Lecture CCNA Security - Chapter 4: Implementing Firewall Technologies
Pages: 132
File type: pdf
Size: 3.48 MB
Views: 7
Downloads: 0
Document information:
Chapter 4 objectives: describe numbered and named, standard and extended IP ACLs; configure IP ACLs with the IOS CLI and CCP; describe TCP established ACL functionality; describe and configure reflexive ACLs; describe and configure dynamic ACLs; and more. You are invited to consult the document.
Content extracted from the document:
Lecture CCNA Security - Chapter 4: Implementing Firewall Technologies
Chapter 4 - Implementing Firewall Technologies
CCNA Security

Objectives
• Describe numbered and named, standard and extended IP ACLs.
• Configure IP ACLs with IOS CLI and CCP.
• Describe TCP established ACL functionality.
• Describe and configure reflexive ACLs.
• Describe and configure dynamic ACLs.
• Describe and configure time-based ACLs.
• Describe attack mitigation with ACLs.
• Describe the major types of firewalls.
• Describe and configure CBAC (IOS Stateful Packet Inspection) with CLI.
• Describe and configure Zone-Based Policy Firewall with CLI and CCP.
Bach Khoa Information Technology Academy - Website: www.bkacad.com

ACL Topology and Types
• Refer to 4.1.1.1

Standard Numbered IP ACLs
Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask]
• The first value specifies the ACL number.
• The second value specifies whether to permit or deny traffic from the configured source IP address.
• The third value is the source IP address that must be matched.
• The fourth value is the wildcard mask applied to the preceding IP address to indicate the range.
• All ACLs have an implicit deny statement at the end of the list.
• At least one permit statement must be included, or all traffic will be dropped once the ACL is applied to an interface.

Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]
• The first value specifies the ACL number.
• The second value specifies whether to permit or deny.
• The third value indicates the protocol type.
• The source IP address and wildcard mask determine where the traffic originates.
• The destination IP address and wildcard mask indicate the final destination of the network traffic.
• The command to apply a standard or extended numbered ACL to an interface:
Router(config-if)# ip access-group number {in | out}

Extended Numbered IP ACLs
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established]
???

Named IP ACLs
• Refer to 4.1.1.3

Applying an ACL to virtual access
• An ACL can also be used to permit or deny specific IP addresses from gaining virtual access.
• Standard ACLs allow restrictions to be enforced on the originating source IP address or IP address range.
• An extended ACL does the same but can also enforce the access protocol, such as port 23 (Telnet) or port 22 (SSH). The access-class extended ACL only supports the any (???) keyword as the destination.
• The access list must be applied to the vty lines:
Router(config-line)# access-class {access-list-name | access-list-number} {in | out}
• Or to the HTTP server:
Router(config)# ip http access-class {access-list-name | access-list-number}

The log Parameter
R1(config)# access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log

*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0-IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets

There are several pieces of information logged:
• The action—permit or deny
• The protocol—TCP, UDP, or ICMP
• The source and destination addresses
• For TCP and UDP—the source and destination port numbers
• For ICMP—the message types

ACL Configuration Guidelines
1. ACLs are created globally and then applied to interfaces.
2. ACLs filter traffic going through the router, or traffic to and from the router, depending on how the ACL is applied.
3. Only one ACL per interface, per protocol, per direction.
4. Standard or extended indicates the information that is used to filter packets.
5. ACLs are processed top-down. The most specific statements must go at the top of the list.
6. All ACLs have an implicit "deny all" statement at the end; therefore every list must have at least one permit statement to allow any traffic to pass.

Using Standard IP ACLs
• Use a standard ACL to block all traffic from the 172.16.4.0/24 network, but allow all other traffic.
r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
r1(config)# access-list 1 permit any
r1(config)# interface ethernet 0
r1(config-if)# ip access-group 1 out

Using Extended IP ACLs
• Use an extended ACL to block all FTP traffic from the 172.16.4.0/24 network, but allow all other traffic.
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
...
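The slides state the ACL rules (wildcard masks, top-down first-match processing, the implicit deny, at least one permit) but a router is needed to see them act on a packet. The following simulator is an added example, not code from the lecture or from Cisco; it parses numbered standard and extended ACL lines in the syntax shown above and evaluates constructed packets against them. It goes a little beyond the slides in accepting the `host` and `any` keywords, a few service names for `eq`, and the `established` keyword, which here is modelled as "the TCP ACK or RST flag is set". Port-name mapping and the `Packet` fields are assumptions for the example.

```python
"""Simulator of Cisco IOS numbered ACL semantics: wildcard-mask matching,
top-down first-match processing, the implicit deny at the end of every
list, and the `established` keyword. Added example, not Cisco code; the
ACL lines are the two examples from the lecture, the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "www": 80}  # assumed subset


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST set: what `established` tests


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base address, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Entry:
    number: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: str
    src_wc: str
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]
    established: bool

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            return False
        return True


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume `any`, `host A.B.C.D`, or `A.B.C.D [wildcard]` (IOS default wildcard 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and _is_ipv4(tokens[0]):
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional `eq <port|name>` operator."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens.pop(0)
    number, action = int(tokens.pop(0)), tokens.pop(0)
    if number <= 99:  # standard ACL: source only, any protocol, any destination
        src, src_wc = _take_addr(tokens)
        return Entry(number, action, "ip", src, src_wc, None, "0.0.0.0", "255.255.255.255", None, False)
    proto = tokens.pop(0)
    src, src_wc = _take_addr(tokens)
    sport = _take_port(tokens)
    dst, dst_wc = _take_addr(tokens)
    dport = _take_port(tokens)
    return Entry(number, action, proto, src, src_wc, sport, dst, dst_wc, dport, "established" in tokens)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Top-down, first match wins; no match falls through to the implicit deny (None)."""
    for line in acl:
        entry = parse_entry(line)
        if entry.matches(pkt):
            return entry.action, line
    return "deny", None


# The lecture's two examples, verbatim
ACL_1 = ["access-list 1 deny 172.16.4.0 0.0.0.255",
         "access-list 1 permit any"]
ACL_101 = ["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
           "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
           "access-list 101 permit ip any any"]

if __name__ == "__main__":
    ftp = Packet("tcp", "172.16.4.10", "172.16.3.5", 40000, 21)   # constructed packet
    print(evaluate(ACL_101, ftp))        # denied by the first line
    print(evaluate(ACL_101[::-1], ftp))  # same lines reversed: "permit ip any any" now wins
    print(evaluate([], ftp))             # empty list: implicit deny
```

Running the reversed list shows why guideline 5 ("most specific statements at the top") matters: with `permit ip any any` first, the two FTP deny lines are never reached. The empty-list case shows the implicit deny from guideline 6.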
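The log parameter slide lists what a `%SEC-6-IPACCESSLOGP` message contains (action, protocol, addresses, ports or ICMP type) but not how to make use of it. As an added example, not part of the lecture and not Cisco code, the script below parses those messages from a syslog feed and totals packets per flow and action, which is the first step in turning `log` output into a review of what an ACL is dropping. The sample lines are constructed for the example and follow the shape of the two lines on the slide; the ICMP (`IPACCESSLOGDP`) message layout with a `(type/code)` field is an assumption made here, as is using ACL name `101`.

```python
"""Parser and per-flow aggregation for the syslog messages produced by the
ACL `log` keyword. Added example, not Cisco code; the log text is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# TCP/UDP form (as on the slide): list <acl> permitted|denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# ICMP form carries the message type/code instead of ports (layout assumed for this example)
LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: one permitted SSH flow, one denied FTP flow, one denied ping, one unrelated message
SAMPLE_LOG = """\
*May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet
*May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets
*May 1 22:18:02.110: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.4.10(40001) -> 172.16.3.5(21), 1 packet
*May 1 22:23:05.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 172.16.4.10(40001) -> 172.16.3.5(21), 4 packets
*May 1 22:23:40.912: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.16.4.20 -> 172.16.3.5 (8/0), 2 packets
*May 1 22:24:00.000: %SYS-5-CONFIG_I: Configured from console by admin
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record for an ACL log message, None for any other syslog line."""
    m = LOGP.search(line)
    if m:
        rec = m.groupdict()
        service = int(rec["dport"])
    else:
        m = LOGDP.search(line)
        if not m:
            return None
        rec = m.groupdict()
        rec["proto"] = "icmp"
        service = f"{rec['type']}/{rec['code']}"   # ICMP type/code plays the role of the port
    rec["count"] = int(rec["count"])
    rec["service"] = service
    return rec


def parse_log(text: str) -> List[dict]:
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def flows_by_action(records: List[dict], action: str) -> Dict[Tuple, int]:
    """Packet totals per (proto, src, dst, service) for the given action."""
    totals: Dict[Tuple, int] = defaultdict(int)
    for rec in records:
        if rec["action"] == action:
            totals[(rec["proto"], rec["src"], rec["dst"], rec["service"])] += rec["count"]
    return dict(totals)


def top_denied(records: List[dict], n: int = 5) -> List[Tuple[Tuple, int]]:
    """Denied flows, largest packet total first."""
    flows = flows_by_action(records, "denied")
    return sorted(flows.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for flow, packets in top_denied(records):
        print(f"{packets:>5} packets  {flow}")
```

Every message carries a packet count, so summing counts per flow gives a volume per source, destination and service; the unrelated `%SYS-5-CONFIG_I` line is ignored, which matters when the feed is the router's whole syslog rather than ACL messages alone.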