modul 4 Security


Transcript of modul 4 Security

  • 8/13/2019 modul 4 Security

    Slide 1/54

    2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

    Module 4: Security

  • Slide 2/54

    National Security Telecommunications and Information Systems Security Committee (NSTISSC)

    Network security is the protection of information and systems and hardware that use, store, and transmit that information.

    Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.

  • Slide 3/54

    Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations. The need for network security and its growth are driven by many factors:

    1. Internet connectivity is 24/7 and is worldwide
    2. Increase in cyber crime
    3. Impact on business and individuals
    4. Legislation & liabilities
    5. Proliferation of threats
    6. Sophistication of threats

  • Slide 4/54

    Confidentiality

    Prevent the disclosure of sensitive information from unauthorized people, resources, and processes

    Integrity

    The protection of system information or processes from intentional or accidental modification

    Availability

    The assurance that systems and data are accessible by authorized users when needed

    http://www.youtube.com/watch?v=yFRc-wpQc9c

  • Slide 8/54

    Filtering: Manage IP traffic by filtering packets passing through a router

    Classification: Identify traffic for special handling

  • Slide 9/54

    Permit or deny packets moving through the router.

    Permit or deny vty access to or from the router.

    Without ACLs, all packets could be transmitted to all parts of your network.


  • Slide 12/54

    Inbound ACL

  • Slide 13/54

    If no ACL statement matches, discard the packet.


  • Slide 15/54

    Standard ACL

    Checks source address

    Generally permits or denies entire protocol suite

    Extended ACL

    Checks source and destination address

    Generally permits or denies specific protocols and applications

    Two methods used to identify standard and extended ACLs:

    Numbered ACLs use a number for identification

    Named ACLs use a descriptive name or number for identification


  • Slide 18/54

    Standard or extended indicates what can be filtered. Only one ACL per interface, per protocol, and per direction is allowed.

    The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.

    The last ACL test is always an implicit "deny everything else" statement, so every list needs at least one permit statement.

    ACLs are created globally and then applied to interfaces for inbound or outbound traffic.

    An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.

    When placing ACLs in the network:

    Place extended ACLs close to the source

    Place standard ACLs close to the destination


  • Slide 20/54

    0 means to match the value of the corresponding address bit

    1 means to ignore the value of the corresponding address bit

  • Slide 21/54

    Match for IP subnets 172.30.16.0/24 to 172.30.31.0/24.

    Address and wildcard mask: 172.30.16.0 0.0.15.255

  • Slide 22/54

    172.30.16.29 0.0.0.0 matches all of the address bits. Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).

    0.0.0.0 255.255.255.255 ignores all address bits. Abbreviate this expression with the keyword any.
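The wildcard-mask arithmetic of the last three slides, written out as an added Python example (not part of the Cisco deck): it derives the address/wildcard pair for a contiguous run of subnets, returns None for a run that a single entry cannot express, and applies the 0-must-match / 1-ignore rule including the host and any abbreviations.

```python
import ipaddress

def wildcard_for_range(first_subnet, last_subnet):
    """Address/wildcard pair covering first_subnet's network address through
    last_subnet's broadcast address, or None when that range is not one
    power-of-two-aligned block (a single ACL entry cannot express it)."""
    lo = int(ipaddress.ip_network(first_subnet).network_address)
    hi = int(ipaddress.ip_network(last_subnet).broadcast_address)
    size = hi - lo + 1
    if size & (size - 1) or lo % size:   # not a power of two, or not aligned
        return None
    wildcard = lo ^ hi                    # the bits that vary across the range
    return str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(wildcard))

def expand(spec):
    """Expand the IOS abbreviations 'any' and 'host A' to (address, wildcard)."""
    if spec == "any":
        return "0.0.0.0", "255.255.255.255"
    if spec.startswith("host "):
        return spec.split()[1], "0.0.0.0"
    address, wildcard = spec.split()
    return address, wildcard

def matches(address, spec):
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    entry, wildcard = expand(spec)
    a, e, w = (int(ipaddress.ip_address(x)) for x in (address, entry, wildcard))
    return (a ^ e) & ~w == 0
```

A range such as 172.30.16.0/24 through 172.30.20.0/24 is five /24s, so wildcard_for_range returns None and the list needs more than one entry to cover it.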


  • Slide 24/54

    RouterX(config)# access-list access-list-number {permit | deny | remark} source [mask]

    Uses 1 to 99 for the access-list-number.

    The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.

    Default wildcard mask is 0.0.0.0 (only standard ACL).

    no access-list access-list-number removes the entire ACL.

    remark lets you add a description to the ACL.

    RouterX(config-if)# ip access-group access-list-number {in | out}

    Activates the list on an interface.

    Sets inbound or outbound testing.

    no ip access-group access-list-number {in | out} removes the ACL from the interface.

  • Slide 25/54

    Permit my network only

    RouterX(config)# access-list 1 permit 172.16.0.0 0.0.255.255
    (implicit deny all - not visible in the list)
    (access-list 1 deny 0.0.0.0 255.255.255.255)

    RouterX(config)# interface ethernet 0
    RouterX(config-if)# ip access-group 1 out

    RouterX(config)# interface ethernet 1
    RouterX(config-if)# ip access-group 1 out

  • Slide 26/54

    Deny a specific host

    RouterX(config)# access-list 1 deny 172.16.4.13 0.0.0.0
    RouterX(config)# access-list 1 permit 0.0.0.0 255.255.255.255
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)

    RouterX(config)# interface ethernet 0
    RouterX(config-if)# ip access-group 1 out

  • Slide 27/54

    Deny a specific subnet

    RouterX(config)# access-list 1 deny 172.16.4.0 0.0.0.255
    RouterX(config)# access-list 1 permit any
    (implicit deny all)
    (access-list 1 deny 0.0.0.0 255.255.255.255)

    RouterX(config)# interface ethernet 0
    RouterX(config-if)# ip access-group 1 out


  • Slide 29/54

    RouterX(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

    Sets parameters for this list entry

    RouterX(config-if)# ip access-group access-list-number {in | out}

    Activates the extended list on an interface

  • Slide 30/54

    RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
    RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
    RouterX(config)# access-list 101 permit ip any any
    (implicit deny all)
    (access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)

    RouterX(config)# interface ethernet 0
    RouterX(config-if)# ip access-group 101 out

    Deny FTP traffic from subnet 172.16.4.0 to subnet 172.16.3.0 out E0

    Permit all other traffic

  • Slide 31/54

    RouterX(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
    RouterX(config)# access-list 101 permit ip any any
    (implicit deny all)

    RouterX(config)# interface ethernet 0
    RouterX(config-if)# ip access-group 101 out

    Deny only Telnet traffic from subnet 172.16.4.0 out E0

    Permit all other traffic
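The matching process behind slides 13, 18 and 29 to 31, as an added Python model (not Cisco code and not IOS itself): it parses the numbered extended entries shown above, evaluates a packet top-down with first match wins, and applies the implicit deny when nothing matches. Only the eq operator and the any/host address forms are modelled; the sample ACL is the one from slide 30.

```python
import ipaddress
from collections import namedtuple

# action, protocol ("ip" matches all), src/dst = (address, wildcard) ints, dport or None
Entry = namedtuple("Entry", "action protocol src dst dport")

def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq <port>' operator; other operators are not modelled."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, protocol, rest = tokens[2], tokens[3], tokens[4:]
        src = _addr(rest)
        _port(rest)                       # source port operator (unused on the slides)
        dst = _addr(rest)
        entries.append(Entry(action, protocol, src, dst, _port(rest)))
    return entries

def _match(addr, spec):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    return (addr ^ spec[0]) & ~spec[1] == 0

def evaluate(entries, protocol, src, dst, dport=None):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for e in entries:
        if e.protocol not in ("ip", protocol):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if _match(s, e.src) and _match(d, e.dst):
            return e.action
    return "deny"

# The extended ACL from slide 30, with the RouterX(config)# prompt stripped.
SLIDE_ACL_101 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
]
```

Feeding a list that contains only deny entries shows the slide-18 caveat: every packet ends at the implicit deny.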


  • Slide 33/54

    Deny a specific host

    RouterX(config)# ip access-list standard troublemaker
    RouterX(config-std-nacl)# deny host 172.16.4.13
    RouterX(config-std-nacl)# permit 172.16.4.0 0.0.0.255
    RouterX(config-std-nacl)# interface e0
    RouterX(config-if)# ip access-group troublemaker out

  • Slide 34/54

    Deny Telnet from a specific subnet

    RouterX(config)# ip access-list extended badgroup
    RouterX(config-ext-nacl)# deny tcp 172.16.4.0 0.0.0.255 any eq 23
    RouterX(config-ext-nacl)# permit ip any any
    RouterX(config-ext-nacl)# interface e0
    RouterX(config-if)# ip access-group badgroup out

  • Slide 35/54

    RouterX(config)# ip access-list {standard | extended} name

    Creates a named ACL

    RouterX(config-{std- | ext-}nacl)# remark remark

    Creates a named ACL comment

    Or

    RouterX(config)# access-list access-list-number remark remark

    Creates a numbered ACL comment

  • Slide 36/54

    RouterX# show access-lists {access-list-number | name}

    Displays all access lists

    RouterX# show access-lists
    Standard IP access list SALES
        10 deny 10.1.1.0, wildcard bits 0.0.0.255
        20 permit 10.3.3.1
        30 permit 10.4.4.1
        40 permit 10.5.5.1
    Extended IP access list ENG
        10 permit tcp host 10.22.22.1 any eq telnet (25 matches)
        20 permit tcp host 10.33.33.1 any eq ftp
        30 permit tcp host 10.44.44.1 any eq ftp-data

  • Slide 37/54

    RouterX# show ip interfaces e0
    Ethernet0 is up, line protocol is up
    Internet address is 10.1.1.11/24
    Broadcast address is 255.255.255.255
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 1
    Proxy ARP is enabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled

  • Slide 38/54

    Dynamic ACLs (lock-and-key): Users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.

  • Slide 39/54

    Reflexive ACLs: Used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router

  • Slide 40/54

    Time-based ACLs: Allow for access control based on the time of day and week


  • Slide 42/54

    An IP address is either local or global.

    Local IPv4 addresses are seen in the inside network.

    Global IPv4 addresses are seen in the outside network.


  • Slide 45/54

    RouterX(config)# ip nat inside source static local-ip global-ip

    Establishes static translation between an inside local address and an inside global address

    RouterX(config-if)# ip nat inside

    Marks the interface as connected to the inside

    RouterX(config-if)# ip nat outside

    Marks the interface as connected to the outside

    RouterX# show ip nat translations

    Displays active translations

  • Slide 46/54

    RouterX# show ip nat translations
    Pro  Inside global  Inside local  Outside local  Outside global
    ---  192.168.1.2    10.1.1.2      ---            ---

    interface s0
     ip address 192.168.1.1 255.255.255.0
     ip nat outside
    !
    interface e0
     ip address 10.1.1.1 255.255.255.0
     ip nat inside
    !
    ip nat inside source static 10.1.1.2 192.168.1.2

  • Slide 47/54

    RouterX(config)# access-list access-list-number permit source [source-wildcard]

    Defines a standard IP ACL permitting those inside local addresses that are to be translated

    RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

    Defines a pool of global addresses to be allocated as needed

    RouterX(config)# ip nat inside source list access-list-number pool name

    Establishes dynamic source translation, specifying the ACL that was defined in the previous step

    RouterX# show ip nat translations

    Displays active translations


  • Slide 50/54

    RouterX(config)# access-list access-list-number permit source source-wildcard

    Defines a standard IP ACL that will permit the inside local addresses that are to be translated

    RouterX(config)# ip nat inside source list access-list-number interface interface overload

    Establishes dynamic source translation, specifying the ACL that was defined in the previous step

    RouterX# show ip nat translations

    Displays active translations

  • Slide 51/54

    RouterX# show ip nat translations
    Pro  Inside global      Inside local       Outside local  Outside global
    TCP  172.17.38.1:1050   192.168.3.7:1050   10.1.1.1:23    10.1.1.1:23
    TCP  172.17.38.1:1776   192.168.4.12:1776  10.2.2.2:25    10.2.2.2:25

    hostname RouterX
    !
    interface Ethernet0
     ip address 192.168.3.1 255.255.255.0
     ip nat inside
    !
    interface Ethernet1
     ip address 192.168.4.1 255.255.255.0
     ip nat inside
    !
    interface Serial0
     description To ISP
     ip address 172.17.38.1 255.255.255.0
     ip nat outside
    !
    ip nat inside source list 1 interface Serial0 overload
    !
    ip route 0.0.0.0 0.0.0.0 Serial0
    !
    access-list 1 permit 192.168.3.0 0.0.0.255
    access-list 1 permit 192.168.4.0 0.0.0.255
    !
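A small Python model of the overload (PAT) configuration on this slide, added here and not part of the Cisco deck: inside sources permitted by access-list 1 are rewritten to the Serial0 address, the source port is kept when free (as in the table above) or reallocated on a collision, and replies are mapped back by global port. The outside-address columns and entry timeouts are left out of the model.

```python
import ipaddress

class PatRouter:
    """Model of 'ip nat inside source list 1 interface Serial0 overload': inside
    sources permitted by the ACL share one global address; the source port is
    kept when free, otherwise a new one is allocated; replies map back by port."""

    def __init__(self, global_ip, permitted_networks):
        self.global_ip = global_ip                         # the Serial0 address
        self.permitted = [ipaddress.ip_network(n) for n in permitted_networks]
        self.table = {}      # (proto, global_port) -> (inside_local_ip, local_port)
        self.by_local = {}   # (proto, inside_local_ip, local_port) -> global_port

    def _permitted(self, ip):
        """Standard ACL check: only the listed inside networks are translated."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.permitted)

    def outbound(self, proto, local_ip, local_port):
        """Translate an inside->outside packet and return (global_ip, global_port),
        or None when the ACL does not permit the source (no translation is built)."""
        if not self._permitted(local_ip):
            return None
        key = (proto, local_ip, local_port)
        if key in self.by_local:                   # reuse the existing entry
            return self.global_ip, self.by_local[key]
        gport = local_port
        while (proto, gport) in self.table:        # collision: pick another global port
            gport = gport + 1 if gport < 65535 else 1024
        self.table[(proto, gport)] = (local_ip, local_port)
        self.by_local[key] = gport
        return self.global_ip, gport

    def inbound(self, proto, global_port):
        """Map a returning packet to (inside_local_ip, local_port); None means no
        entry exists, so unsolicited inbound traffic is dropped."""
        return self.table.get((proto, global_port))

    def show_translations(self):
        """Rows in the style of 'show ip nat translations': Pro, Inside global, Inside local."""
        return [(proto, f"{self.global_ip}:{gport}", f"{lip}:{lport}")
                for (proto, gport), (lip, lport) in self.table.items()]

# Constructed from the slide-51 configuration: access-list 1 permits both inside LANs.
ROUTERX = PatRouter("172.17.38.1", ["192.168.3.0/24", "192.168.4.0/24"])
```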

  • Slide 52/54

    RouterX# clear ip nat translation *

    Clears all dynamic address translation entries

    RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]

    Clears a simple dynamic translation entry that contains an inside translation or both an inside and outside translation

    RouterX# clear ip nat translation outside local-ip global-ip

    Clears a simple dynamic translation entry that contains an outside translation

    RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]

    Clears an extended dynamic translation entry (PAT entry)

  • Slide 53/54

    RouterX# show ip nat statistics
    Total active translations: 1 (1 static, 0 dynamic; 0 extended)
    Outside interfaces:
      Ethernet0, Serial2
    Inside interfaces:
      Ethernet1
    Hits: 5  Misses: 0

    RouterX# debug ip nat
    NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
    NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
    NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
    NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
    NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
    NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
    NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23312]
    NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]

  • Slide 54/54

    Thank you.