May 29, 2009

Access Control Lists (ACLs)

ACLs don't do anything by themselves, they need to be applied somewhere.

ACLs are processed top-down, the first match causes a break and stop the processing of further entries (until a new packet needs to be processed).

Access lists contain an implicit "deny any" at end.

If an access-list that doesn't exist is specified, it is deemed to permit everything. For example if you do a "ip access-group 100" on an interface without creating ACL 100 first, everything will be permitted. BUT, as soon as you put in the first statement in that ACL, the implicit deny all at the end will come into play. So be careful on production equipment - ALWAYS remove the ACL from the interface first before playing with an ACL.

Applying a non-existent access-list can lead to serious problems when creating the corresponding ACL - because IOS configs are live, you will get erratic behavior.

ACLs use Wildcard Masks

  • Wildcard masks are the binary reverse of subnet masks
  • Wildcard masks can be discontiguous (subnet masks cannot)
  • 0 bit => must match bits in address
  • 1 bit => don't care. No need to match bits in address

ACLs to filter traffic flows:

  • Only one ACL (that could have multiple entries) can be applied per L3protocol, per interface, per direction.
  • Inbound ACLs check the filter condition BEFORE routing table lookup
  • Outbound ACLs checks the filter condition AFTER routing table lookup

General Recommendations:

  • Invest time and carefully place ACLs… consider bandwidth, CPU, etc.
  • Place the ACLs with the most hits at the top of the list if possible.
  • Create ACL first, then apply to interface.
  • Use Standard Access lists when filtering near dest.
  • Use Extended Access lists when filtering near Source, and/or need tospecify protocol, ports, etc.
  • Remember there is always an implicit "deny all" at end of any ACL. Itmight still be a good idea to put an explicit "deny ip any any log" statementfor troubleshooting purposes.

Numbered ACLs

Editing or re-ordering of numbered ACLs (other than adding lines at end) requires to drop the whole ACL and re-create it.

Router(config)# access-list ?

|:------------|:-----------------------------------------:|:------------------------| |Range | Description | Notes |<1-99>|IP standard access list|Match on source address ONLY.| |<100-199>|IP extended access list|Match on source & dest. address, protocol, port, etc.| |<200-299>|Protocol type-code access list|Match on Ethernet protocol type-codes| |<300-399>|DECnet access list| |<400-499>|XNS standard access list| |<500-599>|XNS extended access list| |<600-699>|Appletalk access list| |<700-799>|48-bit MAC address access list| |<800-899>|IPX standard access list| |<900-999>|IPX extended access list |<1000-1099>|IPX SAP access list |<1100-1199>|Extended 48-bit MAC address access list |<1200-1299>|IPX summary address access list |<1300-1999>|IP standard access list (expanded range)|Same as <1-99> |<2000-2699>|IP extended access list (expanded range)|Same as <100-199>

dynamic-extended

Extend the dynamic ACL absolute timer

rate-limit

Simple rate-limit specific access list

Named ACLs

Named ACLs permit deleting specific lines. But they are not supported with every feature (yet).

Router(config)# ip access-list ?

|:------------|:-----------------------------------------:| |Option|Description |standard|Standard Access List |extended|Extended Access List |logging|Control access list logging |log-update|Control access list log updates

Configuration

Standard

access-list 10 permit 192.168.1.0 0.0.0.255 ! interface FastEthernet 0/0 access-group 10 in

Extended

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.255

Named

ip access-list

Dynamic

Time-Based

CBAC (Content Based Access Control)

Traffic Filtering

CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect.

CBAC examines not only network layer and transport layer information but also examines the application-layer protocol information (such as FTP connection information) to learn about the state of the session. This allows support of protocols that involve multiple channels created as a result of negotiations in the control channel. Most of the multimedia protocols as well as some other protocols (such as FTP, RPC, and SQL*Net) involve multiple channels.

Java blocking can be configured to filter HTTP traffic based on the server address or to completely deny access to Java applets that are not embedded in an archived or compressed file.

Traffic Inspection

CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

Inspecting packets at the application layer, and maintaining TCP and UDP session information, provides CBAC with the ability to detect and prevent certain types of network attacks such as SYN-flooding.

CBAC helps to protect against DoS attacks in other ways. CBAC inspects packet sequence numbers in TCP connections to see if they are within expected ranges --CBAC drops any suspicious packets. You can also configure CBAC to drop half- open connections, which require firewall processing and memory resources to maintain. Additionally, CBAC can detect unusually high rates of new connections and issue alert messages. CBAC can help by protecting against certain DoS attacks involving fragmented IP packets.

Alerts and Audit Trails

Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis.

Intrusion Detection

CBAC provides a limited amount of intrusion detection to protect against specific SMTP attacks. With intrusion detection, SYSLOG messages are reviewed and monitored for specific "attack signatures." Certain types of network attacks have specific characteristics, or signatures. When CBAC detects an attacks, it resets the offending connections and sends SYSLOG information to the SYSLOG server.

Configuration

! ip inspect tcp idle-time 30 ip inspect name myCBAC tcp ip inspect name myCBAC udp ip inspect name myCBAC icmp ip inspect name myCBAC http ip inspect name myCBAC ftp ip inspect name myCBAC smtp ip inspect name myCBAC http java-list 1

Only allow java applets downloaded from network 3.0.0.0

! interface Serial0/3 ip address 2.0.0.1 255.0.0.0 ip access-group 100 in

Permit certain types of necessary control traffic in but deny everything else.

ip inspect myCBAC out

Permit the return traffic in - as specified by CBAC.

access-list 100 permit udp any any eq rip

access-list 100 deny ip any any

access-list 1 permit 3.0.0.0 0.255.255.255 ! ip port-map http 8000 list 40 #Map HTTP to port 8000 for internal hosts 192.16.1.0 through .15 ip port-map http 8080 #Map HTTP globally to port 8080 for other hosts ip port-map ftp 8021 #Map FTP globally to port 8021 access-list 40 permit 192.16.1.0 0.0.0.15

  • In the CCIE lab, set both the max-incomplete and one-minute threshold ifasked to configure CBAC. ip inspect max-incomplete high 1000

Start deleting half open connections if they reach 1000.

 ip inspect max-incomplete low 800

Stop deleting half open connections if they reach 800.

 ip inspect one-minute high 500

Start deleting half open connections if they reach 500 in the last minute.

 ip inspect one-minute low 400

Stop deleting half open connections if they reach 400 in the last minute.

 ip inspect tcp max-incomplete host 50 block 5

Allow a maximum of incomplete connections of 50 per host. Block the host for 5 minutes if that treshold is reached..

ip inspect tcp finwait-time

?

ip inspect tcp synwait-time 20

Wait 20 seconds before terminating a half=open connection.

ip inspect tcp idle-time 300

Delete TCP connections when idle for 300 seconds.

ip inspect udp idle-time 300

?

Links

  • [Configuring Context-Based Access Control ][1]
  • [Two-Interface Router with NAT CBAC Configuration][2]
  • [Auth-proxy Authentication Inbound (CBAC, no NAT) Configuration][3]
  • CBAC FAQ
  • [Benefits and Limitations of Context-Based Access Control][5]
  • Configuring Port to Application Mapping

Links

Configuring IP Access Lists

Configuring Commonly Used IP ACLs

[Cisco IOS Access-Lists (O'Reilly Book Sample Chapter) ][9]

Reflexive ACLs

Information

  • Anything that can be done with reflexive ACL's can be done with CBAC -except that CBAC requires IOS FW Feature set.
  • In order of growing safety: (1) established (2) reflexive (3) CBAC
  • Reflexive access-lists (also called IP Session Filtering) is a form ofsession filetring that dynamically create openings to permit the returntraffic from a connection.
  • Reflexive ACLs requires a named extended ACL. Reflexive access lists canbe defined with extended named IP access lists only. You cannot definereflexive access lists with numbered or standard named IP access lists or withother protocol access lists.
  • The reflexive access-list is used in conjunction to another access-list itis evaluated against.
  • You can use reflexive access lists in conjunction with other standardaccess lists and static extended access lists.
  • With reflexive, be careful with timers. "ip reflexive-list timeout"default is 300 sec. Alternatively, it can be specified on each entry of theACL or globally.
  • The reflected ACL doesn't need to be placed at the end of the list.
  • You can use "show access-lists" while a connection is happening to see thedynamically created entries.

Configuration

interface Ethernet 0/0
  ip address 192.168.1.1 255.255.255.0
  ip access-group comingIn in
  ip access-group goingOut out
!
ip access-list extended comingIn
  permit udp any any eq rip
 evaluate myPackets

"myPackets" will be the name of the reflexive ACL - it will be appended to ACL ComingIn

ip access-list extended goingOut
 permit tcp any any eq telnet reflect myPackets timeout 300

With per ACL timeout (in seconds)

ip reflexive-list timeout 600

Global timeout (in seconds )

Links

[Configuring IP Session Filtering (Reflexive Access Lists)][10]

Appendix

  • With basic standard and static extended access lists, you can approximatesession filtering by using the established keyword with the permit command.The established keyword filters TCP packets based on whether the ACK or RSTbits are set. (Set ACK or RST bits indicate that the packet is not the firstin the session, and therefore, that the packet belongs to an establishedsession.) There are two main caveats to doing this: (1) the filter criterionwould be part of an access list applied permanently to an interface and (2) itonly applies to TCP, not UDP.
  • In order of growing safety: (1) established (2) reflexive (3) CBAC

Established ACL that permits the return traffic of established telnet connections.

interface Serial0/3
 ip address 2.0.0.1 255.0.0.0
 ip access-group 100 in

access-list 100 permit tcp any eq telnet any established
access-list 100 permit udp any any eq rip<br> access-list 100 deny ip any any

With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session, and therefore, that the packet belongs to an established session.) There are two main caveats to doing this: (1) the filter criterion would be part of an access list applied permanently to an interface and (2) it only applies to TCP, not UDP. Reflexive ACLs are better in those regards and should be used for more complete solutions.

  • In order of growing safety: (1) established (2) reflexive (3) CBAC
  • CBAC can be used to filter java applets AND SYN attacks.
  • CBAC doesn't work with ICMP. You must use regular ACLs for that.
  • It the test specify for high/low timers/counts. Do it for both max-incomplete and one minute values.
  • Regular ACLs are applied BEFORE CBAC.
  • Put an explicit deny/log at the end of ACLs to make sure the filter isworking right.
  • Only CBAC can do multiport applications simply and correctly (like FTPTCP20/21).
  • The "ip inspect" statement can be put on either the inside interfaceinbound or outside interface outbound, depending on the desired result (dmz,etc.).
  • You can use "show access-lists" while a connection is happening to see thedynamically created entries.
  • CBAC works with CEF, fast switching and process switching.
  • For firewall FS, the keys are: ip inspect, ip auth-proxy, and ip audit /ip ips
  • Netmeeting also required generic TCP inspection in addition of H.323 ("ipinspect name myCBAC tcp")
  • IOS cannot do both SMTP and ESMTP. Use ESMTP to support both.
  • When doing port-map, the ports are additive - if you add a custom port-map, it adds to the existing port (NBAR is replacive)
r/fsecur_c/ftrafwl/scfcbac.htmration_example09186a0080094110.shtmlration_example09186a00800942ff.shtmltem09186a008009464d.shtmlr/fsecur_c/ftrafwl/scfpam.htm#1000871edcr/securc/scprt3/screflex.htm
Tags: Cisco security policy CCIE study