Monday, April 23, 2018


Routers and Routing Basics - Access Control Lists (ACLs)

“We Have Data Incoming…”

• Routers filter incoming data for sorting purposes.

– Packets filtered based on destination IP address, subsequently routed out the appropriate interface.

– What if we want only data originating from a special-access subnet to gain access to that certain destination IP address?

• Routers can also filter incoming data to block traffic according to defined access rules, called Access Control Lists (ACLs).

Introduction to ACLs

• Access Control Lists (ACLs) are sets of rules that test data as it reaches the router.

• ACLs are sequential lists of permit or deny statements that apply to addresses or Layer 3 and 4 protocols.

– Can be a simple single line-statement that permits packets from a specific host.

– Can be a complex set of rules and conditions that defines network traffic.

How do we use ACLs?

• A router interface accepts or denies incoming packets based on conditions specified in ACLs.

• For any router interface where ACLs are to be applied, there must be:

– An ACL per Layer 3 protocol.

– An ACL for inbound and another ACL for outbound traffic.

– An ACL for each Layer 4 port to be allowed access to.

• Thus ACLs can be used to:

– Preserve bandwidth and enhance network performance

– Provide basic network security

– Provide or deny access to services

How do ACLs work?

• Irrespective of an ACL applying to a router interface or not, incoming frames are checked for validity.

– If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface.

• The router compares incoming packets against each statement in the ACL from the top of the list to the bottom.

• When the first match is found, the router either accepts or rejects the packet according to the rule defined in that statement. No checking against further statements occurs.

– The order of ACL statements is of utmost importance!

• If the packet doesn’t match any ACL statement, it is rejected by the implicit deny that ends every ACL.

How do I make an ACL?

• There are three types of ACLs:

– Standard ACLs (IP lists use numbers 1-99), applied closest to the destination host/subnet whose access is to be restricted.

– Extended ACLs (IP lists use numbers 100-199), applied closest to the source host/subnet whose access is to be restricted.

– Named ACLs

• Steps to creating an access control list:

– Decide if the access list requires a number or if it is to be named.

• ACL number helps define which protocol this list applies to.

– Determine if the list will be used to permit or deny access.

– Specify the host/subnet whose traffic is to be scrutinised.

• When used with a wildcard mask, the result is a match value.

– Where applicable, add test conditions to the statement.

– Lastly, apply the access list to the relevant router interface for either inbound or outbound traffic

Wildcard Masks

• Wildcard masks tell an ACL which bits of IP addresses on incoming packets should be checked against the ACL match value.

• Wildcard masks look like IP subnet masks…

– Both are 32 bits long…

– … Wildcard masks can look like the reverse of subnet masks…

– THE SIMILARITY ENDS THERE!!!

• Binary 0s represent bits that MUST match the ACL. Binary 1s represent bits that are ignored.

How to make a Wildcard Mask

• To match a single host: Wildcard Mask = 0.0.0.0

• Eg., we would like to restrict access to the 192.168.14.3 host.

– Convert the host IP address 192.168.14.3 to binary: 11000000.10101000.00001110.00000011

• To restrict access to a single host, the wildcard mask will be all 0s for every bit of the IP address.

– To match a single IP address, every bit counts!

– Wildcard Mask: 00000000.00000000.00000000.00000000

11000000.10101000.00001110.00000011 → Host IP: 192.168.14.3
00000000.00000000.00000000.00000000 → Wildcard: 0.0.0.0
-----------------------------------------------------------
11000000.10101000.00001110.00000011 → Match Value

• The match value is only the IP address whose entire 32 bits equate to 192.168.14.3.

How to make a Wildcard Mask

• To match entire network: Wildcard Mask = Inverse of Subnet Mask.

• Eg., we would like to restrict access to the 172.16.0.0/16 network.

– Convert the network address 172.16.0.0 to binary: 10101100.00010000.00000000.00000000

• To restrict access to the entire network, the wildcard mask will be all 0s for every bit of the network portion of the IP address.

– The host portion does not matter, as we want to check all packets bound for the network regardless of which host on the network is the destination.

– Wildcard Mask: 00000000.00000000.11111111.11111111

10101100.00010000.00000000.00000000 → Network IP: 172.16.0.0
00000000.00000000.11111111.11111111 → Wildcard: 0.0.255.255
-----------------------------------------------------------
10101100.00010000.xxxxxxxx.xxxxxxxx → Match Value

• The match value is any IP address whose first 16 bits equate to 172.16. The remaining 16 bits can be anything – the ACL doesn’t care!

How to make a Wildcard Mask

• To match a subnet: Wildcard Mask = Inverse of Subnet Mask. Again.

• Eg., we would like to restrict access to the 172.16.16.0/20 subnet.

– Convert the subnet address 172.16.16.0 to binary: 10101100.00010000.00010000.00000000

• To restrict access to a subnet, the wildcard mask will be all 0s for every bit of the network and subnet portions of the address.

– The host portion does not matter, as we want to check all packets bound for the subnet regardless of which subnet host is the destination.

– Wildcard Mask: 00000000.00000000.00001111.11111111

– Notice the wildcard mask covers half of the third octet, as the first half is the subnet portion and the other half is part of the host portion.

10101100.00010000.00010000.00000000 → Network IP: 172.16.16.0
00000000.00000000.00001111.11111111 → Wildcard: 0.0.15.255
-----------------------------------------------------------
10101100.00010000.0001xxxx.xxxxxxxx → Match Value

• The match value is any IP address whose first 20 bits equal 172.16.16 – 172.16.31. The remaining 12 bits are ignored – the ACL still doesn’t care!

How to make a Wildcard Mask

• To match a custom IP address range: Have fun!

• Eg., we would like to restrict access to hosts with odd-numbered IP addresses on the 172.16.16.0/20 subnet.

– Convert the subnet address 172.16.16.0 to binary: 10101100.00010000.00010000.00000000

• To restrict access to this range, the wildcard mask will again be all 0s for every bit of the network and subnet portions of the address.

– The host portion does not matter, EXCEPT for the final bit on the right.

– Wildcard Mask: 00000000.00000000.00001111.11111110

– Remember that we’re targeting odd-numbered hosts: 172.16.16.1, .3, .5… so the original IP address must be modified to cater for this.

10101100.00010000.00010000.00000001 → Custom IP: 172.16.16.1
00000000.00000000.00001111.11111110 → Wildcard: 0.0.15.254
-----------------------------------------------------------
10101100.00010000.0001xxxx.xxxxxxx1 → Match Value

• The match values are host IPs whose first 20 bits equate to 172.16.16 – 172.16.31. The next 11 bits are ignored, but the last bit is crucial – it MUST be a binary 1 to be an odd-numbered address.
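The wildcard arithmetic in the four worked cases above can be checked mechanically. The following Python script is an added example, not part of the original slides: it derives the wildcard mask for a prefix as the bitwise inverse of the subnet mask, performs the bit-level match test a router applies (0 bits in the wildcard must agree, 1 bits are ignored), renders the match value in the same 0/1/x notation used on the slides, and builds the odd-host address/wildcard pair for any network, generalising the 172.16.16.0/20 case. The function names are this example's own.

```python
# Added example (not from the original slides): wildcard-mask arithmetic
# for standard/extended ACL statements.
import ipaddress
from typing import Tuple

MASK32 = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Dotted-quad text to a 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    """32-bit integer (possibly negative from ~) back to dotted quad."""
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix network = bitwise inverse of the subnet mask.
    /32 -> 0.0.0.0 (single host), /16 -> 0.0.255.255, /20 -> 0.0.15.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (MASK32 << (32 - prefix_len)) & MASK32
    return int_to_ip(~subnet_mask)


def matches(packet_ip: str, acl_address: str, wildcard: str) -> bool:
    """The router's test: every bit that is 0 in the wildcard must be equal
    between the packet address and the ACL address; 1 bits are ignored."""
    differing = ip_to_int(packet_ip) ^ ip_to_int(acl_address)
    return (differing & ~ip_to_int(wildcard) & MASK32) == 0


def match_value(acl_address: str, wildcard: str) -> str:
    """Render the match value as the slides do: checked bits as 0/1, ignored as x."""
    addr, wc = ip_to_int(acl_address), ip_to_int(wildcard)
    bits = []
    for i in range(31, -1, -1):            # most significant bit first
        if (wc >> i) & 1:
            bits.append("x")
        else:
            bits.append(str((addr >> i) & 1))
    return ".".join("".join(bits[j:j + 8]) for j in range(0, 32, 8))


def odd_host_acl(network: str, prefix_len: int) -> Tuple[str, str]:
    """Address/wildcard pair that matches only odd-numbered hosts in a network:
    set the low bit of the address to 1 and clear it in the wildcard so it is
    checked, while the rest of the host portion stays ignored."""
    address = ip_to_int(network) | 1
    wildcard = ip_to_int(wildcard_from_prefix(prefix_len)) & ~1
    return int_to_ip(address), int_to_ip(wildcard)


if __name__ == "__main__":
    # Reproduce the slides' four cases.
    print("host     ", "192.168.14.3", wildcard_from_prefix(32),
          match_value("192.168.14.3", "0.0.0.0"))
    print("/16      ", "172.16.0.0", wildcard_from_prefix(16),
          match_value("172.16.0.0", "0.0.255.255"))
    print("/20      ", "172.16.16.0", wildcard_from_prefix(20),
          match_value("172.16.16.0", "0.0.15.255"))
    addr, wc = odd_host_acl("172.16.16.0", 20)
    print("odd hosts", addr, wc, match_value(addr, wc))
    print("172.16.20.7 odd?", matches("172.16.20.7", addr, wc),
          "172.16.20.8 odd?", matches("172.16.20.8", addr, wc))
```

A useful habit when writing a custom wildcard is to run `match_value` on the pair and read the `x` positions back: if a bit you meant to check shows as `x`, the statement matches more than intended.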

Standard ACLs

• Router(config)# access-list list-number {permit | deny} source [source-wildcard] [log]

Router(config)# access-list list-number remark text

– list-number: A number from 1-99 for standard IP ACLs.

– permit | deny: Permits or denies access for the packet if the conditions are matched.

– remark: Add an optional description of the ACL.

– source: The host/subnet whose traffic is to be scrutinised.

– source-wildcard: Wildcard mask to be applied to the source.

– log: Optional; sends a logging message to the console every time a packet matches this statement.

• Router(config)# interface router-interface

Router(config-if)# ip access-group list-number {in | out}

• Router(config)# line vty 0 4

Router(config-line)# access-class list-number {in | out}
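To see the top-to-bottom first-match rule, the implicit deny and the importance of statement order in action, here is an added Python simulator for standard ACL statements written in the syntax above. It is not the router's code and not part of the original slides; the sample ACL (list 10) is constructed for the example, and `shadowed_statements` is this example's own check for statements that an earlier statement makes unreachable.

```python
# Added example (not from the original slides or Cisco's code): a small
# simulator for Cisco-style standard IP ACL statements that shows the
# top-to-bottom first-match rule, why statement order matters, and the
# implicit deny that ends every ACL.
import ipaddress
from typing import Dict, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _wildcard_match(packet_ip: str, address: str, wildcard: str) -> bool:
    # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
    return ((_ip(packet_ip) ^ _ip(address)) & ~_ip(wildcard) & MASK32) == 0


def parse_standard_acl(lines: List[str]) -> Tuple[int, List[Dict]]:
    """Parse 'access-list N {permit|deny} source [wildcard] [log]' statements in
    order. Accepts the IOS shorthands 'host A' and 'any'; remark lines are skipped."""
    list_number: Optional[int] = None
    entries: List[Dict] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list statement: {line!r}")
        number = int(tokens[1])
        if not 1 <= number <= 99:
            raise ValueError(f"{number} is not a standard IP ACL number (1-99)")
        if list_number is None:
            list_number = number
        elif number != list_number:
            raise ValueError("all statements must belong to the same list")
        if tokens[2] == "remark":
            continue
        action, rest = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r} in {line!r}")
        log = bool(rest) and rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest == ["any"]:
            address, wildcard = "0.0.0.0", "255.255.255.255"
        elif len(rest) == 2 and rest[0] == "host":
            address, wildcard = rest[1], "0.0.0.0"
        elif len(rest) == 1:                      # IOS default wildcard is 0.0.0.0
            address, wildcard = rest[0], "0.0.0.0"
        elif len(rest) == 2:
            address, wildcard = rest[0], rest[1]
        else:
            raise ValueError(f"cannot parse source in {line!r}")
        entries.append({"action": action, "address": address,
                        "wildcard": wildcard, "log": log, "text": line})
    if list_number is None:
        raise ValueError("empty ACL")
    return list_number, entries


def evaluate(entries: List[Dict], source_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, matching statement). Statements are tested top to bottom
    and the first match wins; no match means the implicit deny at the end."""
    for entry in entries:
        if _wildcard_match(source_ip, entry["address"], entry["wildcard"]):
            if entry["log"]:
                print(f"ACL log: {source_ip} matched {entry['text']!r}")
            return entry["action"], entry["text"]
    return "deny", None


def shadowed_statements(entries: List[Dict]) -> List[str]:
    """Statements that can never match because an earlier statement already
    covers every address they cover: the earlier wildcard ignores at least the
    same bits, and both addresses agree on every bit the earlier one checks."""
    shadowed = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            wc_e, wc_l = _ip(earlier["wildcard"]), _ip(later["wildcard"])
            same_checked = ((_ip(earlier["address"]) ^ _ip(later["address"]))
                            & ~wc_e & MASK32) == 0
            if (wc_e | wc_l) == wc_e and same_checked:
                shadowed.append(later["text"])
                break
    return shadowed


# Constructed sample ACL: the deny on the third line is unreachable because
# the second line already permits every host in 172.16.16.0/20.
ACL_LINES = [
    "access-list 10 remark constructed example: only the special-access subnet",
    "access-list 10 permit 172.16.16.0 0.0.15.255",
    "access-list 10 deny host 172.16.20.7 log",
    "access-list 10 permit host 10.1.1.5",
]

if __name__ == "__main__":
    number, acl = parse_standard_acl(ACL_LINES)
    for ip in ("172.16.20.7", "10.1.1.5", "192.168.14.3"):
        print(number, ip, evaluate(acl, ip))
    print("shadowed:", shadowed_statements(acl))
```

Running it shows 172.16.20.7 being permitted by the subnet statement even though a later line denies it (and the `log` on that line never fires), 192.168.14.3 falling through to the implicit deny, and the unreachable deny reported by `shadowed_statements`. Moving the host deny above the subnet permit is the fix, which is the point of the "order is of utmost importance" bullet.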

Extended ACLs

• Router(config)# access-list list-number [dynamic dynamic-name [timeout minutes]] {permit | deny} protocol source source-wildcard [operator [port-number | port-name]] destination destination-wildcard [operator [port-number | port-name]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

– For icmp and igmp the port options are replaced by [icmp-type [icmp-code] | icmp-message] and [igmp-type] respectively; port operators and established apply to tcp (operators also to udp).

– Extended ACLs are more precise in their definitions, hence can be applied in a more specific fashion – but they are FAR more complex!

• Both source and destination can be specified.

• ACL can match on port number as well.

• Pre-established connections can be treated differently to new connections, using the established option.

• Router(config)# interface router-interface

Router(config-if)# ip access-group list-number {in | out}

Named ACLs

• Router(config)# ip access-list {standard | extended} list-name

– Named ACLs provide the convenience of describing ACLs, rather than just assigning numbers.

– Unlike standard and extended ACLs, we can define as many named ACLs as we like.

• Router(config)# interface router-interface

Router(config-if)# ip access-group list-name {in | out}

Where do I apply ACLs?

• Placement of ACLs is crucial to their effectiveness:

– Must secure the network as defined in the ACL statements.

– Has to be efficient, else network traffic won’t be reduced as hoped.

• In general:

– Extended ACLs can be very specific in their definition, and as such should be placed as close as possible to the source of traffic to be restricted. Eg., deny FTP from LAN on Router A to LAN on Router D.

– Standard ACLs are broadly defined and cannot specify destination address, and as such should be placed as close as possible to the destination of traffic to be restricted. Eg., deny all traffic from LAN on Router A from reaching Router D.

ACLs for firewalls?

• Instead of using a single router or appliance as a firewall, ideally a network firewall using multiple ACLs should be implemented.

• In the above figure the exterior router directs all incoming traffic to the application gateway, or proxy server.

– Exterior router can let in all traffic on only certain specific ports

– Blocks all other traffic on non-standard ports, helping to protect the integrity of the proxy server.

• In turn, the interior router only accepts Internet traffic from the proxy server, not directly from the exterior router.

– Allows control of traffic entering or exiting a specific part of the internal network.
