Named ACLs

Overview

A named access list can be either a standard or an extended access list; the only difference is that it is identified by a name rather than by a number. The IOS command for starting a named access list is slightly different from that for a numbered access list, in that the command starts with ip access-list rather than just access-list, and the permit and deny statements are then entered in the named-ACL sub-configuration mode, see below:

router>enable
router#configure terminal
router(config)#ip access-list <standard | extended> <name>
router(config-std-nacl)#<permit | deny> <source host or network> <wildcard>
router(config-ext-nacl)#<permit | deny> <protocol> <source host or network> <wildcard> <destination host or network> <wildcard> <operator> <port>

Video Tutorial

 In this tutorial, I write a named access list (extended) and apply it to the router to permit traffic to a web server on port 80

LAN Security

Overview

Today, network attacks most often originate from within the local area network. This may be because network perimeter defenses have improved with newer and more advanced firewall and intrusion detection technologies. Even though perimeter defenses have improved, the entire network can still be compromised from within, by an untrained or a trained user who, unknowingly or knowingly, launches an attack from inside the network.

Layer 2 Switch Security

Layer 2 Switch Security Best Practice

1. Manually configure all user ports as access ports (unless a VoIP phone is connected)
2. Do not put user ports in the default VLAN (VLAN 1)
3. Disable CDP on all ports (except ports used for Cisco VoIP phones, which rely on CDP)
4. Enable PortFast on all access ports
5. Enable BPDU guard on all access ports
6. Configure port security on access ports
7. Disable (shut down) all unused ports
8. Manually configure all trunk ports
9. Do not allow the default VLAN (VLAN 1) across trunks
10. Do not use the default native VLAN (VLAN 1); use an otherwise unused VLAN as the native VLAN
11. Disable DTP on all trunk ports
12. Enable root guard on the ports that must never become root ports (designated ports facing other switches), so a rogue switch cannot take over as STP root

IOS Commands

User ports: access mode, a non-default VLAN, CDP off, PortFast and BPDU guard on, and every port shut down to start with (the ports that are in use are re-enabled below):

S1(config)#int range fa0/1-24
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 22
S1(config-if-range)#no cdp enable
S1(config-if-range)#spanning-tree portfast
S1(config-if-range)#spanning-tree bpduguard enable
S1(config-if-range)#shutdown

Active user ports: port security (at most two MAC addresses, learned as sticky entries; a violation shuts the port down) and broadcast storm control, then re-enable the ports:

S1(config)#int range fa0/1-4
S1(config-if-range)#switchport port-security
S1(config-if-range)#switchport port-security maximum 2
S1(config-if-range)#switchport port-security violation shutdown
S1(config-if-range)#switchport port-security mac-address sticky
S1(config-if-range)#switchport port-security aging time 120
S1(config-if-range)#storm-control broadcast level 75.5
S1(config-if-range)#storm-control action shutdown
S1(config-if-range)#no shutdown

Trunk ports: trunking set manually, VLAN 1 left off the allowed list, an otherwise unused VLAN (91) as the native VLAN, DTP negotiation and CDP off:

S1(config)#int range gi1/1-2
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#switchport trunk allowed vlan 20,30,40,91
S1(config-if-range)#switchport trunk native vlan 91
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#no cdp enable

Root guard on S2 and S3, entered under the interface that must never receive a superior BPDU (a port that should stay a designated port):

S2(config-if)#spanning-tree guard root
S3(config-if)#spanning-tree guard root

Verification:

S1#show vlan
S1#show interfaces switchport
S1#show running-config
S1#show port-security
S1#show storm-control
S1#show spanning-tree

Alternative to the per-port commands: enable PortFast and BPDU guard globally on all non-trunking (access) ports:

S1(config)#spanning-tree portfast default
S1(config)#spanning-tree portfast bpduguard default

Video Tutorials

Packet Tracer starter file for the video: layer2-security-ccna-security_begin.zip

In part 1, I diagram a sample local area network and discuss layer 2 security and attacks

In part 2, I configure all of the switchports with: user access mode, an unused VLAN, CDP disabled, PortFast and BPDU guard enabled, and all unused ports shut down

In part 3, I configure port-security and storm control on the active user switchports

In part 4, I manually configure the trunk ports, disallow the default VLAN, configure the Native VLAN
with an unused VLAN, disable DTP, and configure Spanning Tree root guard

Context-Based Access Control (CBAC)

CBAC Overview

Context-Based Access Control (CBAC) is both a stateful and an application-aware firewall. It can filter traffic at the network layer (IP addresses and protocols), the transport layer (ports, TCP and UDP sessions), the session layer (the state of the conversation), and the application layer (protocols for specific applications, including multi-channel applications like FTP). By working across multiple layers, and by logging to Syslog, CBAC provides traffic filtering, traffic inspection, intrusion detection, and the generation of audits and alerts. Compared to the earlier Cisco IOS stateful filtering mechanisms, CBAC is more advanced because it can also inspect UDP and ICMP, as well as services like DNS and SMTP and protocols that rely on application-layer control channels. The three mechanisms compare as follows:

1. TCP established ACLs – match only TCP segments that have the ACK or RST bit set, so a segment that starts a new connection from outside (SYN only) is denied; no session state is kept, and the flags are taken at face value
2. Reflexive ACLs – track sessions and create temporary ACL entries (ACEs) for the return traffic; they inspect:
TCP control flags (ACK, SYN, RST, FIN, etc.),
source and destination addresses,
source and destination ports
3. CBAC (Context-Based Access Control) – inspects and monitors:
TCP connection setup,
UDP session information,
TCP sequence numbers,
DNS queries and replies,
ICMP message types,
applications that rely on multiple connections (TFTP, FTP, multimedia),
embedded addresses (NAT, PAT),
application-layer information
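The difference between the three mechanisms is easiest to see on a forged packet. The Python model below is an added example written for this page, not Cisco code and not part of the original tutorial. It assumes a protected LAN of 192.168.1.0/24, a constructed outside web server 203.0.113.5 and a constructed attacker 198.51.100.9, and reduces each mechanism to the decision it makes on the outside interface, inbound: a plain port-based permit, the same permit with the established keyword, and a stateful inspector that only admits traffic mirroring a session it saw leave through the inside interface.

```python
# Three ways of admitting return traffic on the outside interface (inbound). Added example.
from dataclasses import dataclass
from typing import Dict, Tuple

INSIDE_NET = "192.168.1."   # constructed: the protected LAN is 192.168.1.0/24


@dataclass(frozen=True)
class Segment:              # a TCP segment as the router sees it: 5-tuple plus the flags that matter
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


def port_only(seg: Segment) -> str:
    """'permit tcp any eq 80 192.168.1.0 0.0.0.255': the filter trusts the source port,
    so anything that claims to come from port 80, including a brand-new SYN, is let in."""
    return "permit" if seg.sport == 80 and inside(seg.dst) else "deny"


def established(seg: Segment) -> str:
    """The same line with 'established': only segments with ACK or RST set match.
    That blocks a fresh SYN from outside, but no state is kept, so a forged
    ACK-flagged probe from source port 80 still passes."""
    ok = seg.sport == 80 and inside(seg.dst) and (seg.ack or seg.rst)
    return "permit" if ok else "deny"


Key = Tuple[str, int, str, int]   # (inside addr, inside port, outside addr, outside port)


class StatefulInspector:
    """Reflexive-ACL / CBAC style: a session seen leaving through the inside interface
    gets a temporary entry; an inbound segment is permitted only if it mirrors one."""

    def __init__(self, idle_timeout: float = 3600.0) -> None:
        self.idle_timeout = idle_timeout   # CBAC default: 'ip inspect tcp idle-time 3600'
        self.sessions: Dict[Key, Tuple[str, float]] = {}   # key -> (state, last seen)

    def outbound(self, seg: Segment, now: float = 0.0) -> str:
        """Traffic entering the router from the LAN: the inspect list is applied here."""
        if not inside(seg.src):
            return "deny"                  # the inside ACL only lets the LAN initiate
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn and not seg.ack:
            self.sessions[key] = ("SYN_SENT", now)   # temporary entry for the reply
        elif key in self.sessions:
            self.sessions[key] = (self.sessions[key][0], now)
        return "permit"

    def inbound(self, seg: Segment, now: float = 0.0) -> str:
        """Traffic arriving on the outside interface: dynamic entries are checked first."""
        key = (seg.dst, seg.dport, seg.src, seg.sport)   # mirror of the outbound 5-tuple
        if key not in self.sessions:
            return "deny"                  # unsolicited: only the static outside ACL remains
        state, last_seen = self.sessions[key]
        if now - last_seen > self.idle_timeout:
            del self.sessions[key]         # idle session: entry expired, packet dropped
            return "deny"
        if seg.rst:
            del self.sessions[key]         # reset ends the session; the RST itself is delivered
            return "permit"
        if state == "SYN_SENT" and seg.syn and seg.ack:
            state = "ESTABLISHED"          # handshake answered from the outside
        if seg.fin:
            state = "CLOSING"              # real CBAC keeps the entry until teardown completes
        self.sessions[key] = (state, now)
        return "permit"


# Constructed traffic: a LAN client browsing an outside server, and an attacker spoofing port 80.
CLIENT_SYN = Segment("192.168.1.10", 51000, "203.0.113.5", 80, syn=True)
SERVER_SYNACK = Segment("203.0.113.5", 80, "192.168.1.10", 51000, syn=True, ack=True)
SERVER_RST = Segment("203.0.113.5", 80, "192.168.1.10", 51000, rst=True)
ATTACK_SYN = Segment("198.51.100.9", 80, "192.168.1.10", 445, syn=True)
ATTACK_ACK = Segment("198.51.100.9", 80, "192.168.1.10", 445, ack=True)


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision of each filter on the attacker's two probes: (SYN from port 80, ACK from port 80)."""
    fw = StatefulInspector()
    fw.outbound(CLIENT_SYN, now=0.0)       # the only legitimate session in progress
    return {
        "port-only ACL": (port_only(ATTACK_SYN), port_only(ATTACK_ACK)),
        "established ACL": (established(ATTACK_SYN), established(ATTACK_ACK)),
        "stateful inspection": (fw.inbound(ATTACK_SYN, 1.0), fw.inbound(ATTACK_ACK, 1.0)),
    }
```

compare() returns permit/permit for the port-only rule, deny/permit for the established rule (the SYN is stopped, the forged ACK is not), and deny/deny for the inspector, which has no entry for the attacker's 5-tuple. The inspector also shows the two ways a temporary entry disappears in CBAC: a reset from either side, or the session going idle past the inspect timeout.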

Sample CBAC Network Topology (figure)

How to Configure CBAC

To configure CBAC you need an inside ACL and an outside ACL. Both should be extended ACLs, and both are applied inbound on their respective router interfaces. Remember that for an ACL to function it must be applied to an interface (like fa0/0 or s0/0) either inbound or outbound, from the router's own perspective (inbound means entering the router through that interface, outbound means leaving the router through it). In addition to the two ACLs you need an inspection list naming the protocols and services the router should inspect, applied inbound on the inside interface, which is where traffic leaving the local network enters the router. The inspection list is important because it dictates which outgoing packets and protocols are inspected: for each inspected session the router creates a temporary dynamic ACL entry that permits the matching return traffic in through the outside interface, evaluated ahead of the static outside ACL. Traffic that is not inspected gets no such entry, so its replies are judged by the static outside ACL alone, which in the configuration below drops them.

Inside extended access-list should permit traffic to leave the network:
R1(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any
R1(config)# access-list 100 permit udp 192.168.1.0 0.0.0.255 any
R1(config)# access-list 100 permit icmp 192.168.1.0 0.0.0.255 any
R1(config)# access-list 100 deny ip any any

Inside access-list applied to the inside interface in the inbound direction:
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 100 in

Outside extended access-list should deny almost everything entering from outside; only the routing protocol and the ICMP messages needed for error reporting are permitted statically, and return traffic for inspected sessions is permitted by the dynamic entries CBAC adds ahead of this list:
R1(config)# access-list 101 permit eigrp any any
R1(config)# access-list 101 permit icmp any any echo-reply
R1(config)# access-list 101 permit icmp any any unreachable
R1(config)# access-list 101 permit icmp any any time-exceeded
R1(config)# access-list 101 deny ip any any

Outside access-list applied to the outside interface in the inbound direction:
R1(config)# interface S0/0/0
R1(config-if)# ip access-group 101 in

The named inspection list of protocols and services to be inspected:
R1(config)# ip inspect name CBAC-FW tcp
R1(config)# ip inspect name CBAC-FW udp
R1(config)# ip inspect name CBAC-FW tftp

The named inspection list applied to the inside interface in the inbound direction:
R1(config)# interface Fa0/1
R1(config-if)# ip inspect CBAC-FW in

Video Tutorials

In this series of tutorials, I configure and troubleshoot a CBAC firewall on a Cisco router using a Netlab remote network.

 In part 1, I discuss the concept of the CBAC stateful firewall and outline the sample network topology

In part 2, I explain the CLI commands used to create the inside and outside ACLs and the Inspect list

In part 3, I configure, test and troubleshoot the CBAC stateful firewall

TCP Established & Reflexive ACLs

Video Tutorials – TCP Established ACLs

In part 1, I demonstrate how an access list based firewall functions in a sample network scenario with a private LAN and public DMZ. 

In part 2, I demonstrate how a hacker could bypass an access list firewall by masquerading the port number. I also demonstrate how to solve this problem by using a tcp-established access list.

Video Tutorials – Reflexive ACLs

In part 1, I discuss differences between TCP established access lists and reflexive access lists. I outline a sample network topology and how to configure a reflexive access list in that scenario.

In part 2, using remote access to a router through Netlab, I configure and troubleshoot a reflexive access list.

Extended Access Lists – ACL

Overview

Extended access lists offer greater flexibility than standard access lists because you can filter not only on the source IP address but also on the destination IP address, as well as on the protocol and the port or service, like TCP port 23 (Telnet) for instance. Since you can declare both the source and the destination address, you can apply an extended ACL on the router closest to the source network; this filters packets immediately, without letting them traverse the entire network before being filtered and dropped. Applied in this way, extended ACLs conserve bandwidth and router resources.

                  Standard ACL (1-99, 1300-1999)        Extended ACL (100-199, 2000-2699)
Placement:        applied closest to the destination    applied closest to the source
Denies or         source IP address                     source IP address,
permits:                                                destination IP address,
                                                        protocol, and port or service (optional)

Two Steps:

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create:

Standard ACL (1-99, and 1300-1999):
denies or permits: 1) source IP address
Extended ACL (100-199, and 2000-2699):
denies or permits: 1) source IP address, 2) destination IP address, 3) protocol and port (service) (optional)

2. Apply:

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic, because it can only match on the source address: placed near the source it would cut that source off from every destination, not just the one you want to protect.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic, because it can match on the destination as well, so unwanted packets are dropped before they cross the network.

IOS Commands

Extended access list command formats (numbers 100-199 or 2000-2699):
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> host <source ip address> host <destination ip address> <operator> <port or service>
access-list <100-199> <deny | permit> <protocol> <source ip address> <wildcard bits> <destination ip address> <wildcard bits>

Extended access list examples:

Deny one /24 (class C) source network, and permit another, to the same destination /24 network:
router(config)#access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Deny or permit a source host to a destination /24 network (the two forms of each line are equivalent):
router(config)#access-list 100 deny ip 192.168.1.100 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 deny ip host 192.168.1.100 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip 192.168.1.101 0.0.0.0 192.168.4.0 0.0.0.255
router(config)#access-list 100 permit ip host 192.168.1.101 192.168.4.0 0.0.0.255

Deny or permit any host to any destination on TCP port 80 (HTTP):
router(config)#access-list 100 deny tcp any any eq 80
router(config)#access-list 100 permit tcp any any eq 80

Deny or permit all hosts (an extended ACL always needs a protocol, so the catch-all uses ip):
router(config)#access-list 100 deny ip any any
router(config)#access-list 100 permit ip any any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 100 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 100 in

Video Tutorial

If you would like to follow along in Packet Tracer, click here to download the PT starter file:

In part 1, I demonstrate how to write and apply a basic extended access list

In part 2, I demonstrate how to permit only a port (service) using an extended access list 

Standard Access Lists – ACL

Standard Access Lists Overview

Access lists are a basic form of firewall security on a router. An access list is an ordered set of statements that the router checks traffic against; on the first statement that matches, the router permits or denies the packet as that statement says. Cisco routers support a variety of access lists, the most basic being the standard ACL. The standard access list number ranges are 1 to 99 and 1300 to 1999 (extended lists use 100 to 199 and 2000 to 2699). The access lists covered in the Cisco CCNA curriculum are the standard access list, the extended access list and the named access list. A named access list is given a name instead of a number and is configured as either a standard or an extended access list.

Access lists are written and read line by line; each line is a statement or rule, and because the first match wins, the order of the lines matters: specific statements must come before general ones, or the general statement will match first and the specific one will never be reached. At the end of every access list is an implicit "deny all" (deny any): even though you cannot see it, anything not matched by an explicit statement is dropped. This causes problems because many people assume an access list is permissive by default, that they only have to write statements denying the traffic they want to filter, and that everything else will be permitted. That is false: an ACL containing only deny statements blocks all traffic on the interface it is applied to, so every list that should pass anything needs at least one permit statement.

Two Steps

1. create the access list (standard or extended)
2. apply the access list to an interface (inbound or outbound)

1. Create the ACL

Standard ACL (1-99, and 1300-1999):
denies or permits: 1) source IP address
Extended ACL (100-199, and 2000-2699):
denies or permits: 1) source IP address, 2) destination IP address, 3) protocol and port (service) (optional)

2. Apply the ACL

Where to apply an ACL?
A standard ACL is applied inbound or outbound on the router interface that is closest to the destination of the traffic, because it can only match on the source address: placed near the source it would cut that source off from every destination, not just the one you want to protect.
An extended ACL is applied inbound or outbound on the router interface that is closest to the source of the traffic, because it can match on the destination as well, so unwanted packets are dropped before they cross the network.

Cisco IOS CLI Commands

Standard access list command formats (numbers 1-99 or 1300-1999):
access-list <1-99> <deny | permit> <source ip address> <wildcard bits>
access-list <1-99> <deny | permit> host <source ip address>

examples:

Deny or permit a /24 (class C) network:
router(config)#access-list 1 deny 192.168.1.0 0.0.0.255
router(config)#access-list 1 permit 192.168.2.0 0.0.0.255

Deny or permit a host:
router(config)#access-list 1 deny 192.168.1.100 0.0.0.0
router(config)#access-list 1 deny host 192.168.1.100
router(config)#access-list 1 permit 192.168.1.101 0.0.0.0
router(config)#access-list 1 permit host 192.168.1.101

Deny or permit all hosts: 
router(config)#access-list 1 deny any
router(config)#access-list 1 permit any

Apply the access list to a router interface outbound and inbound

router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 1 out

router(config)#interface fastethernet 0/1
router(config-if)#ip access-group 1 in
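To make the line-by-line evaluation, the implicit deny, and wildcard masks concrete, here is a small evaluator for the kinds of statements shown in this section and in the Extended and Named ACL sections above. It is an added example written for this page, not Cisco's matching code. It models IPv4 standard and extended statements (wildcard masks, host, any, eq <port>) and named-ACL headers; the sample lists and packets inside it are constructed for illustration, and the evaluator deliberately returns which line matched so the effect of ordering is visible.

```python
# Model of how IOS walks an access list: top down, first match wins, implicit deny at the end.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ssh": 22, "ftp": 21, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is address 0.0.0.0 with an all-ones wildcard


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp", or "ip" for anything else
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:                       # one access control entry, i.e. one permit/deny line
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]         # standard ACLs carry no destination, so ANY
    dport: Optional[int] = None  # set only for "eq <port>"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'.
    Wildcards need not be contiguous: 0.0.0.254 matches every even-numbered host."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens: List[str], allow_bare: bool = False) -> Tuple[str, str]:
    """Consume 'any', 'host A' or 'A W'; a standard ACL may omit W, meaning one host."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    if allow_bare and not tokens:
        return t, "0.0.0.0"
    return t, tokens.pop(0)


def acl_kind(number: int) -> str:
    """Standard lists use 1-99 and 1300-1999; extended lists use 100-199 and 2000-2699."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not an IPv4 ACL number")


def parse_ace(statement: str, kind: str) -> Ace:
    """Parse 'permit ...'/'deny ...' (the text after 'access-list N', or a named-ACL line)."""
    tokens = statement.split()
    action = tokens.pop(0)
    if kind == "standard":
        return Ace(action, "ip", _take_addr(tokens, allow_bare=True), ANY)
    proto = tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    """Numbered lines ('access-list 100 ...') or 'ip access-list <kind> NAME' plus bare lines."""
    aces, kind = [], None
    for raw in lines:
        tokens = raw.split()
        if tokens[:2] == ["ip", "access-list"]:
            kind = tokens[2]                       # "standard" or "extended"
        elif tokens[0] == "access-list":
            aces.append(parse_ace(" ".join(tokens[2:]), acl_kind(int(tokens[1]))))
        else:
            aces.append(parse_ace(" ".join(tokens), kind))
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto in ("ip", pkt.proto)
    addr_ok = wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)
    return proto_ok and addr_ok and (ace.dport is None or ace.dport == pkt.dport)


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching line decides (1-based line number); no match is the implicit deny (None)."""
    for n, ace in enumerate(aces, 1):
        if matches(ace, pkt):
            return ace.action, n
    return "deny", None


# Constructed samples: a named list permitting only HTTP to one server, and a standard list
# whose broad permit on line 1 shadows the host deny on line 2 (write specific lines first).
WEB_ONLY = parse_acl([
    "ip access-list extended WEB-ONLY",
    " permit tcp any host 192.168.4.10 eq www",
    " deny ip any any",
])
SHADOWED = parse_acl([
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 1 deny host 192.168.1.100",
])
```

Running evaluate(SHADOWED, Packet("192.168.1.100", "192.168.4.9")) returns ("permit", 1): the host the second line was meant to block is matched by the first line and never reaches it. Reversing the two lines returns ("deny", 1). A packet from a network no line mentions returns ("deny", None), which is the implicit deny at the end of the list. The same parser accepts the numbered lines from this section, the extended lines from the section above, and the named form from the Named ACLs section.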

Video Tutorial

Packet Tracer starter file for the tutorial: acl-standard1-begin.zip

In part 1, I cover the basics of writing and applying a standard ACL on a Cisco router

In part 2, I discuss how access lists are executed line-by-line and access list statements need to be written from specific to general  

In part 3, I demonstrate why standard access lists are placed closest to the destination

AAA and RADIUS

AAA and Radius Overview

AAA is a framework of security services for controlling access to a network device like a router, firewall or switch, and also to an end device like a server or host computer. AAA stands for Authentication, Authorization and Accounting. Authentication is how you prove who you are when you log in to the device: usernames, passwords, and the protocols that protect those credentials in transit. Authorization is the privilege level you are granted once you have been authenticated; an example would be the difference between admin or root privileges and regular user privileges. Accounting is the record kept of user activity: access times, commands used, files accessed, and so on. Having AAA enabled and configured enhances the security of your network, your users, and your data.

With Cisco network devices like firewalls, routers, and switches, you can implement AAA by using the device's built-in local database to store usernames and encrypted passwords. This is not the optimal way of implementing AAA, however, because the same configuration has to be duplicated on every network device, and every user change has to be repeated everywhere. A better approach is to have one or two external AAA servers that handle all authentication, authorization and accounting for the network, so that all of your network devices and clients authenticate usernames and passwords against the same database (a second server keeps administrators from being locked out if the first fails). An external server-based authentication system can be configured to work in conjunction with a Windows Server Active Directory database of users or another LDAP-based user database. Cisco network devices can be configured to use RADIUS or TACACS+ authentication servers, and Cisco offers its own authentication server that supports both RADIUS and TACACS+, Cisco Secure ACS.

Video Tutorials

In part 1, I start the WinRadius server, create a database, add a user, and test the connection  

In part 2, I configure AAA services on the router and configure it to send user authentication to the Radius server

In part 3, I configure AAA services with Cisco CLI and Cisco SDM, in order for the router to send authentication to a Radius server