Router Security to Protect the Network
All the topics discussed to this point in the chapter have covered the different steps that an administrator needs to take to protect the router itself. The next step you need to learn is how to configure the router to protect the network behind it. This can be done by using access lists or enhanced access lists, such as dynamic or time-based access lists. If a device is running a security image, those networks can also be protected by using Context-Based Access Control (CBAC).
Access Lists
On a router, access lists are used as packet filters to decide which packets can go across a certain interface. Packets that are allowed on an interface are called permitted packets, and packets that are not allowed are called denied packets. Access lists consist of one or more statements that determine what data is permitted and denied on an interface. The statements are known as Access Control Entries (ACEs). It is important to use well-written access lists to restrict access, because Cisco router security is highly dependent on them for filtering packets as they travel across the network. A router can identify an access list by either a name or a number. Table 8-2 lists some of the commonly used access list numbers and their associated types.
Access List Number | Type |
---|---|
1-99 | IP standard access list |
100-199 | IP extended access list |
800-899 | IPX standard access list |
1000-1099 | IPX SAP access list |
1300-1999 | IP standard access list (expanded range) |
2000-2699 | IP extended access list (expanded range) |
- Standard IP access lists: This type can filter IP packets based on the source address only.
- Extended IP access lists: This type can filter IP packets based on several attributes, including the following:
  - Source IP address
  - Destination IP address
  - Source TCP or UDP port
  - Destination TCP or UDP port
  - Protocol
The command syntax for a standard numbered access list is as follows:

```
access-list access-list-number {deny | permit} source [source-wildcard]
```

Table 8-3 describes the commands you can use when configuring a numbered access list.
Command | Description |
---|---|
access-list-number | Serves dual purposes: it identifies the list to which the entry belongs and indicates the type of list (see Table 8-2). |
Deny | Drops all packets matching the specific source address. |
Permit | Allows all packets matching the specific source address to flow through the interface. |
Source | Specifies the IP address of a host or group of hosts (if a wildcard mask is specified). |
source-wildcard | The wildcard mask is applied to the source group of hosts whose packets are to be examined. |
Example 8-7. Example Access List

```
Brussels(config)# access-list 1 permit 10.1.4.3
Brussels(config)# access-list 1 deny 10.1.0.0 0.0.255.255
Brussels(config)# access-list 1 permit 10.0.0.0 0.255.255.255
```

Network 10.0.0.0 is a class A address whose second octet specifies a subnet; the subnet mask is 255.255.0.0. The third and the fourth octets of the 10.0.0.0 address specify a particular host. The access list in Example 8-7 accepts one address (10.1.4.3) from subnet 1 and rejects all other addresses from that subnet. The last line indicates that this access list accepts addresses on all other 10.0.0.0 subnets.

NOTE

When building either standard numbered or named access lists, the end of the access list is by default an implicit deny all statement. Also, if you do not use a mask, the mask defaults to 0.0.0.0.

In addition to the keywords described previously, standard numbered IP access lists support the keywords described in Table 8-4.
Keyword | Description |
---|---|
any | Specifies any host. This is the same as typing 0.0.0.0 255.255.255.255. |
host | Specifies an exact host match. This is the same as using a mask of 0.0.0.0. |
log | Enables the logging of packets that match the deny or permit statement. |
The command syntax for a standard named access list is as follows:

```
ip access-list standard access-list-name {deny | permit} source [source-wildcard]
```

The command syntax for an extended numbered access list is as follows:

```
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} source source-wildcard [operator source-port] destination destination-wildcard [operator destination-port] [established] [log | log-input]
```

Table 8-6 describes the commands that can be used when configuring extended numbered access lists.
Command | Description |
---|---|
access-list-number | Represents the number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699. |
Deny | Denies access if the conditions are matched. |
Permit | Permits access if the conditions are matched. |
protocol-number | Specifies an integer in the range from 0 to 255 representing an Internet protocol number. |
protocol-keyword | Represents the name of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp , or udp. |
source | Represents the number of the network or host from which the packet is being sent. |
source-wildcard | Represents the wildcard bits to be applied to source. |
source-port | Specifies the port from which the packet originated. |
destination | Represents the number of the network or host to which the packet is being sent. |
destination-wildcard | Represents the wildcard bits to be applied to the destination. |
destination-port | Specifies the port to which the packet is being sent. |
operator | Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
established | Applies to the TCP protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. By default, the message is generated for the first packet that matches and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
log-input | Includes the input interface and source MAC address or VC in the logging output. |
any | Specifies any host. This is the same as using 0.0.0.0 255.255.255.255. |
host | Specifies an exact host match. This is the same as a wildcard mask of 0.0.0.0. |
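The filtering semantics that Tables 8-2 through 8-6 describe (wildcard masks, the any and host keywords, first-match processing and the implicit deny at the end of every list) are easy to get wrong when a list is written by hand. The following Python program is an added example, not code from the book or from Cisco IOS: it parses access-list lines in the syntax shown above and evaluates constructed packets against the lists of Examples 8-7 and 8-8. It models only the fields those tables describe, the port operator is limited to eq, and the PORT_NAMES table is a small assumed subset of the names IOS accepts.

```python
# Added example (not the book's or Cisco's code): a small model of how IOS
# evaluates a numbered IP access list, using the syntax from Tables 8-3
# through 8-6. Supported: standard lists (source only), extended lists
# (protocol, source, destination, an optional "eq" port operator) and the
# keywords any, host and log. First match wins; the implicit deny applies
# when nothing matches. Packets passed to evaluate() are constructed input.
import ipaddress

# Port names IOS accepts in place of numbers (assumed subset for this example).
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "ftp": 21, "domain": 53}


def wildcard_match(address, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care', a 0 bit
    must match the network. 0.0.0.0 is an exact host, 255.255.255.255 is any."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def _take_address(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]'. A missing
    wildcard defaults to 0.0.0.0 (exact host), as the chapter's note says."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' operator. lt, gt, neq and range from
    Table 8-6 are not modelled here."""
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        return (int(port) if port.isdigit() else PORT_NAMES[port]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one 'access-list <number> ...' line. The number decides, per
    Table 8-2, whether the entry is standard or extended."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number = int(tokens[1])
    standard = 1 <= number <= 99 or 1300 <= number <= 1999
    ace = {"action": tokens[2], "protocol": "ip", "src_port": None,
           "dst": ("0.0.0.0", "255.255.255.255"), "dst_port": None}
    rest = tokens[3:]
    if not standard:
        ace["protocol"], rest = rest[0], rest[1:]
    ace["src"], rest = _take_address(rest)
    if not standard:
        ace["src_port"], rest = _take_port(rest)
        ace["dst"], rest = _take_address(rest)
        ace["dst_port"], rest = _take_port(rest)
    ace["log"] = "log" in rest
    return ace


def ace_matches(ace, pkt):
    """pkt is a dict with src, dst and optionally protocol, src_port, dst_port."""
    if ace["protocol"] != "ip" and ace["protocol"] != pkt.get("protocol"):
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt.get("dst", "0.0.0.0"), *ace["dst"]):
        return False
    for field in ("src_port", "dst_port"):
        if ace[field] is not None and pkt.get(field) != ace[field]:
            return False
    return True


def evaluate(lines, pkt):
    """Walk the list top to bottom; the first matching entry decides. Returns
    (action, entry) where entry is the matching line or '<implicit deny>'."""
    for line in lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "<implicit deny>"


# The chapter's lists from Example 8-7 (standard) and Example 8-8 (extended).
STANDARD_1 = [
    "access-list 1 permit 10.1.4.3",
    "access-list 1 deny 10.1.0.0 0.0.255.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]
EXTENDED_101 = [
    "access-list 101 permit tcp any 134.34.0.0 0.0.255.255",
    "access-list 101 permit tcp any host 134.35.1.1 eq smtp",
]

if __name__ == "__main__":
    for src in ("10.1.4.3", "10.1.9.9", "10.2.3.4", "192.168.1.1"):   # constructed
        print(src, evaluate(STANDARD_1, {"src": src, "dst": "10.9.9.9"}))
```

evaluate returns the line that matched, which is the same information the log keyword and the match counters in show access-lists give you on a real router; running candidate packets through it before applying a list with ip access-group is a cheap way to catch an ordering mistake such as a broad permit placed above a specific deny.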
Example 8-8. Example of an Extended Numbered Access List

```
Brussels(config)# access-list 101 permit tcp any 134.34.0.0 0.0.255.255
Brussels(config)# access-list 101 permit tcp any host 134.35.1.1 eq smtp
```

In this example, all TCP packets with a destination in network 134.34.0.0 are permitted. All SMTP packets going to 134.35.1.1, which is a mail server, are also permitted by this access list.

The command syntax for an extended named access list is as follows:

```
ip access-list extended access-list-name {deny | permit} {protocol-number | protocol-keyword} source source-wildcard [operator source-port] destination destination-wildcard [operator destination-port] [established] [log | log-input]
```

All keywords have the same meaning as with the numbered extended access lists.

NOTE

You can add a comment in a named access list that helps you recognize an access list with the remark keyword. A remark can contain up to 100 characters, for example:

```
access-list 101 remark allow traffic to mail server
```

Access lists must be applied to a router interface to take effect. When an access list is applied to an interface, you also have to configure the direction of the data flow, as shown in Figure 8-1.

Figure 8-1. Access List Direction
- Inbound: The access list is applied to packets flowing toward the router interface.
- Outbound: The access list is applied to packets flowing away from the router interface.
The interface command to apply an access list to an interface is as follows:

```
ip access-group {access-list-number | access-list-name} {in | out}
```

Table 8-7 describes the keywords you can use when assigning the access list to an interface.
Keyword | Description |
---|---|
access-list-number | Number of the IP standard or extended numbered access list |
access-list-name | Name of the IP standard or extended named access list |
In | Filters on inbound packets |
Out | Filters on outbound packets |
Enhanced Access Lists
Several types of enhanced access lists can be configured on a router. So far, only standard and extended access lists have been discussed in this chapter. Enhanced access lists were designed to secure routers and their networks better. They all have special features, and selection depends on your particular needs for security. The following types of access lists are available:
- Dynamic access lists
- Time-based access lists
- Reflexive access lists
Dynamic Access Lists
Dynamic access lists, also known as lock-and-key, create specific, temporary openings in response to user authentication. It is highly recommended to use a TACACS+ server for the authentication of the user. TACACS+ provides authentication, authorization, and accounting services and is discussed in more detail in Chapter 11. In the example illustrated in Figure 8-2, no TACACS+ server has been included for authentication for the sake of simplicity. Figure 8-2 shows a user connected to the Internet. The user is trying to connect to a device in the internal network.
Figure 8-2. Dynamic Access List
[View full size image]

First, a local username is defined for the user who will authenticate:

```
Tokyo(config)#username user password te5t
```

Because you should not count on the user to issue the access-enable command correctly, you need the line that follows under vty 0 4. The access-enable command is used to create a temporary access list entry in a dynamic access list.

```
Tokyo(config)#line vty 0 4
Tokyo(config-line)#login local
Tokyo(config-line)#autocommand access-enable host timeout 10
```

The autocommand used in this example is executed immediately when a user logs in via Telnet.

NOTE

The 10 in the syntax above is the idle timeout of the access list and can be overridden by the timeout in the dynamic access list.

You can define an extended access list that is applied when any user logs in to the router and the access-enable command is issued. The maximum absolute time for this hole in the filter is set to 15 minutes. After 15 minutes, the hole closes whether or not anyone is using it. The name dyntest is needed but is not significant.

```
Tokyo(config)#access-list 101 dynamic dyntest timeout 15 permit ip any any
```

After that, define the access list needed to block everything except the ability to use Telnet to access the router. Users must telnet into this router to authenticate themselves as valid users. Therefore, the following line is needed for users to be able to telnet into this router:

```
Tokyo(config)#access-list 101 permit tcp any host 142.2.65.6 eq telnet
```

Now you only have to apply the access list to the interface on which users are coming in.

```
Tokyo(config)#interface FastEthernet0/0
Tokyo(config-if)#ip access-group 101 in
```

When using the show access-lists command, the access list looks like this before any user has used Telnet to reach the router:

```
Tokyo#sh access-lists
Extended IP access list 101
    Dynamic dyntest permit ip any any
    permit tcp any host 142.2.65.6 eq telnet
Tokyo#
```

If users now access the router via Telnet, they must provide their usernames and passwords:

```
C:\>telnet 142.2.65.5
User Access Verification
Username: user
Password:
No input access group defined for FastEthernet0/0.
[Connection to 142.2.65.6 closed by foreign host]
```

```
Brussels#telnet 142.2.65.6
Trying 142.2.65.6 ... Open
User Access Verification
Username: user
Password:
[Connection to 142.2.65.6 closed by foreign host]
Brussels#
```

If you now take a look at the access list again, it looks like the following code. A hole has been created in the access list: the user should now have complete IP access to any destination IP address from the source address (in the example, 142.2.65.5).

```
Tokyo#sh access-list
Extended IP access list 101
    Dynamic dyntest permit ip any any
       permit ip host 142.2.65.5 any (4 matches) (time left 586)
    permit tcp any host 142.2.65.6 eq telnet (40 matches)
Tokyo#
```
Time-Based Access Lists
In a time-based access list, the hole is created for a certain amount of time. The following commands are needed in order to configure a time-based access list:

```
Brussels(config)#int ethernet0/0
Brussels(config-if)#ip access-group time in
Brussels(config-if)#exit
Brussels(config)#ip access-list extended time
Brussels(config-ext-nacl)#permit tcp any any eq www time-range webaccess
Brussels(config-ext-nacl)#exit
Brussels(config)#time-range webaccess
Brussels(config-time-range)#periodic weekdays 8:00 to 18:00
Brussels(config-time-range)#end
Brussels#
```

This example allows users coming in on Ethernet 0/0 to have web access from 8:00 to 18:00 on all weekdays. Instead of weekdays, you can use several other keywords, such as the following:

Keyword | Description |
---|---|
Friday | Friday |
Monday | Monday |
Saturday | Saturday |
Sunday | Sunday |
Thursday | Thursday |
Tuesday | Tuesday |
Wednesday | Wednesday |
daily | Every day of the week |
weekdays | Monday through Friday |
weekend | Saturday and Sunday |
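How a time range gates an entry, as an added Python model that is not the book's or Cisco's code: it parses periodic statements like the one above, decides whether a given timestamp falls inside the range, and applies the chapter's list `time` (one time-gated permit followed by the implicit deny) to constructed packets. It goes slightly beyond the example by accepting several day names in one statement and several statements per range. Assumptions are stated in the header comment: end times are treated as inclusive to the minute, a range with several periodic statements is active when any one of them is satisfied, and ranges that cross midnight are not modelled.

```python
# Added example (not from the book or Cisco IOS): a model of how a time-range
# made of "periodic" statements gates an access list entry such as
# "permit tcp any any eq www time-range webaccess". While the time range is
# inactive the entry is skipped, so the packet falls through to the rest of
# the list and, in the chapter's list "time", to the implicit deny.
# Assumptions: the end time is inclusive to the minute, a time-range with
# several periodic statements is active when any one of them is satisfied,
# and ranges that cross midnight are not modelled. Dates and packets used
# with this code are constructed.
from datetime import datetime
from typing import Dict, Iterable, Set, Tuple, Union

# Days covered by each keyword "periodic" accepts (datetime.weekday(): Monday=0).
DAY_KEYWORDS: Dict[str, Set[int]] = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_periodic(statement: str) -> Tuple[Set[int], int, int]:
    """'periodic <day keyword(s)> HH:MM to HH:MM' -> (days, start, end) in
    minutes of the day. Several day names may be listed, for example
    'periodic Monday Friday 9:00 to 17:00'."""
    tokens = statement.split()
    if len(tokens) < 5 or tokens[0].lower() != "periodic" or tokens[-2] != "to":
        raise ValueError(f"unsupported statement: {statement}")
    days: Set[int] = set()
    for word in tokens[1:-3]:
        days |= DAY_KEYWORDS[word.lower()]
    return days, _minutes(tokens[-3]), _minutes(tokens[-1])


def time_range_active(statements: Iterable[str], when: datetime) -> bool:
    """A time-range is active when any of its periodic statements covers
    the weekday and the minute of the day."""
    minute_of_day = when.hour * 60 + when.minute
    for statement in statements:
        days, start, end = parse_periodic(statement)
        if when.weekday() in days and start <= minute_of_day <= end:
            return True
    return False


# The chapter's time-range "webaccess".
WEBACCESS = ("periodic weekdays 8:00 to 18:00",)


def filter_packet(pkt: dict, when: Union[datetime, str],
                  time_range: Iterable[str] = WEBACCESS) -> str:
    """Models the list 'time': 'permit tcp any any eq www time-range webaccess'
    followed by the implicit deny. 'when' may be a datetime or an ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if (time_range_active(time_range, when)
            and pkt.get("protocol") == "tcp" and pkt.get("dst_port") == 80):
        return "permit"
    return "deny"       # implicit deny at the end of the list


if __name__ == "__main__":
    web = {"protocol": "tcp", "dst_port": 80}          # constructed packet
    for stamp in ("2024-01-10T09:30", "2024-01-10T19:00", "2024-01-13T09:30"):
        print(stamp, filter_packet(web, stamp))
```

Note that the router clock, not the packet, decides which branch is taken; a time-based entry is only as trustworthy as the clock behind it, so NTP and clock monitoring belong to the review of such a list.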
Reflexive Access Lists
With reflexive access lists, you can filter network traffic at a router based on IP upper-layer protocol session information. Reflexive access lists can be defined by extended named IP access lists only; you cannot define them with numbered or standard named access lists. Reflexive access lists differ significantly from other types of access lists: they contain only temporary entries, which are created automatically when a new IP session begins and removed when the session ends. Reflexive access lists are not applied directly to the interface, but are nested within an extended named IP access list that is applied to that interface. The syntax to define a reflexive access list is as follows:

```
ip access-list extended name
permit protocol any any reflect reflection-name [timeout seconds]
```

Define the reflexive access list using the permit entry and the reflect option. Then you can apply the extended access list to an interface. After you define a reflexive access list in one IP extended access list, you must nest it within a different extended named IP access list with the evaluate command. Example 8-9 should make that procedure clear.

Example 8-9. Example of a Reflexive Access List

```
interface Serial0/0
 ip access-group incoming in
 ip access-group outgoing out
!
ip access-list extended outgoing
 permit tcp any any reflect tcptraffic
!
ip access-list extended incoming
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
```

With this configuration, before any TCP session has been initiated, show access-lists displays the following:

```
Tokyo#show access-lists
Extended IP access list incoming
    permit eigrp any any
    deny icmp any any (26 matches)
    evaluate tcptraffic
Extended IP access list outgoing
    permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
```

Notice that the reflexive access list does not have anything showing up in this output. Before any TCP session has been initiated, no traffic has triggered the reflexive access list, and the list is empty. After a Telnet connection is initiated, a temporary entry is generated that stays there for another 289 seconds, and the show access-lists output looks like this:

```
Tokyo#show access-lists
Extended IP access list incoming
    permit eigrp any any
    deny icmp any any (26 matches)
    evaluate tcptraffic
    permit ospf any any
Extended IP access list outgoing
    permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
    permit tcp host 142.2.65.6 eq 11001 host 142.2.65.5 eq telnet (25 matches) (time left 289)
```
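Both the dynamic access list described earlier in this section and the reflexive list of Example 8-9 work by inserting temporary entries whose lifetime is governed by timers: an idle timeout that matching traffic refreshes and, for dynamic lists, an absolute timeout as well. The following Python model is an added example, not code from the book or from IOS. The hosts, ports and clock values are constructed, and entries are rendered in the form show access-lists uses (matches and time left) so the timelines can be compared with the outputs shown in the chapter.

```python
# Added example (not the book's or Cisco's code): a model of the two kinds of
# temporary entries in this chapter. A dynamic (lock-and-key) entry is opened
# for an authenticated source host by access-enable and has an idle timeout
# (autocommand access-enable host timeout 10) plus an absolute timeout
# (access-list 101 dynamic dyntest timeout 15 ...). A reflexive entry mirrors
# an outbound TCP session (permit tcp any any reflect tcptraffic) and is
# removed once its timeout passes without traffic. Hosts, ports and clock
# values are constructed; "now" is a simulated clock in seconds.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A packet or entry key is (protocol, src, src_port, dst, dst_port). In a key,
# None means "any" for that field and protocol "ip" matches every protocol.
Key = Tuple[str, Optional[str], Optional[int], Optional[str], Optional[int]]


@dataclass
class TempEntry:
    key: Key
    created: int
    last_hit: int
    idle_timeout: int                        # seconds without a match
    absolute_timeout: Optional[int] = None   # dynamic lists only
    matches: int = 0

    def time_left(self, now: int) -> int:
        """Whichever timer runs out first closes the hole."""
        left = self.idle_timeout - (now - self.last_hit)
        if self.absolute_timeout is not None:
            left = min(left, self.absolute_timeout - (now - self.created))
        return left

    def matches_packet(self, pkt: Key) -> bool:
        proto, *fields = self.key
        if proto != "ip" and proto != pkt[0]:
            return False
        return all(want is None or want == got for want, got in zip(fields, pkt[1:]))

    def show(self, now: int) -> str:
        """Renders the entry the way show access-lists prints it."""
        proto, src, sp, dst, dp = self.key

        def endpoint(addr, port):
            text = "any" if addr is None else f"host {addr}"
            return text if port is None else f"{text} eq {port}"

        return (f"permit {proto} {endpoint(src, sp)} {endpoint(dst, dp)} "
                f"({self.matches} matches) (time left {self.time_left(now)})")


class TemporaryList:
    """The temporary entries nested inside a static access list."""

    def __init__(self) -> None:
        self.entries: List[TempEntry] = []

    def expire(self, now: int) -> None:
        self.entries = [e for e in self.entries if e.time_left(now) > 0]

    def lookup(self, pkt: Key, now: int) -> Optional[TempEntry]:
        """Returns the matching entry (refreshing its idle timer) or None, in
        which case the static entries below it and the implicit deny decide."""
        self.expire(now)
        for entry in self.entries:
            if entry.matches_packet(pkt):
                entry.matches += 1
                entry.last_hit = now
                return entry
        return None

    def show(self, now: int) -> List[str]:
        self.expire(now)
        return [e.show(now) for e in self.entries]


def access_enable(lst: TemporaryList, src_host: str, now: int,
                  idle_minutes: int = 10, absolute_minutes: int = 15) -> None:
    """What the autocommand does after a successful login: permit ip host <src> any."""
    lst.entries.append(TempEntry(("ip", src_host, None, None, None), now, now,
                                 idle_minutes * 60, absolute_minutes * 60))


def reflect_outbound(lst: TemporaryList, pkt: Key, now: int, timeout: int = 300) -> None:
    """An outbound TCP packet creates the mirrored (reply-direction) entry:
    source and destination, with their ports, are swapped."""
    proto, src, sp, dst, dp = pkt
    if proto == "tcp":
        lst.entries.append(TempEntry((proto, dst, dp, src, sp), now, now, timeout))


def scenario() -> dict:
    """Walks both mechanisms through a constructed timeline."""
    dyn = TemporaryList()
    access_enable(dyn, "192.0.2.10", now=0)            # user authenticated at t=0
    web = ("tcp", "192.0.2.10", 40000, "10.1.1.5", 80)
    result = {"dyn_show_14": dyn.show(14)}              # 600 - 14 = 586 s left
    result["dyn_hit"] = dyn.lookup(web, 14) is not None
    result["dyn_other_host"] = dyn.lookup(("tcp", "192.0.2.11", 40000, "10.1.1.5", 80), 14) is None
    dyn.lookup(web, 500)                                # traffic keeps the idle timer alive
    dyn.lookup(web, 899)
    result["dyn_absolute_closed"] = dyn.lookup(web, 901) is None   # 15 minutes passed

    refl = TemporaryList()
    reflect_outbound(refl, ("tcp", "10.1.1.5", 11001, "192.0.2.20", 23), now=0)
    result["refl_show_11"] = refl.show(11)              # 300 - 11 = 289 s left
    reply = ("tcp", "192.0.2.20", 23, "10.1.1.5", 11001)
    result["refl_reply_ok"] = refl.lookup(reply, 11) is not None
    result["refl_other_port"] = refl.lookup(("tcp", "192.0.2.20", 23, "10.1.1.5", 11002), 11) is None
    result["refl_expired"] = refl.lookup(reply, 400) is None
    return result


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The model makes the difference between the two holes visible: the dynamic entry is as wide as "permit ip host <src> any" for as long as either timer allows, which is why the chapter stresses authenticating the user and keeping the absolute timeout short, whereas the reflexive entry is narrowed to the exact reply tuple of one session and admits nothing else.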