's a much better solution:

Use a standard IP access list to control access to the VTY lines themselves.

To perform this function, follow these steps:

1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.

2. Apply the access list to the VTY lines with the access-class command.

Secure R2 so that only 20.0.0.2 can telnet to it; all other telnet sessions should be denied.

R2>enable

R2#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R2(config)#access-list 3 permit host 20.0.0.2

R2(config)#line vty 0 4

R2(config-line)#password vinita

R2(config-line)#login

R2(config-line)#access-class 3 in

To test, first telnet from 20.0.0.2; it should succeed.

PC>ipconfig

IP Address......................: 20.0.0.2

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 20.0.0.1

PC>telnet 50.0.0.2

Trying 50.0.0.2 ...

User Access Verification

Password:

R2>

Now telnet from any PC other than 20.0.0.2; it must be filtered and denied.

PC>ipconfig

IP Address......................: 20.0.0.3

Subnet Mask.....................: 255.0.0.0

Default Gateway.................: 20.0.0.1

PC>telnet 50.0.0.2

Trying 50.0.0.2 ...

% Connection refused by remote host

PC>

How to configure extended access list on router

In this article we will configure an extended access list. If you want to read about the features and characteristics of access lists, read the previous article.

We will use the RIP-running topology that we created in the RIP routing practical.

Download this RIP routing topology and open it in Packet Tracer.

Three basic steps to configure Extended Access List

• Use the access-list global configuration command to create an entry in an extended ACL.

• Use the interface configuration command to select an interface to which to apply the ACL.

• Use the ip access-group interface configuration command to activate the existing ACL on an interface.

An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allow administrators more flexibility and control.

access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

|Command Parameters |Descriptions |
|access-list |Main command |
|access-list-number |Identifies the list using a number in the range 100–199 or 2000–2699 |
|permit / deny |Indicates whether this entry allows or blocks the specified address |
|protocol |IP, TCP, UDP, ICMP, GRE, or IGRP |
|source and destination |Identifies the source and destination IP addresses |
|source-wildcard and destination-wildcard |Wildcard masks applied to the source and destination addresses (see the wildcard mask formula above) |
|operator port |The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number referenced can be either the source port or the destination port, depending on where in the ACL entry the port is configured. As an alternative to the port number, well-known application names can be used, such as Telnet, FTP, and SMTP |
|established |For inbound TCP only. Allows TCP traffic to pass if the packet is a response to a session initiated from inside. This type of traffic has the acknowledgement (ACK) bit set. (See the established keyword section below.) |
|log |Sends a logging message to the console |

Before we configure an extended access list you should memorise some important port numbers.

Well-Known Port Numbers and IP Protocols

|Port Number |IP Protocol |
|20 (TCP) |FTP data |
|21 (TCP) |FTP control |
|23 (TCP) |Telnet |
|25 (TCP) |Simple Mail Transfer Protocol (SMTP) |
|53 (TCP/UDP) |Domain Name System (DNS) |
|69 (UDP) |TFTP |
|80 (TCP) |HTTP |

With extended access lists you will have a variety of uses for wildcard masks and port matching, but from a CCNA exam perspective you should typically be able to do the following:

• Block host to host

• Block host to network

• Block network to network

• Block telnet access to the company's critical resources

• Limit FTP access to specific users

• Stop discovery of the private network by ping

• Limit web access

• Configure the established keyword

Block host to host

Task

You are the network administrator at . Your company hires a new employee and gives him PC 10.0.0.3. Your company's critical records are kept on 40.0.0.3, so you are asked to block access from 10.0.0.3 to 40.0.0.3, while 10.0.0.3 must still be able to connect to the other computers on the network to perform his tasks.

Decide where to apply ACL and in which directions.

Because we are configuring an extended access list, we can filter the packet as soon as it is generated. So we will place our access list on F0/0 of Router1841, the port nearest to 10.0.0.3.

To configure Router1841 (hostname R1), double-click it and select CLI.

R1>enable

R1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0

R1(config)#access-list 101 permit ip any any

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip access-group 101 in

R1(config-if)#exit

R1(config)#

Verify by pinging from 10.0.0.3 to 40.0.0.3; it should time out. Also ping other computers on the network, including 40.0.0.2; those pings should succeed.

Block host to network

Task

Now we will block 10.0.0.3 from gaining access to the network 40.0.0.0. (If you are doing this practical after configuring the previous example, don't forget to remove the previous access list 101 with the no access-list 101 command, or just close Packet Tracer without saving and reopen it to continue with this example.)

R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255

R1(config)#access-list 102 permit ip any any

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip access-group 102 in

R1(config-if)#exit

R1(config)#

Verify by pinging from 10.0.0.3 to 40.0.0.3 and 40.0.0.2; both should time out. Also ping computers on other networks; those pings should succeed.


Network to Network Access List

Task

The students' lab is configured on the 10.0.0.0 network, while the management systems remain on the 40.0.0.0 network. You are asked to stop the lab systems from gaining access to the management systems.

Now we will block the network 10.0.0.0 from gaining access to the network 40.0.0.0. (If you are doing this practical after configuring the previous example, don't forget to remove the previous access list (102) with the no access-list command, or just close Packet Tracer without saving and reopen it to continue with this example.)

R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255

R1(config)#access-list 103 permit ip any any

R1(config)#interface fastethernet 0/0

R1(config-if)#ip access-group 103 in

R1(config-if)#exit

R1(config)#

Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3 and 40.0.0.2; all should time out. Also ping computers on other networks; those pings should succeed.

Network to host

Task

For the final scenario you will block all traffic from the 10.0.0.0 network to 40.0.0.3. To accomplish this, write an extended access list. It should look something like the following (the first commands remove access list 103 from the previous example):

R1(config)#interface fastethernet 0/0

R1(config-if)#no ip access-group 103 in

R1(config-if)#exit

R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255

R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0

R1(config)#access-list 104 permit ip any any

R1(config)#interface fastethernet 0/0

R1(config-if)#ip access-group 104 in

R1(config-if)#exit

R1(config)#

Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3; both should time out. Also ping computers on other networks; those pings should succeed.

Application based Extended Access list

In the previous examples we filtered traffic based on IP addresses. Now we will filter traffic based on the application. To do this practical, either create a topology as shown in the figure and enable the telnet, HTTP and FTP services on the server, or download the preconfigured Extended Access list topology and load it in Packet Tracer.

The established keyword

The established keyword is an advanced feature that allows traffic through only if it sees that a TCP session is already established. A TCP session is considered established once the three-way handshake has been initiated. This keyword is added only to the end of extended ACL entries that filter TCP traffic.

You can use TCP established to deny all traffic into your network except for incoming traffic that was first initiated from inside your network. This is commonly used to block all originating traffic from the Internet into a company's network except for Internet traffic that was first initiated from users inside the company. The following configuration would accomplish this for all TCP-based traffic coming in to interface serial 0/0/0 on the router:

R1(config)#access-list 101 permit tcp any any established

R1(config)#interface serial 0/0/0

R1(config-if)#ip access-group 101 in

R1(config-if)#exit

Although the access list is using a permit statement, all traffic is denied unless it is first established from the inside network. If the router sees that the three-way TCP handshake is successful, it will then begin to allow traffic through.

To test this access list, double-click any PC on the 10.0.0.0 network and select Web Browser. Enter the IP address of the 30.0.0.2 web server; the web page should load successfully. Now go to 30.0.0.2, open the command prompt and ping 10.0.0.2 or any other PC on the 10.0.0.0 network; the ping will time out.

Stop ping but can access web server

We host our web server on 30.0.0.2, but we do not want external users to be able to ping our server, since ping could be used for a denial of service. Create an access list that filters all ping requests inbound on the serial 0/0/0 interface of router2.

R2(config)#access-list 102 deny icmp any any echo

R2(config)#access-list 102 permit ip any any

R2(config)#interface serial 0/0/0

R2(config-if)#ip access-group 102 in

To test this access list, ping from 10.0.0.2 to 30.0.0.2; it should time out. Now open the web browser and access 30.0.0.2; the page should be retrieved successfully.

Grant FTP access to limited user

You want to grant FTP access only to 10.0.0.2; no other user needs FTP access to the server. So you want to create a list that prevents FTP traffic originating from the subnet 10.0.0.0/8 and going to the 30.0.0.2 server from traveling in on Ethernet interface E0/1 on R1.

R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20

R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21

R1(config)#access-list 103 deny tcp any any eq 20

R1(config)#access-list 103 deny tcp any any eq 21

R1(config)#access-list 103 permit ip any any

R1(config)#interface fastethernet 0/1

R1(config-if)#ip access-group 103 in

R1(config-if)#exit

Grant Telnet access to limited user

For security purposes you don’t want to allow telnet access to the server from any system except your own. Your system is 10.0.0.4. Create an extended access list that prevents telnet traffic originating from the subnet 10.0.0.0 from reaching the server.

R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23

R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23

R1(config)#access-list 104 permit ip any any

R1(config)#interface fast 0/1

R1(config-if)#ip access-group 104 in

R1(config-if)#exit
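An added Python model, not from the original page and not an IOS implementation, of how the router evaluates the extended lists in this section: it parses the access-list lines exactly as written above, compares addresses with wildcard masks, honours eq, established (the TCP ACK bit) and the ICMP echo keyword, and applies the implicit deny at the end. Only the keywords used on this page are understood, and eq is taken as the destination port, which is a simplifying assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care' for that bit."""
    return ((_ip(addr) ^ _ip(base)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str]             # (address, wildcard mask)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # "eq <port>" after the destination
    established: bool = False        # match only TCP segments with the ACK bit set
    icmp_type: Optional[str] = None  # e.g. "echo"

def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [established] [ICMP-TYPE]'.
    Constructed, simplified parser: only the keywords this page uses; 'eq' is taken as the destination port."""
    tok = line.split()
    rest = tok[4:]
    entry = Entry(tok[2], tok[3], _take_addr(rest), _take_addr(rest))
    while rest:
        t = rest.pop(0)
        if t == "eq":
            entry.dst_port = int(rest.pop(0))
        elif t == "established":
            entry.established = True
        elif entry.protocol == "icmp":
            entry.icmp_type = t
        else:
            raise ValueError(f"unsupported keyword {t!r}")
    return entry

def evaluate(acl: List[Entry], protocol: str, src: str, dst: str, dst_port: Optional[int] = None,
             ack: bool = False, icmp_type: Optional[str] = None) -> str:
    """Top-down, first match wins; every ACL ends with an implicit 'deny any any'.
    'ack' is the TCP ACK bit: clear on the first SYN of a session, set on every later segment."""
    for e in acl:
        if (e.protocol in ("ip", protocol)
                and wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)
                and (e.dst_port is None or dst_port == e.dst_port)
                and (e.icmp_type is None or icmp_type == e.icmp_type)
                and (not e.established or ack)):
            return e.action
    return "deny"

ACL_103 = [parse_entry(line) for line in (   # the FTP list from above, fed through the parser
    "access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20",
    "access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21",
    "access-list 103 deny tcp any any eq 20",
    "access-list 103 deny tcp any any eq 21",
    "access-list 103 permit ip any any")]
```

Evaluating the established list (101) with the same function shows why the ping from 30.0.0.2 in that example times out: ICMP never matches a tcp entry, so it falls through to the implicit deny.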
