Wednesday, July 11, 2007

Security and Access Lists (Cisco routers)

Access lists are similar to packet filtering on an NT server. They are lists of conditions, set by the administrator, that control access to a particular network segment by controlling what is allowed through a specific router interface. Access lists are used to protect sensitive networks and to keep unwanted traffic off the network. An access list can be applied to inbound or outbound traffic on an interface. It is important to understand that the direction (inbound or outbound) is relative to the router's interface, not to the hosts: if a server is connected to one of the router's interfaces, a packet addressed to that server leaves the router through that interface, so it is outbound traffic on that interface.
Once an access list is applied to an interface, every packet passing through it in that direction is compared with the entries in the list. If one of the conditions matches the packet's information (source IP address, network address, port number or protocol type, depending on the type of list), the router acts according to that entry:
· The packet is compared with each line in the access list, starting with line 1, then line 2, and so on.
· As soon as the packet matches the condition on one of the lines, the router acts on that line (permit or deny) and no further comparisons take place.
· If the packet matches none of the conditions, it is discarded. This is the same as having a deny any entry at the end of the list. This is important to remember when creating access lists.
Access lists can be used to control IP and IPX traffic.
There are two types of access lists: standard and extended. A standard access list can filter only on the packet's source IP address, which is used to permit or deny the packet on the interface (inbound or outbound).
An extended access list can, in addition to the source IP address, also match on:
· Destination IP address
· Source and destination port numbers (for TCP and UDP)
· Protocol type (IP, TCP, UDP, ICMP and so on)
A router can have many different access lists, but only one access list per protocol and per direction can be applied to an interface; for example, one inbound and one outbound IP access list on the same interface, but not two inbound IP lists.
There are two steps in configuring access list (either standard or extended):
1. Create access list in global configuration mode
2. Apply the access list to the interface in interface configuration mode
Each access list must have a unique number. This number must be within a specific range, depending on the type of access list. You must know the following access list numbers:

Access list number   Access list type
1-99                 IP standard access list
100-199              IP extended access list
200-299              Protocol type-code access list
800-899              IPX standard access list
900-999              IPX extended access list
1000-1099            IPX SAP access list

Later IOS releases (12.0(1) and up) also accept the expanded ranges 1300-1999 for standard and 2000-2699 for extended IP access lists, for when the original ranges run out.

Commands to configure access lists:
From global configuration mode, type access-list [number] [permit or deny] [source address]
For example, access-list 10 deny (followed by a host address) creates access list number 10 with a single condition that denies packets from that source address.

It is important to remember that every access list has an implicit deny as its last line. So, after that single command, our access list 10 looks like this:

deny any

This means that all traffic will be denied, which is not what we wanted. To deny only packets from that one source address and allow everything else, we need to add another line to the list. From global configuration mode, type access-list 10 permit any

Now our access list looks like this:
permit any
deny any

The last line, deny any, is always present because the router inserts it implicitly, but here it is never reached: once a packet matches a line (and permit any matches every packet that got past the deny), the router stops reading the list.
Two things follow from this. First, order matters: deny lines must come before the permit any, because the router stops at the first match, and in a numbered list new lines are appended at the end, so to change the order you normally have to remove the whole list and re-enter it. Second, when you create an access list with a deny statement you must add a line that permits all or some traffic, or you will block every packet through that interface in that direction, including your own Telnet session if it passes through it.

When an access list entry should cover an entire network or subnet rather than a single host, use a wildcard mask. A wildcard mask looks like a subnet mask but works the other way round: a 0 bit means the corresponding bit of the address must match, a 1 bit means that bit is ignored. For an ordinary subnet it is the inverse of the subnet mask. Here is an example:

access-list 12 permit

In this example we created an access list that permits traffic from all hosts on a network. The wildcard mask 0.0.0.255 tells the router that the first three octets must match exactly and the last octet can be any number from 0 to 255. A single host uses the wildcard 0.0.0.0 (every bit must match), which is what the router assumes when you give a standard list an address with no mask, and the keyword any is shorthand for 0.0.0.0 255.255.255.255.

You can have many access lists on a router, but they don't do anything until you apply an access list to an interface.

To apply an access list to an interface, you must first enter interface configuration mode. For example, from config mode type int e0 (short for interface ethernet 0). The router prompt changes to
Router(config-if)#, indicating that all changes made here apply only to interface e0. To apply an access list, type
Router(config-if)#ip access-group 10 [in or out]

For example to apply an access list 10 to control an outbound traffic, type ip access-group 10 out

To remove the access list from the interface, type no ip access-group 10 out in interface configuration mode. This only detaches the list; the lines of access list 10 stay in the configuration. Be careful with the global command no access-list 10: it deletes the entire list, not just one line, and an interface whose ip access-group refers to a list that no longer exists passes all traffic.

On a router with only two interfaces, one serial and one Ethernet, applying an access list inbound on the serial interface filters the same transit traffic as applying it outbound on the Ethernet interface. The two are not quite identical, though: an inbound list also filters packets addressed to the router itself (for example Telnet to the router), an outbound list never filters traffic the router itself generates, and inbound filtering discards unwanted packets before the router spends a routing lookup on them. On a router with more interfaces you have to decide where to apply the list, inbound or outbound, based on the needs of the network.

Extended access lists

Standard access lists are very simple to configure, but they can only filter traffic on the source address. If you want to filter on source and destination address, protocol and port number, you need extended access lists. The extended examples below also show another useful feature: the log keyword.

Configuring an extended access list is similar to configuring a standard one. You begin by creating the list from global configuration mode, using a number from 100 to 199. If you enter access-list 101 ? you will see many more parameters available; the router knows from the number that you are working with an extended access list. The fields come in the order protocol, source, destination, and then any port qualifier:
Router(config)#access-list 101 permit tcp [source address] [wildcard mask] any eq 23

This access list permits TCP traffic from the given source address to any destination, on destination port 23 (Telnet). Because eq 23 follows the destination it matches the destination port; a port qualifier placed directly after the source would match the source port instead. Instead of a number you can use the IOS keyword for a TCP port, for example telnet, ftp, echo or www (the keyword for DNS is domain).

You can use wildcard masks with extended access lists just like with standard access lists.

To log the packets that match an entry, add the log keyword at the end of the line, like this:
access-list 101 permit tcp [source address] [wildcard mask] any eq 23 log

Logging can be useful if you want to see the traffic going in or out of a particular interface. To log all traffic, create an access list that permits all traffic and add the log keyword to it. Be aware of the cost: the router logs the first matching packet immediately and then a summary with a packet count every five minutes, and matched packets are handled by the CPU rather than the fast switching path, so a log keyword on a busy entry can hurt performance. The log-input variant also records the input interface and source MAC address, which helps when tracing packets with spoofed source addresses.
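The matching rules described at the start of this page (top-down, first match wins, implicit deny at the end), the wildcard masks from the standard access list section and the field order of the extended access list above can all be exercised offline with the following Python simulator. It is an added example, not code from the original post or from Cisco: it models how a router walks a numbered list. The access lists and addresses in it are constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), and it knows only a handful of the IOS port keywords; real IOS accepts many more forms (named lists, ranges, established, remarks, source ports) than this model does.

```python
"""Added example (not from the original post): simulate how an IOS router walks
a numbered access list. Entries are compared top to bottom, the first match
wins, and a packet matching nothing hits the implicit "deny any". Wildcard
masks are bit-wise: 0 = address bit must match, 1 = ignored. Source ports are
not modelled. All addresses and lists are constructed (documentation ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # IOS keywords (subset)

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)

def wildcard_for(network: str) -> str:
    """Wildcard mask for a CIDR network, i.e. the inverse of its subnet mask."""
    return str(ipaddress.IPv4Network(network).hostmask)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq <number|keyword>' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" for standard lists (source only)
    src: Tuple[str, str]            # (base address, wildcard mask)
    dst: Optional[Tuple[str, str]]  # None for standard lists
    dst_port: Optional[int]         # None unless 'eq' follows the destination
    log: bool

def parse_acl(text: str):
    """Parse 'access-list N permit|deny ...' lines: 1-99 standard, 100-199 extended."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        num, action = int(t[1]), t[2]
        log = t[-1] == "log"
        rest = t[3:-1] if log else t[3:]
        if 1 <= num <= 99:
            if len(rest) == 1 and rest[0] != "any":
                rest = ["host", rest[0]]  # bare address means wildcard 0.0.0.0
            entries.append(Entry(action, "ip", parse_addr(rest)[0], None, None, log))
        elif 100 <= num <= 199:
            proto, rest = rest[0], rest[1:]
            src, rest = parse_addr(rest)
            dst, rest = parse_addr(rest)
            dport, rest = parse_port(rest)
            entries.append(Entry(action, proto, src, dst, dport, log))
        else:
            raise ValueError(f"list number {num} is not a numbered IP access list")
    return entries

def evaluate(entries, src, dst=None, proto="ip", dport=None):
    """Return (action, index of the matching line or None for the implicit deny,
    whether that line carried the log keyword)."""
    for i, e in enumerate(entries):
        if (e.proto in ("ip", proto)
                and wildcard_match(src, *e.src)
                and (e.dst is None or wildcard_match(dst, *e.dst))
                and e.dst_port in (None, dport)):
            return e.action, i, e.log
    return "deny", None, False  # the implicit deny any at the end of every list

# Constructed lists mirroring the page's examples.
STANDARD_ACL = "access-list 10 deny 192.0.2.5\naccess-list 10 permit any"
EXTENDED_ACL = ("access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq telnet log\n"
                "access-list 101 permit udp any any eq domain")

def demo():
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    deny_only = parse_acl("access-list 10 deny 192.0.2.5")  # forgot the permit any line
    return {
        "blocked_host": evaluate(std, "192.0.2.5"),
        "other_host": evaluate(std, "192.0.2.6"),
        "deny_only": evaluate(deny_only, "192.0.2.6"),  # falls through to implicit deny
        "telnet_inside": evaluate(ext, "192.0.2.7", "198.51.100.1", "tcp", 23),
        "telnet_outside": evaluate(ext, "203.0.113.9", "198.51.100.1", "tcp", 23),
        "dns_query": evaluate(ext, "203.0.113.9", "198.51.100.53", "udp", 53),
    }
```

Running demo() shows the two pitfalls from the text side by side: the list that consists only of a deny line denies the hosts you meant to allow as well (deny_only ends at the implicit deny, index None), and in the extended list the eq telnet qualifier after the destination matches the destination port, so the same Telnet packet from a source outside 192.0.2.0/24 also falls through to the implicit deny. wildcard_for("192.0.2.0/24") returns 0.0.0.255, the mask used in the standard access list example.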

IPX access lists

IPX access lists are similar to IP access lists. There are standard and extended IPX access lists.
Unlike a standard IP access list, a standard IPX access list can filter traffic on both source and destination address.

The syntax for creating standard IPX access list is:
access-list [number] [permit/deny] [source] [destination]
Just like an IP access list, an IPX access list is created from global configuration mode.

For example: access-list 801 permit 40 80
This access list permits IPX traffic from network 40 to network 80. We use number 801 because IPX standard access list numbers must be between 800 and 899.

In order to define any network in IPX access list you use -1 (minus one)

For example access-list 805 deny -1 -1 will deny IPX traffic from any network to any network.
Just like in IP access list there is an implicit deny at the end of IPX access list.

To apply an IPX access list, first go to an interface configuration mode, then type
Router(config-if)#ipx access-group [number] [in or out]
For example:
Router(config-if)#ipx access-group 801 in

Extended IPX access lists

With extended IPX access lists you can filter traffic on source network/node address, destination network/node address, IPX protocol (SPX, SAP, NetBIOS and so on) and IPX socket (similar to a TCP port number).

The syntax for creating an IPX extended access list is:
access-list [number] [permit/deny] [protocol] [source] [socket] [destination] [socket]
The [number] must be between 900 and 999, which tells the router it is reading an extended IPX access list.

Also, just like with IP access list, you can add log parameter to the end of IPX extended access list to log events generated by the access list.

access-list 901 deny spx any sap any sap log
This access list will deny sap traffic from any network to any network and events will be logged.

Another example:
access-list 902 deny rip 300 rip 600 log
This access list denies all IPX RIP (not the same as IP RIP) traffic from network 300 to network 600, and logs every match.

The procedure and syntax for applying the extended IPX access list to the interface is the same as with standard IPX access list.

Monitoring access lists

There are several commands you can use to view your access lists, all entered from privileged mode.
show access-lists displays all access lists configured on the router, their numbers and all their lines, together with a match counter for each line, which is the quickest way to see whether an entry is actually being hit.

To see where IP access lists are applied, use show ip interface (or sh ip int). This displays the IP configuration of each interface, including the numbers of the outgoing and inbound access lists.

To view IPX access list you can use show ipx interface This will show interfaces that are configured with IPX protocols, and IPX access lists associated with them.

Another useful command is show running-config (or show run), entered from privileged mode. It shows the running configuration, including the access-list lines themselves and the ip access-group and ipx access-group commands applied to each interface.
