Академический Документы
Профессиональный Документы
Культура Документы
Objectives
DMZ (Demilitarised Zone)management
Server deployment: security needs according to server specification eg printer
access, file management, data management, email
Border systems: Intrusion Detection Systems (IDS) eg firewalls filters and rules,
email monitoring, application and packet monitoring, signature management,
trust, network behavioural norms; access control eg traffic filters, route
redirection
User access: user group eg group membership, user group allocation,
attribution of rights; user eg personal attribution of rights, continual review of
rights allocation; rights eg file, server, service, data, hardware, printer, email
Physical security: power resilience and supply; physical access control eg lock
and key, electronic access control, personnel based security, biometrics;
hardware and systems redundancy; backup eg data, configuration, imaging;
recovery policies
2 Network Security
1
11/15/2015
3 Network Security
4 Network Security
2
11/15/2015
6 Network Security
3
11/15/2015
7 Network Security
8 Network Security
4
11/15/2015
9 Network Security
Packet Filtering:
The ACL can extract the following
information from the packet header,
test it against its rules and make
permit or deny decisions based on:
Source IP address.
Destination IP address.
and….
TCP/UDP source port.
TCP/UDP destination port.
Packet Filtering
works at Layer 3.
10 Network Security
5
11/15/2015
11 Network Security
For Example:
Web HTML OK
for Network A
but not for
Network B.
12 Network Security
6
11/15/2015
What is an ACL?
An Access Control List (ACL) is:
A sequential list of permit or deny statements.
Apply to IP addresses (Layer 3 header)
Apply to upper-layer protocols (Layer 4 header).
Controls whether a router permits or denies packets to pass through
the router.
A commonly used object in the Cisco IOS.
Also used to select certain types of traffic to be analyzed, forwarded
or processed.
o e.g. Network Address Translation (NAT), securing Telnet or SSH access
to the router.
13 Network Security
What is an ACL?
By default, a router does not have any ACLs.
As each packet comes through an interface with an associated ACL:
The ACL is checked from top to bottom.
o One line at a time.
Matches the pattern defined in the ACL statement to the specified
area of the incoming packet.
Stops checking when it finds a matching statement.
o Takes the defined action (permit or deny).
If no match is present, the default is to deny the packet.
14 Network Security
7
11/15/2015
What is an ACL?
Guidelines:
Firewall Routers
Each protocol,
outbound or inbound
traffic
15 Network Security
16 Network Security
8
11/15/2015
17 Network Security
Fa0/0 S0/0/0
18 Network Security
9
11/15/2015
Inbound
ACL
Inbound
ACL
20 Network Security
10
11/15/2015
Inbound
ACL
Implicit
Deny
21 Network Security
Outbound
ACL
22 Network Security
11
11/15/2015
Outbound
ACL
23 Network Security
Outbound
ACL Implicit
Deny
24 Network Security
12
11/15/2015
ACLs do not block packets that originate within the router. (i.e.
pings, telnets, ssh, etc.)
25 Network Security
26 Network Security
13
11/15/2015
27 Network Security
Extended:
28 Network Security
14
11/15/2015
29 Network Security
30 Network Security
15
11/15/2015
31 Network Security
32 Network Security
16
11/15/2015
33 Network Security
34 Network Security
17
11/15/2015
35 Network Security
36 Network Security
18
11/15/2015
37 Network Security
38 Network Security
19
11/15/2015
A single-entry ACL with only one deny entry has the effect of denying
all traffic.
You must have at least one permit statement in an ACL or all traffic is
blocked.
39 Network Security
40 Network Security
20
11/15/2015
41 Network Security
For Example:
To create a numbered ACL designated 10 that would permit
network 192.168.10.0 /24, you would enter:
42 Network Security
21
11/15/2015
For Example:
The remark keyword is used for documentation and makes
access lists a great deal easier to understand.
43 Network Security
44 Network Security
22
11/15/2015
45 Network Security
46 Network Security
23
11/15/2015
47 Network Security
48 Network Security
24
11/15/2015
Any Host
Subnet Hosts
49 Network Security
50 Network Security
25
11/15/2015
00000000.00000000.11111110.11111111
51 Network Security
52 Network Security
26
11/15/2015
OR
OR
OR
OR
53 Network Security
54 Network Security
27
11/15/2015
55 Network Security
Example 1:
Allow only traffic from network 192.168.10.0 to exit the network
on S0/0/0. Block any traffic from any other network.
56 Network Security
28
11/15/2015
Example 2:
Deny any traffic from host 192.168.10.10 and allow any other
192.160.10.0 traffic to exit the network on S0/0/0. Block any
traffic from any other network.
57 Network Security
Example 3:
Deny any traffic from host 192.168.10.10 and allow any other
subnet traffic to exit the network on S0/0/0.
58 Network Security
29
11/15/2015
List number
in – restricts incoming connections
out – restricts outgoing connections
59 Network Security
60 Network Security
30
11/15/2015
61 Network Security
31
11/15/2015
63 Network Security
64 Network Security
32
11/15/2015
65 Network Security
66 Network Security
33
11/15/2015
67 Network Security
Extended ACLs
Extended ACLs are used more often than standard ACLs
because they provide a greater range of control.
Extended ACLs can check:
Source packet address.
Destination address.
Protocol.
Port number or service.
Full Syntax:
68 Network Security
34
11/15/2015
Extended ACLs
The ability to filter on protocol and port number allows you to
build very specific extended ACLs.
69 Network Security
70 Network Security
35
11/15/2015
71 Network Security
Permit:
If this packet matches the test conditions, allow this packet to be
processed.
Deny:
If this packet matches the test conditions, drop it.
72 Network Security
36
11/15/2015
Router(config)# access-list
access-list-number
{ permit | deny }
protocol
source [source-wildcard]
destination [destination-wildcard]
operator [operand (port number / name)]
established
73 Network Security
74 Network Security
37
11/15/2015
Router(config)# access-list
access-list-number
{ permit | deny }
protocol
source [source-wildcard]
destination [destination-wildcard]
operator [operand (port number / name)]
established
75 Network Security
76 Network Security
38
11/15/2015
Router(config)# access-list
access-list-number
{ permit | deny }
protocol
source [source-wildcard]
destination [destination-wildcard]
operator [operand (port number / name)]
established
(Optional) The
decimal number or
name of a TCP or
UDP port.
77 Network Security
78 Network Security
39
11/15/2015
79 Network Security
Command Protocol
Operator +
Source Operand
Number
Permit/Deny Destination
80 Network Security
40
11/15/2015
Command Protocol
Responses
Number Source
Permit/Deny Destination
The nature of HTTP requires that traffic flow back into the network. All
incoming traffic, except for the established connections, is blocked from
entering the network.
81 Network Security
82 Network Security
41
11/15/2015
Deny FTP:
Deny all ftp
from
192.168.11.0.
eq ftp
eq ftp-data
83 Network Security
Deny Telnet:
Deny all telnet
from
192.168.11.0.
eq telnet
84 Network Security
42
11/15/2015
85 Network Security
There are specific examples of the above in the text and the
curriculum.
86 Network Security
43
11/15/2015
References
Blue Coat System (2007) Technology Primer: QoS and Bandwidth Management. USA
Cisco Inc (2009) CCNA Exploration Course Booklet: LAN Switching and Wireless Version 4.0. Cisco
Networking Academy Program. Cisco Press. ISBN-10:1587132540
Cisco Inc (2009) CCNA Exploration Course Booklet: Network Fundamentals 4.0. Cisco Networking
Academy Program. Cisco Press.
Stallings W – Network Security Essentials: Applications and Standards (Pearson, 2008) ISBN-10:
0132303787
Bishop, M. (2003). What is computer security?. Security & Privacy, IEEE, 1(1), 67-69.
Kaufman, C., Perlman, R., & Speciner, M. (2002). Network security: private communication in a public
world. Prentice Hall Press.
Bhaiji Y – Network Security Technologies and Solutions: CCIE Professional Development (Cisco
Press, 2008) ISBN-10: 1587052466
44