10 Access Lists Flashcards
What are Access Lists?
An access list is essentially a list of conditions that categorize packets, and they really come in handy when you need to exercise control over network traffic. An ACL would be your tool of choice for decision making in these situations. One of the most common and easiest-to-understand uses of access lists is to filter unwanted packets when implementing security policies. For example, you can set them up to make very specific decisions about regulating traffic patterns so that they’ll allow only certain hosts to access web resources on the Internet while restricting others. With the right combination of access lists, network managers have the power to enforce nearly any security policy they can invent. Creating access lists is a lot like programming a series of if-then statements—if a given condition is met, then a given action is taken. If the specific condition isn’t met, nothing happens and the next statement is evaluated. Access-list statements are basically packet filters that packets are compared against, categorized by, and acted upon accordingly. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.
Three important rules that a packet follows when it’s being compared with an access list:
■ The packet is always compared with each line of the access list in sequential order—it will always start with the first line of the access list, move on to line 2, then line 3, and so on.
■ The packet is compared with lines of the access list only until a match is made. Once it matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
■ There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
Standard access lists
These ACLs use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such as Web, Telnet, UDP, and so on.
Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the Protocol field in the Network layer header, and the port number at the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.
Named access lists
Technically there really are only two access lists since named access lists are either standard or extended and not actually a distinct type. They’re created and referred to differently than standard and extended access lists are, but they’re still functionally the same.
Inbound access lists
When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won’t be routed because they’re discarded before the routing process is invoked.
Outbound access lists
When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.
General access-list guidelines that you should keep in mind when creating and implementing access lists on a router:
■ You can assign only one access list per interface per protocol per direction. This means that when applying IP access lists, you can have only one inbound access list and one outbound access list per interface. When you consider the implications of the implicit deny at the end of any access list, it makes sense that you can’t have multiple access lists applied on the same interface in the same direction for the same protocol. That’s because any packets that don’t match some condition in the first access list would be denied, and there wouldn’t be any packets left over to compare against a second access list!
■ Organize your access lists so that the more specific tests are at the top.
■ Anytime a new entry is added to the access list, it will be placed at the bottom of the list (use a text editor for access lists).
■ You can’t remove one line from an access list. If you try to do this, you will remove the entire list. This is why it’s best to copy the access list to a text editor before trying to edit the list. The only exception is when you’re using named access lists.
■ Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list’s tests. This means every list should have at least one permit statement or it will deny all traffic.
■ Create access list permit and deny statements first and then apply them to an interface. Any access list applied to an interface without access list test statements already created will not filter traffic.
■ Access lists are designed to filter traffic going through the router. They will not filter traffic that has originated from the router.
■ Place IP standard access lists as close to the destination as possible. This is the reason we don’t really want to use standard access lists in our networks. You can’t put a standard access list close to the source host or network because you can only filter based on source address and all destinations would be affected as a result.
■ Place IP extended access lists as close to the source as possible. Since extended access lists can filter on very specific addresses and protocols, you don’t want traffic to traverse the entire network just to be denied. By placing this list as close to the source address as possible, you can filter traffic before it uses up precious bandwidth.
Mitigating Security Issues with ACLs
The most common attack is a denial of service (DoS) attack. Although ACLs can help with a DoS, you really need an intrusion detection system (IDS) and intrusion prevention system (IPS) to help prevent these common attacks. Cisco sells the new Firepower and Firepower Threat Defense (FTD) products, which are the best next-generation firewall (NGFW) in the industry. Here’s a list of the many security threats you can mitigate with ACLs:
■ IP address spoofing, inbound
■ IP address spoofing, outbound
■ Denial of service (DoS) TCP SYN attacks, blocking external attacks
■ DoS TCP SYN attacks, using TCP Intercept
■ DoS smurf attacks
■ Denying/filtering ICMP messages, inbound
■ Denying/filtering ICMP messages, outbound
■ Denying/filtering Traceroute
List of rules to live by when configuring ACLs from the Internet to your production network to mitigate security problems:
■ Deny any source addresses from your internal networks.
■ Deny any local host addresses (127.0.0.0/8).
■ Deny any reserved private addresses (RFC 1918).
■ Deny any addresses in the IP multicast address range (224.0.0.0/4).
Standard Access Lists Configuration
Standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1–99 or numbers in the expanded range of 1300–1999 because the type of ACL is generally differentiated numerically. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines.
Access List Number Ranges
Corp(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<2700-2799> MPLS access list
<300-399> DECnet access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Denying a host
By using the access-list numbers 1–99 or 1300–1999, you’re telling the router that you want to create a standard IP access list, which means you can only filter on source IP address. Once you’ve chosen the access-list number, you need to decide whether you’re creating a permit or deny statement.
Corp(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
The next step is more detailed because there are three options available in it:
- The first option is any parameter, used to permit or deny any source host or network.
- The second choice is to use an IP address to specify either a single host or a range of them.
- The last option is to use the host command to specify a specific host only.
The any command is pretty obvious—any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple too, as you can see here:
Corp(config)#access-list 10 deny host ?
Hostname or A.B.C.D Host address
Corp(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2 and that’s exactly how it will show in your running-config.
Wildcard Masking
Wildcards are used with access lists to specify an individual host, a network, or a specific range of a network or networks. Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:
172.16.30.5 0.0.0.0
The four zeros represent each octet of the address. Whenever a zero is present, it indicates that the octet in the address must match the corresponding reference octet exactly. To specify that an octet can be any value, use the value 255. Here’s an example of how a /24 subnet is specified with a wildcard mask:
172.16.30.0 0.0.0.255
Controlling VTY (Telnet/SSH) Access
- Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
- Apply the access list to the VTY line with the access-class in command.
Lab_A(config)#access-list 50 permit host 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
Because of the implied deny any at the end of the list, the ACL stops any host from telnetting into the router except the host 172.16.10.3 regardless of the individual IP address on the router being used as a target. It’s a good idea to include an admin subnet address as the source instead of a single host, but the reason I demonstrated this was to show you how to create security on your VTY lines without adding latency to your router.