AITA\SWBU\CCNA\08
Objectives
The topics covered:
Introduction to Security
Types of attacks
Mitigating attacks
Access lists: Standard, Extended, Named
Monitoring access lists
Introduction to Security
Attacks
Application-layer attacks
Autorooters
Backdoors
Denial of service (DoS) and distributed denial of service (DDoS) attacks
(many others)
Mitigating Attacks
Appliances:
IDS
IPS
Stateful IOS Firewall:
Inspection engine
Firewall voice traversal
ICMP inspection
Authentication proxy
Access Lists
Purpose:
Permit or deny packets moving through the router
Permit or deny Telnet (VTY) access to or from a router
Define the "interesting traffic" for dial-on-demand routing (DDR) that triggers dialing to a remote location
Important Rules
Packets are compared to each line of the access list in sequential order
Packets are compared with lines of the access list only until a match is made
Once a match is made and acted upon, no further comparisons take place
An implicit deny is at the end of each access list
If no match has been made, the packet is discarded
ACL Guidelines
One access list per interface, per protocol, per direction
More specific tests at the top of the ACL
New lines are placed at the bottom of the ACL
Individual lines cannot be removed
End ACLs with a permit any command
Create ACLs and then apply them to an interface
ACLs do not filter traffic originated by the router
Put standard ACLs close to the destination
Put extended ACLs close to the source
Permit or deny?
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Wildcards
What are they? Used with access lists to specify:
A host
A network
Part of a network
Block Sizes
Block sizes: 64, 32, 16, 8, 4
Rules:
When specifying a range of addresses, choose the closest block size
Each block size must start at 0
A 0 in a wildcard means that octet must match exactly
A 255 in a wildcard means that octet can be any value
The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255
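As an added example that is not part of the slides, a small Python model of the standard-ACL behaviour described in the Important Rules and Wildcards slides: lines are compared in order, the first match is acted upon, an implicit deny follows the last line, and a wildcard 0 bit must match exactly while a 1 bit may be anything. The ACL lines and host addresses are constructed for illustration and the block-size helper assumes the block lies in the last octet, as on the Block Sizes slide.

```python
import ipaddress

# Standard-ACL evaluator written for this page; not Cisco code.

def block_to_wildcard(block_size):
    """Wildcard for a block of hosts in the last octet, e.g. 64 -> 0.0.0.63."""
    return f"0.0.0.{block_size - 1}"

def wildcard_match(packet_ip, match_ip, wildcard):
    """A 0 bit in the wildcard must match exactly; a 1 bit may be anything."""
    addr = int(ipaddress.IPv4Address(packet_ip))
    base = int(ipaddress.IPv4Address(match_ip))
    wild = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ wild          # bits that must match exactly
    return (addr & care) == (base & care)

def parse_line(line):
    """Parse 'access-list N permit|deny A.B.C.D [wildcard]', 'host X' or 'any'."""
    tokens = line.split()
    action = tokens[2]
    if tokens[3] == "any":            # any == 0.0.0.0 255.255.255.255
        return action, "0.0.0.0", "255.255.255.255"
    if tokens[3] == "host":           # host X == X 0.0.0.0
        return action, tokens[4], "0.0.0.0"
    wildcard = tokens[4] if len(tokens) > 4 else "0.0.0.0"  # bare IP == host
    return action, tokens[3], wildcard

def evaluate(acl, source_ip):
    """Compare top-down; return ('permit'|'deny', matching line or None)."""
    for line in acl:
        action, match_ip, wildcard = parse_line(line)
        if wildcard_match(source_ip, match_ip, wildcard):
            return action, line        # first match wins, no further comparison
    return "deny", None                # implicit deny: no line matched

# Constructed example list: one host blocked, then a 64-address block and
# a /24 permitted. Everything else falls through to the implicit deny.
ACL = [
    "access-list 10 deny host 172.16.10.7",
    f"access-list 10 permit 172.16.10.0 {block_to_wildcard(64)}",
    "access-list 10 permit 172.16.20.0 0.0.0.255",
]

if __name__ == "__main__":
    for src in ("172.16.10.7", "172.16.10.60", "172.16.10.64", "172.16.20.200"):
        print(src, evaluate(ACL, src))
```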
Without an ACL any user can Telnet into the router via VTY and gain access
Controlling access
Create a standard IP access list permitting only the host(s) authorized to Telnet into the router
Apply the ACL to the VTY lines with the access-class command
Example
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
(implied deny for all other hosts)
Extended IP ACLs allow you to choose:
IP source address
IP destination address
Protocol
Port number
Extended IP ACLs
Router(config)#access-list ?
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1000-1099>  IPX SAP access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1200-1299>  IPX summary address access list
  <200-299>    Protocol type-code access list
  <300-399>    DECnet access list
  <600-699>    Appletalk access list
  <700-799>    48-bit MAC address access list
  <800-899>    IPX standard access list
  <900-999>    IPX extended access list

Router(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
Extended IP ACLs
Router(config)#access-list 110 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

Router(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
Steps (cont.)
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
RouterA(config)#ip access-group 110 in
or
RouterA(config)#ip access-group 110 out
Monitoring Access Lists
show ip access-list    Shows only the IP access lists configured
show ip interface      Shows which interfaces have access lists set
show running-config    Shows the access lists and which interfaces have access lists set