8/11/2019 Sybex CCNA 640-802 Chapter 12
1/30
Sybex CCNA 640-802
Chapter 12: Security
Instructor & Todd Lammle
Chapter 1 Objectives
The CCNA topics covered in this chapter include:
Introduction to Security
Types of attacks
Mitigating attacks
Access-lists
  Standard
  Extended
  Named
Monitoring Access-lists
Introduction to Security
Attacks
Application-layer attacks
Autorooters
Backdoors
Denial of service (DoS) and distributed denial of service (DDoS) attacks
(many others)
Mitigating Attacks
Appliances
  IDS
  IPS
  Stateful IOS firewall inspection engine
  Firewall voice traversal
  ICMP inspection
  Authentication proxy
Access Lists
Purpose:
Used to permit or deny packets moving through the router
Permit or deny Telnet (VTY) access to or from a router
Create dial-on-demand routing (DDR) interesting traffic that triggers dialing to a remote location
Important Rules
Packets are compared to each line of the access list in sequential order
Packets are compared with lines of the access list only until a match is made
Once a match is made and acted upon, no further comparisons take place
An implicit deny is at the end of each access list
If no matches have been made, the packet will be discarded
Types of Access Lists
Standard Access List
  Filter by source IP address only
Extended Access List
  Filter by source IP, destination IP, protocol field, port number
Named Access List
  Functionally the same as standard and extended access lists
Application of Access Lists
Inbound Access Lists
  Packets are processed before being routed to the outbound interface
Outbound Access Lists
  Packets are routed to the outbound interface and then processed through the access list
ACL Guidelines
One access list per interface, per protocol, per direction
More specific tests at the top of the ACL
New lines are placed at the bottom of the ACL
Individual lines cannot be removed
End ACLs with a permit any command
Create ACLs and then apply them to an interface
ACLs do not filter traffic originated from the router
Put standard ACLs close to the destination
Put extended ACLs close to the source
Standard IP Access Lists
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
  IP standard access list
  IP extended access list
  IPX SAP access list
  Extended 48-bit MAC address access list
  IPX summary address access list
  Protocol type-code access list
  DECnet access list
  Appletalk access list
  48-bit MAC address access list
  IPX standard access list
  IPX extended access list
Standard IP Access Lists
Creating a standard IP access list:
Router(config)#access-list 10 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
Permit or deny?
Router(config)#access-list 10 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
Using the host command:
Router(config)#access-list 10 deny host 172.16.30.2
Wildcards
What are they?
Used with access lists to specify a:
  Host
  Network
  Part of a network
Block Sizes
64 32 16 8 4
Rules:
When specifying a range of addresses, choose the closest block size
Each block size must start at 0
A 0 in a wildcard means that octet must match exactly
A 255 in a wildcard means that octet can be any value
The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255
Specifying a Range of Subnets
(Remember: specify a range of values in a block size)
Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
Network number = 172.16.8.0
Wildcard = 0.0.7.255
**The wildcard is always one number less than the block size
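Worked example, added here and not part of the Sybex/Lammle slides: Python code that applies the block-size and wildcard rules from the two slides above (the wildcard is one less than the block size; the block starts at 0 or a multiple of its size) and then walks a standard access list the way the Important Rules slide describes: top to bottom, first match acts, implicit deny at the end. It goes a little beyond the slide by working on whole addresses rather than one octet, so the range is given as its first and last address (the slide's 172.16.8.0 through 172.16.15.0 becomes 172.16.8.0 through 172.16.15.255). Access list 10 below is constructed for the example and the function names are my own.

```python
# Added example, not from the Sybex/Lammle slides: wildcard arithmetic and
# standard-ACL evaluation in Python. Function names and ACL_10 are my own.
import ipaddress
from typing import List, Optional, Tuple

BLOCK_SIZES = (64, 32, 16, 8, 4)   # per-octet block sizes listed on the slide


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_for_range(first: str, last: str) -> Tuple[str, str]:
    """Return (network, wildcard) for the contiguous range first..last.

    Slide rules: the range must be a power-of-two block, the block must
    start at 0 or a multiple of its size, and the wildcard is always one
    less than the block size.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    span = hi - lo + 1                          # addresses covered by the range
    if span <= 0 or span & (span - 1):
        raise ValueError("range is not a valid block size")
    if lo % span:
        raise ValueError("block must start at 0 or a multiple of its size")
    return int_to_ip(lo), int_to_ip(span - 1)   # wildcard = block size - 1


def block_size_in_octet(wildcard: str) -> Tuple[int, int]:
    """Which octet a wildcard varies and its block size: 0.0.7.255 -> (3, 8)."""
    for n, value in enumerate(wildcard.split("."), start=1):
        if value != "0":
            return n, int(value) + 1            # wildcard is block size minus one
    return 4, 1                                 # 0.0.0.0 matches a single host


def wildcard_match(packet_ip: str, address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit can be any value."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) & care) == (ip_to_int(address) & care)


ANY = ("0.0.0.0", "255.255.255.255")           # 'any' written out as a wildcard

# Constructed standard access list 10, in the order it was configured:
#   access-list 10 deny   host 172.16.30.2
#   access-list 10 deny   172.16.8.0 0.0.7.255
#   access-list 10 permit any
ACL_10: List[Tuple[str, str, str]] = [
    ("deny", "172.16.30.2", "0.0.0.0"),
    ("deny", "172.16.8.0", "0.0.7.255"),
    ("permit", *ANY),
]


def evaluate_standard_acl(acl, source_ip: str) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; return (action, matched line numbered
    from 1), or ("deny", None) when the implicit deny at the end applies."""
    for line, (action, address, wildcard) in enumerate(acl, start=1):
        if wildcard_match(source_ip, address, wildcard):
            return action, line                 # first match acts; no further tests
    return "deny", None                         # implicit deny: packet discarded


if __name__ == "__main__":
    print(wildcard_for_range("172.16.8.0", "172.16.15.255"))   # ('172.16.8.0', '0.0.7.255')
    for src in ("172.16.30.2", "172.16.12.7", "172.16.16.1"):
        print(src, evaluate_standard_acl(ACL_10, src))
```

Reordering ACL_10 so that the permit any line comes first would make both deny lines unreachable, which is the reason the guidelines slide puts more specific tests at the top.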
Standard ACL Example
(diagram slide; no text content)
Standard ACL Example 2
(diagram slide; no text content)
Standard ACL Example 3
(diagram slide; no text content)
Controlling VTY (Telnet) Access
Why?
Without an ACL, any user can Telnet into the router via VTY and gain access
Controlling access:
Create a standard IP access list permitting only the host or hosts authorized to Telnet into the router
Apply the ACL to the VTY lines with the access-class command
Example
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
(implied deny)
Extended IP Access Lists
Allows you to choose:
  IP source address
  IP destination address
  Protocol
  Port number
Extended IP ACLs
Router(config)#access-list ?
  IP standard access list
  IP extended access list
  IPX SAP access list
  Extended 48-bit MAC address access list
  IPX summary address access list
  Protocol type-code access list
  DECnet access list
  Appletalk access list
  48-bit MAC address access list
  IPX standard access list
  IPX extended access list
Router(config)#access-list 110 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
Extended IP ACLs
Router(config)#access-list 110 deny ?
  An IP protocol number
  ahp     Authentication Header Protocol
  eigrp   Cisco's EIGRP routing protocol
  esp     Encapsulation Security Payload
  gre     Cisco's GRE tunneling
  icmp    Internet Control Message Protocol
  igmp    Internet Gateway Message Protocol
  igrp    Cisco's IGRP routing protocol
  ip      Any Internet Protocol
  ipinip  IP in IP tunneling
  nos     KA9Q NOS compatible IP over IP tunneling
  ospf    OSPF routing protocol
  pcp     Payload Compression Protocol
  tcp     Transmission Control Protocol
  udp     User Datagram Protocol
Router(config)#access-list 110 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
Extended IP ACL Steps
#1: Select the access list:
RouterA(config)#access-list 110
#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny
#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp
#4: Choose the source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any
#5: Choose the destination IP address:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
#6: Choose the type of service, port, and logging:
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
Steps (cont.)
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
RouterA(config)#ip access-group 110 in
or
RouterA(config)#ip access-group 110 out
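Added example, not from the slides: a small parser for the extended-ACL line built up in steps #1 to #6 (access-list number, permit or deny, protocol, source, destination, optional eq port and log) and an evaluator that applies the parsed list to a packet description, reporting which line matched and whether that line carries the log keyword. The first and third access-list 110 lines are the ones from the steps above; the udp/snmp line, the PORT_NAMES table and all function names are my own. The code assumes the list has already been applied with ip access-group and does not model interface or direction.

```python
# Added example, not from the Sybex/Lammle slides: parse the extended-ACL
# line built in steps #1-#6 and evaluate the resulting list against a packet.
#   access-list <number> {permit|deny} <proto> <src> <dst> [eq <port>] [log]
# Function names and the PORT_NAMES table are my own; addresses use the three
# forms the slides show: any, host A.B.C.D, or A.B.C.D wildcard.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed configuration: the two lines from the steps plus one udp/snmp line.
CONFIG = """
access-list 110 deny tcp any host 172.16.30.2 eq 23 log
access-list 110 deny udp any any eq snmp
access-list 110 permit ip any 0.0.0.0 255.255.255.255
"""

# A few of the port names IOS accepts after 'eq' (partial table, my own).
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "snmp": 161}


@dataclass
class Entry:
    action: str                 # permit or deny
    proto: str                  # ip matches everything; tcp/udp/icmp/... exact
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    port: Optional[int]         # destination port from 'eq', else None
    log: bool                   # 'log' keyword present


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_address(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec at tokens[i]; return ((address, wildcard), next i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1                    # 0.0.0.0 255.255.255.255
    if tokens[i] == "host":
        return (to_int(tokens[i + 1]), 0), i + 2         # wildcard 0.0.0.0
    return (to_int(tokens[i]), to_int(tokens[i + 1])), i + 2


def parse_line(line: str) -> Tuple[int, Entry]:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action, proto = int(t[1]), t[2], t[3]
    if not (100 <= number <= 199 or 2000 <= number <= 2699):   # extended ranges
        raise ValueError("not an extended ACL number: %d" % number)
    if action not in ("permit", "deny"):
        raise ValueError("expected permit or deny, got " + action)
    src, i = parse_address(t, 4)
    dst, i = parse_address(t, i)
    port, log = None, False
    while i < len(t):                           # optional trailing keywords
        if t[i] == "eq":
            p = t[i + 1]
            port = int(p) if p.isdigit() else PORT_NAMES[p]
            i += 2
        elif t[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError("unsupported keyword: " + t[i])
    return number, Entry(action, proto, src, dst, port, log)


def parse_config(text: str) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in text.strip().splitlines():
        number, entry = parse_line(line)
        acls.setdefault(number, []).append(entry)   # new lines go at the bottom
    return acls


def matches(addr: int, spec: Tuple[int, int]) -> bool:
    address, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF               # 0 bits in the wildcard must match
    return (addr & care) == (address & care)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int], bool]:
    """Return (action, matched line from 1 or None, logged). First match wins;
    a packet that matches nothing hits the implicit deny and is not logged."""
    s, d = to_int(src), to_int(dst)
    for n, e in enumerate(acl, start=1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (matches(s, e.src) and matches(d, e.dst)):
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action, n, e.log
    return "deny", None, False


if __name__ == "__main__":
    acl_110 = parse_config(CONFIG)[110]
    print(evaluate(acl_110, "tcp", "10.1.1.1", "172.16.30.2", 23))   # ('deny', 1, True)
    print(evaluate(acl_110, "tcp", "10.1.1.1", "172.16.30.2", 80))   # ('permit', 3, False)
```

Because the implicit deny carries no log keyword, traffic dropped by it never appears in the log; if dropped packets need to be visible, the list has to end with an explicit deny ip any any log before the implicit deny is reached.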
Named Access Lists
Another way to create standard and extended access lists.
Allows the use of descriptive names to ease network management.
Syntax changes:
Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)#permit any
Turning Off and Configuring Network Services
SNMP
Lab_B(config)#access-list 110 deny udp any any eq snmp
Echo
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
BootP and Auto-Config
Lab_B(config)#no ip boot server
Lab_B(config)#no service config
Examples: more on pages 632-635
Cisco's AutoSecure
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance
security and any possible side effects, please refer to Cisco.com
for Autosecure documentation.
At any prompt you may enter ? for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: [enter]
Interface         IP-Address   OK? Method Status                Protocol
FastEthernet0/0   10.10.10.1   YES NVRAM  up                    up
Serial0/0         1.1.1.1      YES NVRAM  down                  down
FastEthernet0/1   unassigned   YES NVRAM  administratively down down
Serial0/1         unassigned   YES NVRAM  administratively down down
Enter the interface name that is facing the internet: serial0/0
Securing Management plane services...
Monitoring IP Access Lists
Display all access lists and their parameters:
show access-list
Show only the parameters for access list 110:
show access-list 110
Show only the IP access lists configured:
show ip access-list
Show which interfaces have access lists set:
show ip interface
Show the access lists and which interfaces have access lists set:
show running-config
Written Labs and Review Questions
Open your books and go through all the written labs and the review questions.
Review the answers in class.