Module 4 Security
Transcript of Module 4 Security
-
8/13/2019 modul 4 Security
1/54
2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Cisco Confidential 2011 Cisco and/or its affiliates. All rights reserved. 1
Module 4: Security
-
National Security Telecommunications and Information Systems Security Committee (NSTISSC)
Network security is the protection of information and systems and hardware that use, store, and transmit that information.
Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.
-
Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations. The need for network security and its growth are driven by many factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation & liabilities
5. Proliferation of threats
6. Sophistication of threats
-
Confidentiality
Prevent the disclosure of sensitive information from unauthorized people, resources, and processes
Integrity
The protection of system information or processes from intentional or accidental modification
Availability
The assurance that systems and data are accessible by authorized users when needed
http://www.youtube.com/watch?v=yFRc-wpQc9c
-
Filtering: Manage IP traffic by filtering packets passing through a router
Classification: Identify traffic for special handling
-
Permit or deny packets moving through the router.
Permit or deny vty access to or from the router.
Without ACLs, all packets could be transmitted to all parts of your network.
-
Inbound ACL
-
If no ACL statement matches, discard the packet.
-
Standard ACL
Checks source address
Generally permits or denies entire protocol suite
Extended ACL
Checks source and destination address
Generally permits or denies specific protocols and applications
Two methods used to identify standard and extended ACLs:
Numbered ACLs use a number for identification
Named ACLs use a descriptive name or number for identification
-
Standard or extended indicates what can be filtered. Only one ACL per interface, per protocol, and per direction is allowed.
The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
The last ACL test is always an implicit deny everything else statement, so every list needs at least one permit statement.
ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
When placing ACLs in the network:
Place extended ACLs close to the source
Place standard ACLs close to the destination
-
0 means to match the value of the corresponding address bit
1 means to ignore the value of the corresponding address bit
-
Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.
Address and wildcard mask:
172.30.16.0 0.0.15.255
-
172.30.16.29 0.0.0.0 matches all of the address bits
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)
0.0.0.0 255.255.255.255 ignores all address bits
Abbreviate expression with the keyword any
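The wildcard-mask rule on the preceding slides (0 = the bit must match, 1 = the bit is ignored), the 172.30.16.0 0.0.15.255 range example, and the host/any shorthand can all be checked with a few lines of code. The following is an added example written for this transcript, not Cisco code: `wildcard_matches` does the bitwise test a router performs, `expand_shorthand` turns `host`/`any` into the explicit pair, and `matched_block`/`matched_range` show which CIDR block a wildcard selects. The helper names are this example's own; `0.0.1.0` is a constructed non-contiguous wildcard used only to show that such masks do not map to a single CIDR block.

```python
import ipaddress


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 0 bit in the wildcard must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a & ~w) == (b & ~w)        # compare only the "care" bits


def expand_shorthand(tokens: list) -> tuple:
    """Turn the IOS shorthand into an explicit (base, wildcard) pair:
    'host A' -> (A, 0.0.0.0)               all 32 bits must match
    'any'    -> (0.0.0.0, 255.255.255.255) no bit is checked
    'A W'    -> (A, W)                     already explicit"""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    return tokens[0], tokens[1]


def match_count(wildcard: str) -> int:
    """Number of addresses a wildcard can match: 2 to the power of its 1 bits."""
    return 2 ** bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True when the 1 bits form one block at the low end (0.0.15.255 yes, 0.0.1.0 no).
    Only such wildcards correspond to a single CIDR block."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def matched_block(base: str, wildcard: str):
    """The CIDR block a contiguous wildcard selects, or None for a non-contiguous one."""
    if not is_contiguous(wildcard):
        return None
    w = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - w.bit_length()       # 0.0.15.255 has 12 one-bits -> /20
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=False))


def matched_range(base: str, wildcard: str):
    """First and last address matched, for a contiguous wildcard (None otherwise)."""
    block = matched_block(base, wildcard)
    if block is None:
        return None
    net = ipaddress.ip_network(block)
    return str(net[0]), str(net[-1])


if __name__ == "__main__":
    # The slide's example: 172.30.16.0 0.0.15.255 covers 172.30.16.0/24 .. 172.30.31.0/24
    print(matched_block("172.30.16.0", "0.0.15.255"), matched_range("172.30.16.0", "0.0.15.255"))
    print(wildcard_matches("172.30.31.254", "172.30.16.0", "0.0.15.255"))   # inside the range
    print(wildcard_matches("172.30.32.1", "172.30.16.0", "0.0.15.255"))     # just outside it
```

Running the block prints the /20 block and its first and last addresses; the non-contiguous case is worth keeping in mind when reading someone else's ACL, because a wildcard such as 0.0.1.0 is legal but selects scattered addresses rather than a subnet.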
RouterX(config)# access-list access-list-number {permit | deny | remark} source [mask]
  Uses 1 to 99 for the access-list-number.
  The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.
  Default wildcard mask is 0.0.0.0 (only standard ACL).
  no access-list access-list-number removes the entire ACL.
  remark lets you add a description to the ACL.
RouterX(config-if)# ip access-group access-list-number {in | out}
  Activates the list on an interface.
  Sets inbound or outbound testing.
  no ip access-group access-list-number {in | out} removes the ACL from the interface.
-
Permit my network only
RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
RouterX(config)# interface ethernet 1
RouterX(config-if)# ip access-group 1 out
-
Deny a specific host
RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
-
Deny a specific subnet
RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
RouterX(config)# access-list 1 permit any
(implicit deny all)
(access-list 1 deny 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 1 out
-
RouterX(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
  Sets parameters for this list entry
RouterX(config-if)# ip access-group access-list-number {in | out}
  Activates the extended list on an interface
-
Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0
Permit all other traffic
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
-
Deny only Telnet traffic from subnet 172.16.4.0 out E0
Permit all other traffic
RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config)# access-list 101 permit ip any any
(implicit deny all)
RouterX(config)# interface ethernet 0
RouterX(config-if)# ip access-group 101 out
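The ACL rules stated earlier (statements are tested in order, the most specific go first, and every list ends in an implicit deny) and the numbered examples above can be exercised with a small evaluator. This is an added example written for this transcript, not Cisco IOS code: it parses the entry syntax the slides use (standard source-only entries, extended entries with protocol, source, destination and an `eq` port, plus the `host`/`any` shorthand), tests packets top-down with first match wins, counts hits the way `show access-lists` reports them, and falls through to the implicit deny. `Entry`, `AccessList`, `slide_acl_101` and `ordering_demo` are this example's own names; the "shadowed" list and the packets fed in are constructed, and only the `eq` port operator is modelled.

```python
"""Toy evaluator for the IOS-style IPv4 access lists shown on the slides (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PROTOCOLS = ("ip", "tcp", "udp", "icmp")
ANY = ("0.0.0.0", "255.255.255.255")


def wc_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard-mask compare: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)


def read_addr(tok: list, i: int):
    """Consume one address spec at tok[i]: 'any', 'host A', 'A W', or a bare 'A'
    (standard-ACL entry, wildcard defaults to 0.0.0.0). Returns ((base, wild), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1


@dataclass
class Entry:
    seq: int
    text: str
    action: str             # permit | deny
    proto: str              # 'ip' for standard entries (whole protocol suite)
    src: tuple
    dst: tuple
    dport: Optional[int]    # only the 'eq' operator is modelled here
    matches: int = 0


@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)
    extended: bool = False

    def add(self, text: str) -> None:
        """Append one entry given as the text after 'access-list <number>' (or as typed in
        named-ACL sub-mode). Sequence numbers are assigned 10, 20, 30, ... as on the slides."""
        tok = text.split()
        if tok[0] == "remark":
            return                                  # comments are never tested
        if tok[1] in PROTOCOLS:                     # extended: proto src dst [eq port]
            self.extended = True
            src, i = read_addr(tok, 2)
            dst, i = read_addr(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            entry = Entry(0, text, tok[0], tok[1], src, dst, dport)
        else:                                       # standard: source only
            src, _ = read_addr(tok, 1)
            entry = Entry(0, text, tok[0], "ip", src, ANY, None)
        entry.seq = 10 * (len(self.entries) + 1)
        self.entries.append(entry)

    def evaluate(self, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> str:
        """Test a packet top-down; the first matching entry decides and its counter is
        incremented. Running off the end is the implicit 'deny any' the slides mention."""
        for e in self.entries:
            if e.proto not in ("ip", proto):
                continue
            if not (wc_match(src, *e.src) and wc_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            e.matches += 1
            return e.action
        return "deny"

    def show(self) -> str:
        """Render roughly like 'show access-lists', with per-entry match counters."""
        kind = "Extended" if self.extended else "Standard"
        lines = [f"{kind} IP access list {self.name}"]
        for e in self.entries:
            hit = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {e.seq} {e.text}{hit}")
        return "\n".join(lines)


def slide_acl_101() -> AccessList:
    """Rebuilds the slide's numbered extended ACL 101: deny FTP (tcp/21 and tcp/20) from
    172.16.4.0/24 to 172.16.3.0/24, permit everything else."""
    acl = AccessList("101")
    acl.add("deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21")
    acl.add("deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20")
    acl.add("permit ip any any")
    return acl


def ordering_demo() -> tuple:
    """Why the most specific statement goes first: the same two entries in the wrong
    order never reach the host deny, so the 'troublemaker' host is permitted."""
    right = AccessList("troublemaker")
    right.add("deny host 172.16.4.13")
    right.add("permit 172.16.4.0 0.0.0.255")
    wrong = AccessList("shadowed")                 # constructed counter-example
    wrong.add("permit 172.16.4.0 0.0.0.255")
    wrong.add("deny host 172.16.4.13")
    probe = ("172.16.4.13", "10.0.0.1")            # constructed packet
    return right.evaluate(*probe), wrong.evaluate(*probe)


if __name__ == "__main__":
    acl = slide_acl_101()
    print(acl.evaluate("172.16.4.5", "172.16.3.9", "tcp", 21))   # deny: FTP control
    print(acl.evaluate("172.16.4.5", "172.16.3.9", "tcp", 80))   # permit: other traffic
    print(acl.show())
    print(ordering_demo())                                       # ('deny', 'permit')
```

Note that the evaluator, like the router, never complains about the shadowed entry: a permit placed above a more specific deny is accepted and silently never hit, which is why match counters in `show access-lists` are a useful sanity check after a change.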
-
Deny a specific host
RouterX(config)#ip access-list standard troublemaker
RouterX(config-std-nacl)#deny host 172.16.4.13
RouterX(config-std-nacl)#permit 172.16.4.0 0.0.0.255
RouterX(config-std-nacl)#interface e0
RouterX(config-if)#ip access-group troublemaker out
-
Deny Telnet from a specific subnet
RouterX(config)#ip access-list extended badgroup
RouterX(config-ext-nacl)#deny tcp 172.16.4.0 0.0.0.255 any eq 23
RouterX(config-ext-nacl)#permit ip any any
RouterX(config-ext-nacl)#interface e0
RouterX(config-if)#ip access-group badgroup out
-
RouterX(config)# ip access-list {standard | extended} name
  Creates a named ACL
RouterX(config {std- | ext-}nacl)# remark remark
  Creates a named ACL comment
Or
RouterX(config)# access-list access-list-number remark remark
  Creates a numbered ACL comment
-
RouterX# show access-lists {access-list-number | name}
  Displays all access lists

RouterX# show access-lists
Standard IP access list SALES
    10 deny   10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.3.3.1
    30 permit 10.4.4.1
    40 permit 10.5.5.1
Extended IP access list ENG
    10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
    20 permit tcp host 10.33.33.1 any eq ftp
    30 permit tcp host 10.44.44.1 any eq ftp-data
-
RouterX# show ip interfaces e0
Ethernet0 is up, line protocol is up
Internet address is 10.1.1.11/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
-
Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.
-
Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router
-
Time-based ACLs: Allow for access control based on the time of day and week
-
An IP address is either local or global.
Local IPv4 addresses are seen in the inside network.
Global IPv4 addresses are seen in the outside network.
-
RouterX(config)# ip nat inside source static local-ip global-ip
  Establishes static translation between an inside local address and an inside global address
RouterX(config-if)# ip nat inside
  Marks the interface as connected to the inside
RouterX(config-if)# ip nat outside
  Marks the interface as connected to the outside
RouterX# show ip nat translations
  Displays active translations
-
RouterX# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 192.168.1.2 10.1.1.2 --- ---
interface s0
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface e0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat inside source static 10.1.1.2 192.168.1.2
-
RouterX(config)# access-list access-list-number permit source [source-wildcard]
  Defines a standard IP ACL permitting those inside local addresses that are to be translated
RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  Defines a pool of global addresses to be allocated as needed
RouterX(config)# ip nat inside source list access-list-number pool name
  Establishes dynamic source translation, specifying the ACL that was defined in the previous step
RouterX# show ip nat translations
  Displays active translations
-
RouterX(config)# access-list access-list-number permit source source-wildcard
  Defines a standard IP ACL that will permit the inside local addresses that are to be translated
RouterX(config)# ip nat inside source list access-list-number interface interface overload
  Establishes dynamic source translation, specifying the ACL that was defined in the previous step
RouterX# show ip nat translations
  Displays active translations
-
RouterX# show ip nat translations
Pro Inside global Inside local Outside local Outside global
TCP 172.17.38.1:1050 192.168.3.7:1050 10.1.1.1:23 10.1.1.1:23
TCP 172.17.38.1:1776 192.168.4.12:1776 10.2.2.2:25 10.2.2.2:25
hostname RouterX
!
interface Ethernet0
ip address 192.168.3.1 255.255.255.0
ip nat inside
!
interface Ethernet1
ip address 192.168.4.1 255.255.255.0
ip nat inside
!
interface Serial0
description To ISP
ip address 172.17.38.1 255.255.255.0
ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
!
ip route 0.0.0.0 0.0.0.0 Serial0
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!
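The static-translation, overload (PAT) and `clear ip nat translation` slides describe one translation table, and its behaviour is easier to see in a simulation than in isolated commands. The following is an added example written for this transcript, not Cisco code: `Nat` holds the table, `outbound` applies a static mapping or, for sources permitted by the standard ACL, creates a per-session overload entry on the outside interface address, `inbound` translates returning traffic and drops anything with no entry, `clear_dynamic` mirrors `clear ip nat translation *` (static entries survive), and `show` renders the table in the layout of the slide. `slide_router` rebuilds the RouterX configuration shown above (Serial0 172.17.38.1, access-list 1 permitting 192.168.3.0/24 and 192.168.4.0/24). The port-allocation rule (keep the original source port if free, otherwise the next free port) is a simplification assumed for this example, and the static mapping 192.168.3.50 to 172.17.38.50 and all packets are constructed.

```python
"""Toy NAT/PAT translation table in the spirit of the slides (added example)."""
import ipaddress
from dataclasses import dataclass


def wc_match(addr: str, base: str, wild: str) -> bool:
    """Standard-ACL wildcard compare used to decide which inside locals get translated."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)


@dataclass
class Translation:
    proto: str                   # 'TCP'/'UDP' for PAT entries, '---' for an address-only static one
    inside_global: str           # "ip:port" (PAT) or "ip" (static)
    inside_local: str
    outside_local: str = "---"
    outside_global: str = "---"
    static: bool = False


class Nat:
    def __init__(self, outside_ip: str, acl_permits: list):
        self.outside_ip = outside_ip     # 'ip nat inside source list ... interface X overload'
        self.acl = acl_permits           # [(base, wildcard), ...] permit entries of the standard ACL
        self.table = []
        self.static = {}                 # inside local -> inside global

    def add_static(self, local_ip: str, global_ip: str) -> None:
        """'ip nat inside source static local-ip global-ip'."""
        self.static[local_ip] = global_ip
        self.table.append(Translation("---", global_ip, local_ip, static=True))

    def _permitted(self, src: str) -> bool:
        return any(wc_match(src, b, w) for b, w in self.acl)

    def _free_port(self, proto: str, wanted: int) -> int:
        """Assumed allocation rule: keep the source port if unused on the outside address."""
        used = {t.inside_global for t in self.table if t.proto == proto}
        port = wanted
        while f"{self.outside_ip}:{port}" in used:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Packet from an 'ip nat inside' interface heading out the 'ip nat outside' one.
        Returns the translated (src, sport), or None when it leaves untranslated."""
        if src in self.static:
            return self.static[src], sport          # address-only static mapping, port kept
        if not self._permitted(src):
            return None                             # not in the ACL: no entry is created
        key = (proto, f"{src}:{sport}", f"{dst}:{dport}")
        for t in self.table:                        # reuse an existing extended entry
            if (t.proto, t.inside_local, t.outside_global) == key:
                gip, gport = t.inside_global.rsplit(":", 1)
                return gip, int(gport)
        gport = self._free_port(proto, sport)
        self.table.append(Translation(proto, f"{self.outside_ip}:{gport}", f"{src}:{sport}",
                                      f"{dst}:{dport}", f"{dst}:{dport}"))
        return self.outside_ip, gport

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int):
        """Reply arriving on the outside interface: map inside global back to inside local.
        With no matching entry the packet is dropped (returns None)."""
        for t in self.table:
            if t.static and t.inside_global == dst:
                return t.inside_local, dport
            if (t.proto == proto and t.inside_global == f"{dst}:{dport}"
                    and t.outside_global == f"{src}:{sport}"):
                ip, port = t.inside_local.rsplit(":", 1)
                return ip, int(port)
        return None

    def clear_dynamic(self) -> int:
        """'clear ip nat translation *': drops dynamic entries, keeps static ones; returns the count left."""
        self.table = [t for t in self.table if t.static]
        return len(self.table)

    def show(self) -> str:
        """Same columns as 'show ip nat translations' on the slide."""
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for t in self.table:
            rows.append(f"{t.proto:<3} {t.inside_global:<18} {t.inside_local:<18} "
                        f"{t.outside_local:<18} {t.outside_global}")
        return "\n".join(rows)


def slide_router() -> Nat:
    """RouterX from the slide: Serial0 172.17.38.1 is outside, access-list 1 permits
    192.168.3.0/24 and 192.168.4.0/24, translation is 'interface Serial0 overload'."""
    return Nat("172.17.38.1", [("192.168.3.0", "0.0.0.255"), ("192.168.4.0", "0.0.0.255")])


if __name__ == "__main__":
    nat = slide_router()
    nat.outbound("TCP", "192.168.3.7", 1050, "10.1.1.1", 23)    # telnet session from the slide
    nat.outbound("TCP", "192.168.4.12", 1776, "10.2.2.2", 25)   # smtp session from the slide
    print(nat.show())
    print(nat.inbound("TCP", "10.9.9.9", 4444, "172.17.38.1", 1050))   # unsolicited: None
```

The two sessions from the slide reproduce its table rows; the unsolicited inbound packet at the end is dropped because no entry matches it, which is the filtering side effect of overload NAT that the slides on ACL placement and NAT do not spell out but that practitioners rely on.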
-
RouterX# clear ip nat translation *
  Clears all dynamic address translation entries
RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
  Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation
RouterX# clear ip nat translation outside local-ip global-ip
  Clears a simple dynamic translation entry that contains an outside translation
RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
  Clears an extended dynamic translation entry (PAT entry)
-
RouterX# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: Ethernet0, Serial2
Inside interfaces: Ethernet1
Hits: 5 Misses: 0

RouterX# debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23312]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
-
Thank you.