Module 8: Access Control Lists, 8.6.3 Mitigate ICMP Attacks - Coggle Diagram
Module 8: Access Control Lists
8.1 Introduction to Access Control Lists
8.1.1 What is an ACL?
Definition
A set of IOS commands used to filter packets based on header information.
Type
Standard ACL (filters using source IP only)
Extended ACL (filters using source and destination IPs, TCP/UDP ports, protocol types)
8.1.2 Packet Filtering
Standard ACLs
- Standard ACLs filter at Layer 3 using the source IPv4 address only.
Extended ACLs
- Extended ACLs filter at Layer 3 using the source and/or destination IPv4 address (and, as noted in 8.1.1, can also match the protocol type and TCP/UDP ports).
8.1.3 Numbered and Named ACLs
Numbered ACLs
ACLs numbered 1 to 99 or 1300 to 1999 are standard ACLs, while ACLs numbered 100 to 199 or 2000 to 2699 are extended ACLs, as shown in the output.
Named ACLs
Named ACLs are the preferred method to use when configuring ACLs.
The following summarizes the rules to follow for named ACLs.
Assign a name to identify the purpose of the ACL.
Names can contain alphanumeric characters.
Names cannot contain spaces or punctuation.
It is suggested that the name be written in CAPITAL LETTERS.
Entries can be added or deleted within the ACL.
8.1.4 ACL Operation
ACLs
ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
8.2 Wildcard Masking
8.2.1 Wildcard Mask Overview
Wildcard mask
A wildcard mask uses the ANDing process to identify which bits in an IPv4 address must match.
Wildcard masks use the following rules:
Wildcard mask bit 0
- Match the corresponding bit value in the address
Wildcard mask bit 1
- Ignore the corresponding bit value in the address
8.2.2 Wildcard Mask Types
Wildcard to Match a Host
The wildcard mask is used to match one specific host IPv4 address.
Wildcard Mask to Match an IPv4 Subnet
ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network
Wildcard Mask to Match an IPv4 Address Range
ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks.
8.2.3 Wildcard Mask Calculation
Example
Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (i.e., 255.255.255.0) from 255.255.255.255, as shown in the table.
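As an added worked example (not part of the Coggle diagram), the following Python carries out the wildcard-mask rules from 8.2.1 through 8.2.3: subtracting the subnet mask from 255.255.255.255, deriving one address/wildcard pair for the 192.168.16.0/24 to 192.168.31.0/24 range, and checking a packet address against an ACE with the bit-0-match / bit-1-ignore rule. The function names are my own; the range function also refuses a range that cannot be covered by a single ACE.

```python
import ipaddress

def addr(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def wildcard_from_prefix(prefix_len: int) -> str:
    """8.2.3: wildcard mask = 255.255.255.255 - subnet mask."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return addr(0xFFFFFFFF - subnet_mask)

def wildcard_for_networks(first_net: str, last_net: str) -> tuple[str, str]:
    """8.2.2: one address/wildcard pair covering consecutive networks such as
    192.168.16.0/24 .. 192.168.31.0/24. Every bit that differs between the
    lowest and highest address in the range becomes a 1 (ignore) bit.
    Raises if the range is not one aligned power-of-two block, because a
    single ACE cannot express it (several ACEs are needed instead)."""
    lo = int(ipaddress.IPv4Network(first_net).network_address)
    hi = int(ipaddress.IPv4Network(last_net).broadcast_address)
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wildcard
    if base != lo or (base | wildcard) != hi:
        raise ValueError("range is not a single aligned block; use several ACEs")
    return addr(base), addr(wildcard)

def ace_matches(ace_addr: str, wildcard: str, packet_ip: str) -> bool:
    """8.2.1: wildcard bit 0 = the address bit must match, bit 1 = ignore it.
    Clearing the ignored bits on both sides and comparing is the ANDing step."""
    wc = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF & ~wc
    ace = int(ipaddress.IPv4Address(ace_addr)) & care
    return ace == (int(ipaddress.IPv4Address(packet_ip)) & care)
```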
8.2.4 Wildcard Mask Keywords
Keywords
host
- This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
any
- This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
8.3 Configure ACLs
8.3.1 Create an ACL
When configuring a complex ACL, it is suggested that you:
Use a text editor and write out the specifics of the policy to be implemented.
Add the IOS configuration commands to accomplish those tasks.
Include remarks to document the ACL.
Copy and paste the commands onto the device.
Always thoroughly test an ACL to ensure that it correctly applies the desired policy.
8.3.2 Numbered Standard IPv4 ACL Syntax
To create a numbered standard ACL, use the following global configuration command:
Router(config)# access-list access-list-number {deny | permit | remark text} source [source-wildcard] [log]
8.3.3 Named Standard IPv4 ACL Syntax
To create a named standard ACL, use the following global configuration command:
Router(config)# ip access-list standard access-list-name
In the example, a named standard IPv4 ACL called NO-ACCESS is created.
8.3.4 Numbered Extended IPv4 ACL Syntax
The extended ACL is first configured, and then it is activated on an interface with the following interface configuration command:
Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Use the no access-list access-list-number global configuration command to remove an extended ACL.
8.4 Modify ACLs
8.4.1 Two Methods to Modify an ACL
Sometimes a configured ACE does not yield the expected behavior. There are two ways to modify an ACL:
Use a Text Editor
Use Sequence Numbers
8.4.2 Text Editor Method
ACLs with multiple ACEs should be created in a text editor.
To correct the error:
Copy the ACL from the running configuration and paste it into the text editor.
Make the necessary changes.
Remove the previously configured ACL on the router. Otherwise, pasting the edited ACL commands will only append (i.e., add) to the existing ACL ACEs on the router.
Copy and paste the edited ACL back to the router.
Assume that ACL 1 has now been corrected.
8.4.3 Sequence Number Method
An ACL ACE can also be deleted or added using the ACL sequence numbers.
Use the ip access-list standard command to edit an ACL.
8.4.4 Syntax Checker - Modify IPv4 ACLs
8.5.1 ACL Configuration Guidelines
An ACL is made up of one or more access control entries (ACEs), also called statements.
Create an ACL globally and then apply it.
Ensure the last statement is an implicit deny any or deny ip any any.
Remember that statement order is important because ACLs are processed top-down.
As soon as a statement is matched the ACL is exited.
Always filter from the most specific to the most generic. For example, deny a specific host and then permit all other hosts.
Remember that only one ACL is allowed per interface, per protocol, per direction.
Remember that new statements for an existing ACL are added to the bottom of the ACL by default.
Remember that router-generated packets are not filtered by outbound ACLs.
Place standard ACLs as close to the destination as possible.
Place extended ACLs as close to the source as possible.
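The processing rules above (top-down, first match exits, implicit deny at the end, most specific first) as an added Python example that is not part of the Coggle diagram. It parses a constructed ACL written in the numbered standard syntax from 8.3.2, honouring the host and any keywords from 8.2.4, and evaluates source addresses against it; the function names are my own.

```python
import ipaddress

# Constructed sample in the numbered standard ACL syntax of 8.3.2. The order
# follows the 8.5.1 guideline: deny one specific host first, then permit the
# rest of its subnet; the remark documents the intent (8.3.1).
SAMPLE_ACL = """
access-list 10 remark Block one workstation, allow the rest of its LAN
access-list 10 deny host 192.168.10.10
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny 127.0.0.0 0.255.255.255 log
"""

def parse_standard_acl(text: str) -> list[tuple[str, int, int, bool]]:
    """Return the ACEs in configured order as (action, address, wildcard, log).
    remark lines are documentation only and produce no ACE."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, rest = parts[2], parts[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "host":            # 8.2.4: host = 0.0.0.0 wildcard
            address, wildcard = rest[1], "0.0.0.0"
        elif rest[0] == "any":           # 8.2.4: any = 255.255.255.255 wildcard
            address, wildcard = "0.0.0.0", "255.255.255.255"
        else:                            # explicit wildcard; default is 0.0.0.0
            address = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        aces.append((action, int(ipaddress.IPv4Address(address)),
                     int(ipaddress.IPv4Address(wildcard)), log))
    return aces

def evaluate(aces, src_ip: str) -> str:
    """Process ACEs top-down; the first match ends the search (8.5.1).
    A packet that matches nothing hits the implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, address, wildcard, _log in aces:
        care = 0xFFFFFFFF & ~wildcard     # wildcard bit 1 = ignore that bit
        if (ip & care) == (address & care):
            return action
    return "deny (implicit)"

def order_matters(src_ip: str = "192.168.10.10") -> tuple[str, str]:
    """Same ACEs with the host deny moved below the subnet permit: the
    specific deny is never reached, which is why specific entries go first."""
    aces = parse_standard_acl(SAMPLE_ACL)
    swapped = [aces[1], aces[0]] + aces[2:]
    return evaluate(aces, src_ip), evaluate(swapped, src_ip)
```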
8.5.2 Apply an ACL
The following shows the command syntax to apply an ACL to an interface or to the vty lines.
The figure below shows a named standard ACL applied to outbound traffic.
Named ACL on VTY Lines with Logging
Named Extended ACL Example
8.5 Implement ACLs
8.5.3 Where to Place ACLs
Every ACL should be placed where it is the most efficient.
8.5.4 Standard ACL Placement Example
Following the guidelines for ACL placement, standard ACLs should be located as close to the destination as possible.
R3 S0/1/1 interface (inbound) -
The standard ACL can be applied inbound on the R3 S0/1/1 interface to deny traffic from the .10 network. However, it would also filter .10 traffic to the 192.168.31.0/24 (.31 in this example) network. Therefore, the standard ACL should not be applied to this interface.
R3 G0/0/0 interface (outbound) -
The standard ACL can be applied outbound on the R3 G0/0/0 interface. This will not affect other networks that are reachable by R3. Packets from .10 network will still be able to reach the .31 network. This is the best interface to place the standard ACL to meet the traffic requirements.
8.5.7 Extended ACL Placement Example
Extended ACLs should be located as close to the source as possible.
8.6.1 Mitigate Spoofing Attacks
ACLs can be used to mitigate many network threats, such as IP address spoofing and denial of service (DoS) attacks. Inbound packets whose source address falls in any of the following ranges should be denied, since they cannot legitimately originate outside the network:
All zeros addresses
Broadcast addresses
Local host addresses (127.0.0.0/8)
Automatic Private IP Addressing (APIPA) addresses (169.254.0.0/16)
Reserved private addresses (RFC 1918)
IP multicast address range (224.0.0.0/4)
8.6.2 Permit Necessary Traffic through a Firewall
Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), and File Transfer Protocol (FTP) are services that often must be allowed through a firewall.
8.6.4 Mitigate SNMP Attacks
An exploit may still be possible if the SNMP packet is sourced from an address that has been spoofed and is permitted by the ACL.
8.7 IPv6 ACLs
8.7.1 IPv6 ACL Overview
Unfortunately, as the migration to IPv6 continues, IPv6 attacks are becoming more pervasive. IPv4 will not disappear overnight. IPv4 will coexist with IPv6 and then gradually be replaced by IPv6.
Sample IPv6 Exploit
8.7.2 IPv6 ACL Syntax
To configure an IPv6 ACL, use the ipv6 access-list command to enter IPv6 ACL configuration mode. Next, use the syntax shown in the figure to configure each access list entry to specifically permit or deny traffic.
8.7.3 Configure IPv6 ACLs
If an administrator configures the deny ipv6 any any command without explicitly permitting neighbor discovery, then the NDP will be disabled.
8.6.3 Mitigate ICMP Attacks
Several ICMP messages are recommended for proper network operation and should be allowed into the internal network:
Echo reply - Allows users to ping external hosts.
Source quench - Requests that the sender decrease the traffic rate of messages.
Unreachable - Generated for packets that are administratively denied by an ACL.
Several ICMP messages are required for proper network operation and should be allowed to exit the network:
Echo - Allows users to ping external hosts.
Parameter problem - Informs the host of packet header problems.
Packet too big - Enables packet maximum transmission unit (MTU) discovery.
Source quench - Throttles down traffic when necessary.