Cisco security architectures: Part 2

Format: PDF. Pages: 176. File size: 9 MB.

Contents

Chapter 7: Cisco Router Access Lists

Overview

In the previous chapters, we have reviewed the operation of many protocols. As we will see, an understanding of the inner workings of these protocols and their address structure is critical to the proper construction and implementation of Cisco access lists. In this chapter, we will begin our discussion by defining Cisco access lists and examining their role in securing Cisco networks. We then examine the Cisco methodology for constructing and maintaining Cisco access lists. Once we have a basic understanding of how access lists are constructed, we will begin our discussion of IP access lists and provide detailed examples showing their use. We will also make a distinction between traditional IP access lists and next-generation IP access lists. Next-generation IP access lists provide significant enhancements beyond the capability of traditional IP access lists.

Cisco Access List Technology

We will begin by discussing why access lists are important to Cisco security. There are many facets to security, and one of the most important is the capability to control the flow of data packets within a network. Specifically, preventing packets from entering a network by examining information within the packet header is critical. This capability is typically termed "packet filtering" and is one of the most important uses of Cisco access lists although, as we shall see, it is not the only use. Packet filtering allows you to control data flows in your network based on source and destination IP addresses and the type of application used. For example, packet filtering allows you to prevent packets from entering your network if the packets are part of a telnet session that originated from certain address ranges. Additionally, you can prevent all packets from a certain IP address range from entering your network, regardless of the application used. These kinds of functions are especially useful when applied to routers.
In many cases, routers serve as a boundary between administrative domains. The term "administrative domain" is used to indicate a general grouping of network devices such as workstations, servers, routers, and network links that are maintained by a single administrative group. Many times the term "autonomous system" is used to serve the same designation, but autonomous system has a very specific meaning in computer networks, so we will use administrative domain instead. Different administrative domains normally have different security policies, and there is usually limited access between data networks in separate administrative domains. In most cases, an administrative domain makes up a company's corporate network, although some large companies may have many administrative domains. One of the functions served by routers is to tie these separate administrative domains together. Routers serve this function, for example, as a connection point between a corporate LAN and the Internet or between two or more corporate networks. In these situations, routers are uniquely suited to filter packets because every packet between the two administrative domains must pass through the router. Additionally, a router is usually necessary to enable data network connectivity between geographically separated organizations, so no additional equipment or software is needed to enable the security functions of packet filtering. Although special hardware can be installed in many server platforms to provide WAN connectivity between separate organizations, these solutions typically do not scale very well. Servers usually do not offer the same range of protocols and physical interfaces as a Cisco router. Although an adequate solution can be built from various server hardware and software for small organizations, many organizations prefer an "off the shelf" solution. 
All the functionality for creating a complex security perimeter solution is contained within the Cisco IOS; no add-on software packages or hardware components need to be purchased. Cisco uses the term Internetwork Operating System (IOS) to designate the operating system used by Cisco routers. The operating system on Cisco routers provides many of the same features of more traditional operating systems, like Unix and Windows, but it also provides many specialized features. It controls the system hardware such as memory and interfaces, and also takes care of executing necessary system tasks like moving packets and building dynamic information such as the routing and ARP tables. When an administrator issues commands at a router prompt to modify a router's configuration, the commands interface with the IOS. One of the most powerful features of the Cisco router IOS is its capability to intelligently filter packets flowing between data networks. This capability is provided through the creation and application of access lists.

Access Lists Defined

An access list is an ordered list of statements denying or permitting packets based on matching criteria contained within the packet. Let's examine this definition in greater detail. An access list is an ordered list. In other words, the order in which the statements are created in an access list is very important. One of the most common mistakes made when creating access lists is entering the access list statements in an incorrect order. Access list statements can either permit or deny packets. Additionally, it should be pointed out now that there is always an implicit "Deny All" statement at the end of a Cisco access list. A packet that is not explicitly permitted will be rejected by the implicit Deny All statement at the end of the access list. Another common mistake when creating access lists is forgetting this fact.
The criteria used to permit or deny packets are based solely on information contained within the packet itself. Usually, this information is restricted to information contained within the layer 3 or layer 4 header. Therefore, with few exceptions, access lists cannot use information above layer 4 to filter packets. Although application-specific commands may be contained in the data portion of the packet, an access list is not capable of filtering based on this information. For example, an access list is not capable of filtering specific FTP commands. The one caveat to this is the use of Context-Based Access Control (CBAC), which has the capability to filter packets based on well-known application layer information. CBAC will be covered in detail in Chapter 8, "Advanced Cisco Router Security Features."

The above discussion is not meant to imply that the only function of access lists is packet filtering. This is most certainly not the case. Cisco access lists are used for many purposes other than packet filtering. In fact, anytime a list of permitted addresses and/or protocols is needed to define which packets are to be included in a process, an access list is used. Some of the other situations in which access lists can be used are as follows:

• Dial on Demand: Access lists are used to define which packets are permitted to cause a dial connection to occur. This is commonly called defining interesting packets.
• Queuing Features: Access lists define which types of packets are allocated to different types of outgoing queues so that some classes of packets are given priority over others.
• Routing Update Filters: Access lists prevent certain network routes from being advertised or accepted by routing protocols.
• Router Access: Access lists control telnet and SNMP access to the router itself. This is in contrast to filtering packets that pass through the router.
As can be seen from this list, access lists play an integral role in many features used in Cisco routers, but not all of these features are related to security. In addition to examining the use of access lists for packet filtering, we will briefly examine the use of access lists to control access to the router and their use in filtering routing protocol updates. Many sources also provide information on these and other uses of access lists on the Cisco web site. The remainder of this chapter will concentrate on the use of access lists for packet filtering.

Creating Access Lists

We now turn our attention to the creation and operation of access lists. The basic syntax of an access list is:

    access-list [1-1199] [permit|deny] [protocol|protocol-keyword] [source source-wildcard|any] [source port] [destination destination-wildcard|any] [destination port] [precedence precedence] [options]

We will discuss each of these fields in detail next. The actual command keyword is access-list; the bracketed items are English equivalents of the command syntax. Each section of the command is shown on its own line with a number to facilitate discussion. In practice, each access list entry normally appears on a single line in the router configuration.

    1. access-list [access list number 1-1199]
    2. [permit or deny]
    3. [some protocol]
    4. [source address and mask]
    5. [source port number or range]
    6. [destination address and mask]
    7. [destination port number or range]
    8. [options]

A few words need to be said about the above command structure. First, not all the fields are required. Only fields 1, 2, and 4 are required in every type of access list. Most access lists also include fields 3 and 6. Each field is discussed below:

[access list number 1-1199] The actual number that is used varies, depending on the type of access list used. Different types of access lists use different numbers. An IP access list, for example, uses a different number than an IPX access list. There are many different types of access lists.
[permit or deny] A permit or deny statement is always required. This is how you specify whether the packets that match an access list entry are to be allowed or denied access.

[some protocol] Quite a few different protocols can be filtered using an access list. A short list includes IP, IPX, AppleTalk, DECnet, VINES, and XNS. It is also possible to filter on MAC layer addresses. Within most protocol stacks, there are usually additional protocols that can be filtered. For example, filters can also be created for TCP, UDP, and ICMP, all of which use IP at the network layer.

[source address and mask] The source address and mask of the packets is always required. The source address is normally the layer 3 address of the packet, unless the access list is a MAC layer filter. The mask portion tells the router how much of the address to match when filtering packets. The concept is similar to a subnet mask. For instance, you may want to match all packets originating from the 10.10.0.0 255.255.0.0 subnet. The mask allows you to tell the router to match only the first two octets of the address. If no mask is specified, an exact match is assumed. If 10.10.0.0 is typed, the access list entry would only match packets with a source address of 10.10.0.0 (a very unlikely source address). Although the principle is the same, the syntax of this mask is different than that of a network mask. We cover this topic in greater detail later. In addition to the use of an actual address, many protocols also support the use of the "any" keyword.

[source port number or range] This field is used when filtering on layer 4 information. It allows you to specify a particular higher-layer port. If the access list protocol is TCP, for example, you could specify a source TCP port of 25 (SMTP). You can also use symbols like GT for "greater than," LT for "less than," and RANGE to create specific ranges of port numbers.
[destination address and mask] This field has the same parameter structure as the source address and mask.

[destination port number or range] This field has the same parameter structure as the source port number or range.

[options] This field allows a variety of additional fields to be matched in the access list entry. The contents of the field vary depending on the type of access list. A typical option for a TCP access list would be "established," indicating the access list entry would examine the packet to see if the ACK or RST bit is set. The "log" option is also common, indicating that matches of the access list entry should be logged to the router's buffer or a syslog server. Other options include filtering on TOS and IP precedence. We will cover each of these fields for particular IP access lists later in this chapter. Access lists for other protocols will be discussed in later chapters.

Access List Details

The code below is a portion of a sample access list configuration for a Cisco router applied to the serial 0 interface. Only the relevant portions of the configuration are shown.

    interface Serial0
     ip address 170.10.10.1 255.255.255.0
     ip access-group 101 in
    !
    access-list 101 permit tcp any any established
    access-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53
    access-list 101 permit ip any host 160.10.2.101
    access-list 101 permit icmp any any echo-reply

Figure 7-1 shows the router this sample configuration is taken from.

Figure 7-1: A diagram showing the router from which the sample configuration is taken.

For the moment, try not to be too concerned about interpreting what this access list is doing; we will cover this topic in greater detail later. Instead, concentrate on examining how the access list statements have been created and how the access list has been applied. Notice that the access list has been created in one section and there is a separate command for applying the access list to the serial interface.
Also notice that the access list is applied to the serial interface in a particular direction. The direction indicates whether packets are examined as they arrive (in) or leave (out) an interface on the router. The English translation of this access list is included below. Each access list entry appears on a separate line, followed by its explanation.

    access-list 101 permit tcp any any established

This permits TCP from any host to any host if the ACK or RST bit is set, which indicates it is part of an established connection. Note that the first packet in a TCP conversation does not have the ACK bit set. Essentially, the established keyword is designed to prevent TCP conversations from being initiated from the untrusted side of a router while allowing packets that are part of an already established TCP conversation to go through.

    access-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53

This permits UDP from any host with a client source port (ports below 1024 are reserved for servers) to host 160.10.2.100 with destination port DNS (53).

    access-list 101 permit ip any host 160.10.2.101

This permits IP from any host to host 160.10.2.101.

    access-list 101 permit icmp any any echo-reply

This permits ICMP from any host to any host if the packet is a response to a ping request (echo-reply).

    access-list 101 deny ip any any

This denies all other packets (this line is implicit and does not appear unless explicitly typed).

Some of the access list syntax may be unfamiliar right now. In later sections, we will cover the syntax of different types of IP access lists in greater detail.

Applying Access Lists

For those unfamiliar with IOS commands, the block of code below displays the commands to actually create the access list shown earlier in the sample access list configuration code and apply it to the interface.
    2514# config term
    2514(config)# access-list 101 permit tcp any any established
    2514(config)# access-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53
    2514(config)# access-list 101 permit ip any host 160.10.2.101
    2514(config)# access-list 101 permit icmp any any echo-reply
    2514(config)# interface serial 0
    2514(config-if)# ip access-group 101 in
    2514(config-if)# exit
    2514(config)# exit
    2514#

Notice that the access list entries in the code here are entered in the same order in which they appear in the earlier configuration code. This is no accident. New access list entries are always added to the bottom of the existing access list; there is currently no mechanism for adding entries into a specific position in the access list without deleting and recreating the entire access list. This is extremely important because, as we mentioned earlier, access lists are ordered lists. They are evaluated from the top down. Once a matching entry is found, the access list processing function exits and no more entries are considered. The flowchart shown in Figure 7-2 illustrates this process.

Figure 7-2: A logical flowchart illustrating how packets are matched against the entries in an access list.

The access list code contains several points of interest. First, notice that only TCP/IP protocols are used in this example, yet numerous protocols other than those in the TCP/IP suite can be specified. Table 7-1 shows the types of access lists that can be created for various protocols. The number range on the right side of the table specifies the access list number range that is used when creating an access list of the specified type.
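The evaluation rules the chapter has laid out so far (ordered statements, top-down first match, the implicit Deny All, the wildcard mask, the port operators, and the "established" keyword) can be checked against the sample access list 101 with a small simulator. The following is an added example written for this page; it is not code from the book or from Cisco IOS. It models only the fields an extended IP access list inspects, uses the IOS wildcard-mask convention that the chapter covers later (a 0 bit must match, a 1 bit is ignored), and treats "established" as "ACK or RST set", exactly as the text describes. The outside addresses 200.1.1.1 and 172.16.5.5 and the WRONG_ORDER list are constructed for the demonstration; the second list shows the ordering mistake the chapter warns about, where a specific deny placed below a broader permit is never reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    """Constructed packet model: only the header fields an extended IP access list inspects."""
    proto: str                           # "tcp", "udp", "icmp" or "ip" (any other IP protocol)
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"SYN"}) or frozenset({"ACK"})
    icmp_type: Optional[str] = None      # e.g. "echo" or "echo-reply"


def addr_match(addr: str, spec: str) -> bool:
    """spec is 'any', 'host A.B.C.D', 'A.B.C.D' (exact, as when no mask is typed) or 'A.B.C.D W.W.W.W'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host" or len(parts) == 1:
        base, wildcard = parts[-1], "0.0.0.0"
    else:
        base, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    # Wildcard mask: bits set to 1 are ignored, bits set to 0 must be equal.
    return (a | w) == (b | w)


def port_match(port: Optional[int], spec: Optional[Tuple]) -> bool:
    """spec is None (any port), ('eq', n), ('gt', n), ('lt', n) or ('range', lo, hi)."""
    if spec is None:
        return True
    if port is None:
        return False
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    if op == "range":
        return spec[1] <= port <= spec[2]
    raise ValueError(f"unknown port operator {op}")


@dataclass
class Entry:
    """One access-list statement: the numbered fields of the command syntax."""
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every IP protocol
    src: str
    dst: str
    sport: Optional[Tuple] = None
    dport: Optional[Tuple] = None
    established: bool = False            # TCP only: ACK or RST bit must be set
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (addr_match(pkt.src, self.src) and addr_match(pkt.dst, self.dst)):
            return False
        if not (port_match(pkt.sport, self.sport) and port_match(pkt.dport, self.dport)):
            return False
        # A bare SYN (first packet of a connection) has neither ACK nor RST, so it fails "established".
        if self.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl, pkt: Packet):
    """Top-down, first match wins. Returns (action, index); index None means the implicit Deny All fired."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


# Access list 101 from the chapter's sample configuration.
ACL_101 = [
    Entry("permit", "tcp", "any", "any", established=True),
    Entry("permit", "udp", "any", "host 160.10.2.100", sport=("gt", 1023), dport=("eq", 53)),
    Entry("permit", "ip", "any", "host 160.10.2.101"),
    Entry("permit", "icmp", "any", "any", icmp_type="echo-reply"),
]

# Ordering mistake (constructed): the specific deny sits below a broader permit and never fires.
WRONG_ORDER = [
    Entry("permit", "ip", "any", "host 160.10.2.101"),
    Entry("deny", "ip", "host 172.16.5.5", "host 160.10.2.101"),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))
```

Running `evaluate(ACL_101, Packet("tcp", "200.1.1.1", "160.10.2.50", 40000, 80, frozenset({"SYN"})))` returns `('deny', None)`: the SYN fails the first entry, matches nothing else, and falls through to the implicit Deny All. The same packet with the ACK flag returns `('permit', 0)`. Against WRONG_ORDER a packet from 172.16.5.5 is permitted by entry 0 before the deny is ever consulted; against RIGHT_ORDER it is denied.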
Table 7-1: Access List Protocols and Their Number Ranges

    Protocol                                   Range
    IP                                         1-99
    Extended IP                                100-199
    Ethernet type code                         200-299
    Ethernet address                           700-799
    Transparent bridging (protocol type)       200-299
    Transparent bridging (vendor code)         700-799
    Extended transparent bridging              1100-1199
    DECnet and extended DECnet                 300-399
    XNS                                        400-499
    Extended XNS                               500-599
    AppleTalk                                  600-699
    Source-route bridging (protocol type)      200-299
    Source-route bridging (vendor code)        700-799
    IPX                                        800-899
    Extended IPX                               900-999
    IPX SAP                                    1000-1099
    Standard VINES                             1-100
    Extended VINES                             101-200
    Simple VINES                               201-300

When an access list is created, a number is assigned to the access list within a specific range. This number is used in all subsequent references to the access list. For example, in the configuration code, we used access list number 101. Looking in Table 7-1, we see that this could either be an Extended IP access list or an Extended VINES access list. In this case, it is an Extended IP access list, which we can tell by looking at the actual access list commands. Notice further in the configuration code that this number is used to reference the access list when it is applied to the serial 0 interface.

This brings us to the next point of interest regarding our sample configuration. Notice that there is a separate command beneath the serial 0 interface referencing access list 101. This command is how we indicate to the router that the access list will check packets either arriving or leaving this interface. If no commands apply the access list to an interface, creating the access list serves little purpose with regard to packet filtering. We could, however, create an access list for use with one of the other technologies mentioned earlier, in which case it would not be applied to an interface. For the most part, we will not cover other uses of access lists in this book. Until the access list is applied to an interface, no packet filtering occurs.
To reiterate, simply creating an access list is only the first step. To actually enable packet filtering using the created access list, the access list must be applied to an interface. It has already been stated that the command applying the access list to an interface is what indicates to the router that packets arriving or leaving the interface are subject to filtering. The direction of the filtering can be selected by using the keyword "in" or "out." Notice in the sample configuration code the use of the keyword "in." This tells the router to apply the access list filter to packets arriving inbound on the serial 0 interface. This corresponds to packets arriving from outside administrative domains and applies to packets arriving from the Internet. If we specify "out" as the keyword, we would be filtering packets that are leaving the serial 0 interface. This corresponds to packets originating from the Ethernet E0 interface in Figure 7-1, which means we would be filtering our own packets as they leave our administrative domain. Although this is certainly possible and sometimes desirable, it would not be what we want in this particular example.

A key point is that an outbound access list does not filter packets originated by the router itself. Even if a packet originated by the router matches a deny entry in an outbound access list, the packet will not be filtered. Essentially, packets originated by the router itself are not subject to outbound access list restrictions. Inbound packets destined for the router are subject to an inbound access list. This difference is important. If we were running a routing protocol on the serial interface of the router in Figure 7-1, we would need to explicitly allow routing updates in our access list. Otherwise, the implicit Deny All in the inbound access list would deny the routing updates.
One additional point worth noting is that an interface may have both an inbound and outbound access list for each protocol supported, but it may not have more than one of each for any particular protocol. We could have an Extended IP access list outbound, for example, on the serial 0 interface in our configuration, but we could not have an additional Extended IP access list inbound. Figure 7-3 shows a visual representation of this.
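The application rules in the last three paragraphs (a list filters nothing until it is applied with ip access-group; "in" and "out" select the direction; router-originated packets bypass an outbound list while inbound packets addressed to the router are still checked; and an interface holds at most one list per protocol per direction) are easy to get wrong in practice, so here is an added example, written for this page and not taken from the book or from IOS, that models exactly those rules. Matching is deliberately left out: an access list here is any callable that returns "permit" or "deny". The interface names Serial0 and Ethernet0 follow Figure 7-1; list numbers 101 and 102, the "routing" pseudo-protocol used to stand for a routing update, and the sample packets are constructed for the demonstration. Applying a second list of the same protocol in the same direction replaces the first in this model, which is how the model enforces the one-per-direction rule.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# An access list is modelled as a callable returning "permit" or "deny".
AccessList = Callable[[dict], str]


@dataclass
class Interface:
    name: str
    # (protocol, direction) -> access list number; at most one entry per protocol per direction.
    access_groups: Dict[Tuple[str, str], int] = field(default_factory=dict)


class Router:
    def __init__(self) -> None:
        self.acls: Dict[int, AccessList] = {}
        self.interfaces: Dict[str, Interface] = {}

    def access_list(self, number: int, acl: AccessList) -> None:
        """Creating a list filters nothing by itself; it must be applied with ip_access_group."""
        self.acls[number] = acl

    def interface(self, name: str) -> Interface:
        return self.interfaces.setdefault(name, Interface(name))

    def ip_access_group(self, ifname: str, number: int, direction: str) -> None:
        """Model of 'ip access-group <number> in|out'; a second list in the same direction replaces the first."""
        if direction not in ("in", "out"):
            raise ValueError(direction)
        if number not in self.acls:
            raise KeyError(number)
        self.interface(ifname).access_groups[("ip", direction)] = number

    def _permitted(self, ifname: str, direction: str, pkt: dict) -> bool:
        number = self.interface(ifname).access_groups.get(("ip", direction))
        return number is None or self.acls[number](pkt) == "permit"

    def forward(self, pkt: dict, ingress: Optional[str], egress: Optional[str],
                from_router: bool = False) -> str:
        """Run one packet through the lists that apply to it; egress None means it is addressed to the router."""
        # Inbound list on the arrival interface; a packet the router itself originated has no arrival interface.
        if not from_router and not self._permitted(ingress, "in", pkt):
            return "dropped by inbound list on " + ingress
        if egress is None:
            return "delivered to router"
        # The outbound list never applies to packets the router originated.
        if not from_router and not self._permitted(egress, "out", pkt):
            return "dropped by outbound list on " + egress
        return "forwarded out " + egress


def scenario() -> dict:
    """Walk through the chapter's points on the router of Figure 7-1 (constructed lists and packets)."""
    r = Router()
    r.access_list(101, lambda p: "permit" if p["proto"] == "routing" else "deny")  # permits only routing updates
    r.access_list(102, lambda p: "deny")                                           # denies everything
    outside = {"proto": "tcp", "src": "200.1.1.1"}
    update = {"proto": "routing"}
    out = {}
    out["unapplied"] = r.forward(outside, "Serial0", "Ethernet0")        # no list applied: nothing filtered
    r.ip_access_group("Serial0", 102, "in")
    out["update_denied"] = r.forward(update, "Serial0", None)           # inbound list blocks the update
    r.ip_access_group("Serial0", 101, "in")                              # replaces 102 inbound
    out["update_allowed"] = r.forward(update, "Serial0", None)
    out["outside_host"] = r.forward(outside, "Serial0", "Ethernet0")
    r.ip_access_group("Serial0", 102, "out")
    out["router_originated"] = r.forward(update, None, "Serial0", from_router=True)
    out["inside_host"] = r.forward({"proto": "tcp"}, "Ethernet0", "Serial0")
    out["lists_on_serial0"] = len(r.interface("Serial0").access_groups)  # one in, one out
    return out
```

`scenario()` shows the router's own routing update leaving Serial0 even though list 102 outbound denies everything, while the same update arriving on Serial0 is dropped until the inbound list explicitly permits it, and Serial0 ends up with exactly two IP lists, one per direction, no matter how many times a list is applied.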