Which device will you configure an access control list on?

Understanding Access Control Lists

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources.

ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally ACLs reside in a firewall router or in a router connecting two internal networks.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.

Features

ACL support features include Flow-based Mirroring and ACL Logging.

  • Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device. You cannot configure a given ACL rule with mirror and redirect attributes.
  • ACL Logging provides a means for counting the number of “hits” against an ACL rule. When you configure ACL Logging, you augment the ACL deny rule specification with a ‘log’ parameter that enables hardware hit count collection and reporting. FASTPATH uses a fixed five minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot configure the logging interval.

Using ACLs to mirror traffic is called flow-based mirroring because the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.

Limitations

The following limitations apply to ACLs. These limitations are platform dependent.

  • Maximum of 100 ACLs.
  • Maximum of 8-10 rules per ACL.
  • The system supports ACLs set up for inbound traffic only.
  • You can configure mirror or redirect attributes for a given ACL rule, but not both.
  • The system does not support MAC ACLs and IP ACLs on the same interface.
  • A hardware platform may support a limited number of counter resources, so it may not be possible to log every ACL rule. You can define an ACL with any number of logging rules, but the number of rules that are actually logged cannot be determined until the ACL is applied to an interface. Furthermore, hardware counters that become available after an ACL is applied are not retroactively assigned to rules that were unable to be logged (the ACL must be un-applied then re-applied). Rules that are unable to be logged are still active in the ACL for purposes of permitting or denying a matching packet.
  • The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL is denied access.

MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):

  • Source MAC address
  • Source MAC mask
  • Destination MAC address
  • Destination MAC mask
  • VLAN ID
  • Class of Service (CoS) (802.1p)
  • Ethertype

L2 ACLs can apply to one or more interfaces.

Multiple access lists can be applied to a single interface; the sequence number assigned when each list is attached determines the order in which they are evaluated.

You can assign packets to queues using the assign queue option.

IP ACLs

IP ACLs classify traffic at Layers 3 and 4.

Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:

  • Destination IP with wildcard mask
  • Destination L4 Port
  • Every Packet
  • IP DSCP
  • IP Precedence
  • IP TOS
  • Protocol
  • Source IP with wildcard mask
  • Source L4 port
  • Destination Layer 4 port

To Configure ACLs

1. Create a MAC ACL by specifying a name.

2. Create an IP ACL by specifying a number.

3. Add new rules to the ACL.

4. Configure the match criteria for the rules.

5. Apply the ACL to one or more interfaces.

Setting Up an IP ACL via CLI

The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the Sun Netra CP3240 switch if the source and destination stations have IP addresses that fall within the defined sets.

FIGURE 22-1 IP ACL Example Network Diagram


Example 1: Create ACL 179 and Define an ACL Rule

With the wildcard masks applied, this rule permits TCP packets whose source address lies within the specified source range and whose destination is the specified host.

  config
  access-list 179 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0

Example 2: Define the Second Rule for ACL 179

Define the rule to set similar conditions for UDP traffic as for TCP traffic.


  access-list 179 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255
  exit

Example 3: Apply the Rule to Inbound Traffic on Port 1/0/2

Only traffic matching the criteria will be accepted.


  interface 0/2
  ip access-group 179 in
  exit

Setting Up a MAC ACL via CLI

The following are examples of the commands used for the MAC ACLs feature.

Example 1: Set up a MAC Access List


CODE EXAMPLE 22-1 Set Up a MAC Access List

  (DTI SWITCH) (Config)#mac access-list ?
  extended      Configure extended MAC Access List parameters.
  (LVL7 FASTPATH Routing) (Config)#mac access-list extended ?
                Enter access-list name up to 31 characters in length.
  rename        Rename MAC Access Control List.
  (DTI SWITCH) (Config)#mac access-list extended mac1 ?
                Press Enter to execute the command.
  (DTI SWITCH) (Config)#mac access-list extended mac1

Example 2: Specify MAC ACL Attributes


CODE EXAMPLE 22-2 Specify MAC ACL Attributes

  (DTI SWITCH) (Config)#mac access-list extended mac1
  (DTI SWITCH) (Config-mac-access-list)#deny ?
                    Enter a MAC Address.
  any               Configure a match condition for all the source MAC addresses in the Source MAC Address field.
  (DTI SWITCH) (Config-mac-access-list)#deny any ?
                    Enter a MAC Address.
  any               Configure a match condition for all the destination MAC addresses in the Destination MAC Address field.
  bpdu              Match on any BPDU destination MAC Address.
  (DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 ?
                    Enter a MAC Address bit mask.
  (DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 00:00:00:00:FF:FF ?
                    Enter one of the following keywords to specify an Ethertype (appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp).
  <0x0600-0xffff>   Enter a four-digit hexadecimal number in the range of 0x0600 to 0xffff to specify a custom Ethertype value.
  vlan              Configure a match condition based on a VLAN ID.
  cos               Configure a match condition based on a COS value.
  log               Configure logging for this access list rule.
  assign-queue      Configure the Queue Id assignment attribute.
                    Press Enter to execute the command.
  (DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 00:00:00:00:FF:FF log ?
  assign-queue      Configure the Queue Id assignment attribute.
                    Press Enter to execute the command.
  (DTI SWITCH) (Config-mac-access-list)#deny any 00:11:22:33:44:55 00:00:00:00:FF:FF log
  (DTI SWITCH) (Config-mac-access-list)#exit
  (DTI SWITCH) (Config)#exit
  (DTI SWITCH) #

Example 3: Configure MAC Access Group


CODE EXAMPLE 22-3 Configure MAC Access Group

  (DTI SWITCH) (Config)#interface 0/5
  (DTI SWITCH) (Interface 0/5)#mac ?
  access-group      Attach MAC Access List to Interface.
  (DTI SWITCH) (Interface 0/5)#mac access-group ?
                    Enter name of MAC Access Control List.
  (DTI SWITCH) (Interface 0/5)#mac access-group mac1 ?
  in                Enter the direction.
  (DTI SWITCH) (Interface 0/5)#mac access-group mac1 in ?
                    Press Enter to execute the command.
  <1-4294967295>    Enter the sequence number (greater than 0) to rank direction. A lower sequence number has higher precedence.
  (DTI SWITCH) (Interface 0/5)#mac access-group mac1 in 6 ?
                    Press Enter to execute the command.
  (DTI SWITCH) (Interface 0/5)#mac access-group mac1 in 6
  (DTI SWITCH) (Interface 0/5)#exit
  (DTI SWITCH) (Config)#exit
  (DTI SWITCH) #

Example 4: Set up an ACL with Permit Action


CODE EXAMPLE 22-4 Set Up ACL with Permit Action

  (DTI SWITCH) (Config)#mac access-list extended mac2
  (DTI SWITCH) (Config-mac-access-list)#permit ?
                    Enter a MAC Address.
  any               Configure a match condition for all the source MAC addresses in the Source MAC Address field.
  (DTI SWITCH) (Config-mac-access-list)#permit any ?
                    Enter a MAC Address.
  any               Configure a match condition for all the destination MAC addresses in the Destination MAC Address field.
  bpdu              Match on any BPDU destination MAC Address.
  (DTI SWITCH) (Config-mac-access-list)#permit any any ?
                    Enter one of the following keywords to specify an Ethertype (appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp).
  <0x0600-0xffff>   Enter a four-digit hexadecimal number in the range of 0x0600 to 0xffff to specify a custom Ethertype value.
  vlan              Configure a match condition based on a VLAN ID.
  cos               Configure a match condition based on a COS value.
  log               Configure logging for this access list rule.
  assign-queue      Configure the Queue Id assignment attribute.
                    Press Enter to execute the command.
  (DTI SWITCH) (Config-mac-access-list)#permit any any
  (DTI SWITCH) (Config-mac-access-list)#

Example 5: Show MAC Access Lists


CODE EXAMPLE 22-5 Show MAC Access Lists

  (DTI SWITCH) #show mac access-lists

  Current number of all ACLs: 2
  Maximum number of all ACLs: 100

  MAC ACL Name   Rules   Direction   Interface(s)
  ------------   -----   ---------   ------------
  mac1           1       inbound     0/5
  mac2           1

  (DTI SWITCH) #show mac access-lists mac1

  MAC ACL Name: mac1

  Rule Number: 1
  Action......................................... deny
  Destination MAC Address........................ 00:11:22:33:44:55
  Destination MAC Mask........................... 00:00:00:00:FF:FF
  Log............................................ TRUE

  (DTI SWITCH) #
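As an added example (not code from the Sun or FASTPATH documentation), the following Python script simulates how the switch evaluates ACL 179 from the IP ACL examples and the MAC ACLs mac1 and mac2 from CODE EXAMPLEs 22-2 to 22-4: wildcard masks, first-match precedence, the implicit deny once a list is bound to a port, hit counting for a rule carrying the log attribute, and several lists on one port ranked by sequence number. Assumptions: the MAC masks follow the same wildcard convention as the IP masks (a 1 bit means "do not care"), a lower-sequence list is evaluated before a higher one, and the packets are constructed.

```python
from dataclasses import dataclass


def _to_int(addr: str) -> int:
    """Parse a dotted IPv4 address or a colon-separated MAC address into an int."""
    if ":" in addr:
        return int(addr.replace(":", ""), 16)
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def wildcard_match(value: str, pattern: str, mask: str) -> bool:
    """Wildcard semantics (assumed for MAC masks): a 1 bit in the mask means
    'do not care'. 0.0.0.0 demands an exact host; 0.0.0.255 matches a whole /24."""
    care = ~_to_int(mask)
    return (_to_int(value) & care) == (_to_int(pattern) & care)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"          # tcp/udp for IP ACLs, Ethertype keyword for MAC ACLs
    src: str = "any"
    src_mask: str = "0.0.0.0"
    dst: str = "any"
    dst_mask: str = "0.0.0.0"
    log: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and pkt.get("proto") != self.proto:
            return False
        for key, pat, mask in (("src", self.src, self.src_mask),
                               ("dst", self.dst, self.dst_mask)):
            if pat != "any" and not wildcard_match(pkt[key], pat, mask):
                return False
        return True


def evaluate(rules, pkt, hits=None):
    """First matching rule wins; no match means the implicit deny that applies
    as soon as an ACL is bound to a port. Returns (action, rule number or None)."""
    for number, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            if rule.log and hits is not None:      # 'log' only counts hits
                hits[number] = hits.get(number, 0) + 1
            return rule.action, number
    return "deny", None


def evaluate_interface(groups, pkt):
    """Several lists on one port, given as (sequence, rules). Assumed: lower
    sequence numbers are evaluated first; the first explicit match decides."""
    for _seq, rules in sorted(groups, key=lambda g: g[0]):
        action, number = evaluate(rules, pkt)
        if number is not None:
            return action
    return "deny"


# ACL 179 exactly as typed in the CLI examples (note the differing destination masks).
ACL_179 = [
    Rule("permit", "tcp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"),
    Rule("permit", "udp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.255"),
]
# mac1 on its own denies every frame: its one rule denies, the implicit deny catches the rest.
MAC1 = [Rule("deny", dst="00:11:22:33:44:55", dst_mask="00:00:00:00:FF:FF", log=True)]
MAC2 = [Rule("permit")]                       # permit any any
```

Because the two rules of ACL 179 carry different destination masks, a UDP packet to any host in 192.168.77.0/24 is permitted while TCP is permitted only to 192.168.77.3; everything else, including ICMP from a permitted source, falls through to the implicit deny.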

Setting Up ACLs via Web Interface

The following web pages are used in the ACL feature.

FIGURE 22-2 MAC ACL Configuration Page - Create New MAC ACL


FIGURE 22-3 MAC ACL Configuration Page


FIGURE 22-4 MAC ACL Summary


FIGURE 22-5 MAC ACL Rule Configuration - Create New Rule


FIGURE 22-6 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask


FIGURE 22-7 MAC ACL Rule Configuration Page - View the Current Settings


FIGURE 22-8 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask


FIGURE 22-9 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask


FIGURE 22-10 ACL Interface Configuration


FIGURE 22-11 IP ACL Configuration Page - Create a New IP ACL


FIGURE 22-12 IP ACL Configuration Page - Create a Rule and Assign an ID


FIGURE 22-13 IP ACL Configure IP ACL Rule Properties


FIGURE 22-14 IP ACL Rule Configuration Page - Rule with Protocol and Source IP Configuration


FIGURE 22-15 Attach IP ACL to an Interface


FIGURE 22-16 IP ACL Summary


© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.

What Are The Components of An Access Control List?

The implementation of ACLs is similar across most routing platforms, all of which follow general guidelines for configuring them. Remember that an ACL is simply a set of rules, or entries, that allow or deny traffic. An Access Control List can have a single entry or many, each of which does one thing, such as permitting everything or blocking nothing.

When you define an ACL entry, you will need the following information.

  1. Sequence Number:
    Identify an ACL entry using a number.
  2. ACL Name:
    Define an ACL entry using a name. Instead of using a sequence of numbers, some routers allow a combination of letters and numbers.
  3. Remark:
    Some Routers allow you to add comments into an ACL, which can help you to add detailed descriptions.
  4. Statement:
    Deny or permit a specific source based on address and wildcard mask. Some routing devices, such as Cisco, configure an implicit deny statement at the end of each ACL by default.
  5. Network Protocol:
    Specify whether deny/permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
  6. Source or Destination:
    Define the Source or Destination target as a single IP, an address range (CIDR), or all addresses.
  7. Log:
    Some devices are capable of keeping logs when ACL matches are found.
  8. Other Criteria:
    Advanced ACLs allow you to control traffic through the Type of Service (ToS), IP precedence, and differentiated services codepoint (DSCP) priority.

What Is an Access Control List

An access control list (ACL) contains rules that grant or deny access to certain digital environments. There are two types of ACLs:

  • Filesystem ACLs: filter access to files and/or directories. Filesystem ACLs tell operating systems which users can access the system, and what privileges the users are allowed.
  • Networking ACLs: filter access to the network. Networking ACLs tell routers and switches which type of traffic can access the network, and which activity is allowed.

Originally, ACLs were the only way to achieve firewall protection. Today, there are many types of firewalls and alternatives to ACLs. However, organizations continue to use ACLs in conjunction with technologies like virtual private networks (VPNs) that specify which traffic should be encrypted and transferred through a VPN tunnel.

Reasons to use an ACL:

  • Traffic flow control
  • Restricted network traffic for better network performance
  • A level of security for network access specifying which areas of the server/network/service can be accessed by a user and which cannot
  • Granular monitoring of the traffic exiting and entering the system

Network Security Management

Eric Knipp, ... Edgar Danielyan (Technical Editor), in Managing Cisco Network Security (Second Edition), 2002

ACL Manager Overview

ACLM is a component within the network management software system known as CiscoWorks2000. CiscoWorks2000 is a highly extensible application suite ideally suited for managing Cisco enterprise networks and devices. For convenience and appropriate application, CiscoWorks2000 has numerous sub-components that integrate under the CiscoWorks2000 software framework. These components provide management solutions for local area networks (LAN) and wide area networks (WAN) of the enterprise.

ACLM is included in the CiscoWorks2000 Routed WAN Management Solution set. In addition to ACLM, this set of applications includes the following components:

Cisco nGenius Real-Time Monitor

CiscoView

Resource Manager Essentials

Internetwork Performance Monitor

With these tools, administrators greatly increase configuration, administration, monitoring, and troubleshooting capabilities in large-scale network deployments. Furthermore, long-term performance insight and network traffic optimization are possible with the CiscoWorks2000 Routed WAN Management Solution. For additional information regarding the CiscoWorks2000 suite of products and functionality, refer to the Cisco Web site.

As the name implies, ACLM is used to develop and maintain ACLs on Cisco devices. ACLM runs as an integrated component of Resource Manager Essentials and can manage most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst IOS version 5.3 through 5.5.

The Web-based Windows Explorer-like graphical interface provides powerful control of IP and IPX access lists and device access control from virtually anywhere on the network. VLAN and SNMP access control list management is also possible via ACLM. The interface eliminates the complexity and syntactical accuracy required to implement lengthy ACLs via the CLI. Furthermore, ACLM saves time and resources through batch configuration of new filters and the consistent and accurate management of existing access lists in a large-scale network.

ACLM includes several modules used to perform specific actions within the manager functionality suite. These modules are as follows:

Template Manager The Template Manager module is used to construct and maintain ACL templates for the predictable and error-free security management of numerous Cisco devices. Using template manager, administrators can create appropriate templates for many devices instead of reinventing the wheel for each new network component.

Class Manager This module enables the creation of service and network groups or classes. With this module, administrators can save time by designating typical groupings of rules to be quickly implemented via ACLM.

Template Use Wizard Administrators use the Template Use Wizard to apply previously created packet and VLAN filtering ACLs, and line and SNMP ACLs across the network. In conjunction with Template Manager, the wizard module allows administrators to be more efficient when deploying or modifying numerous ACL configurations to devices on the network.

Optimizer For additional ACL efficiency of a Cisco device, the Optimizer module can be used to inspect ACL statement ordering and syntax. Optimizer removes redundant statements and consolidates entries. Moreover, the optimizer module can automatically reorder ACL statements against hit rate utilization statistics to provide the utmost in efficiency.

DiffViewer DiffViewer assists the administrator in discerning changes between different versions of an ACL. Using this module, alterations are easily identifiable, making version control and version rollback simple.

ACL Downloader This module enables the scheduled or manual download of ACLs from Cisco devices in the network.

ACL Manager Device and Software Support

ACLM version 1.3 supports most Cisco IOS routers, access servers, and hubs with an IOS of 10.3 through 12.1. ACLM can also manage Catalyst switches running Catalyst OS version 5.3 through 5.5. Using ACLM, administrators can view all ACLs, regardless of type. ACLM includes full support for the following access lists:

IP, IP_EXTENDED

IPX, IPX_EXTENDED

IPX_SAP, IPX_SUMMARY

RATE_LIMIT_MAC

RATE_LIMIT_PRECEDENCE

VACL_Catalyst 6000

URL:https://www.sciencedirect.com/science/article/pii/B9781931836562500180

Frustration Strategies

Timothy J. Shimeall, Jonathan M. Spring, in Introduction to Information Security, 2014

Proxies that Aid the Attacker

The attacker can also use proxies external to the organization. In this respect, the attacker/defender roles are flipped, and the attacker is attempting to frustrate the defender. But before terminology gets too muddled, let’s just explain an example scenario.

The defender has an ACL rule to prevent internal connections to a particular malicious IP address. The attacker notices the disruption, however he or she is unable to alter the malicious resource’s IP address. In the same way an internal proxy service obscures the internal IP addresses using a service, so too would a proxy service external to the organization hide the attacker’s IP address. With a new IP address, the attacker will bypass the ACL rule. There are many free, open proxies available on the Internet that could be used for this purpose [45], and the TOR (derived from The Onion Router, although officially the name is no longer an acronym) network would also largely accomplish this goal [46]. Internal users frustrated by strict ACLs may also turn to external proxies to bypass security policies.

If the defender is implementing ACLs as black lists, or lists of resources to block access to, lists of active open-proxy IP addresses should be added to the block list. The most secure and restrictive option would be to only permit users to visit known-benign resources—that is, to use a white list—and to route those users through a web proxy and use firewall ACLs to prevent all other traffic on common web ports 80, 443, and 8080 [37]. This was the tactic in mind for the example in Figure 5.4.

URL:https://www.sciencedirect.com/science/article/pii/B9781597499699000055

Access Control List (ACL) in Networking

In a network environment consisting of a large number of employees and network devices, there is a lot of incoming and outgoing data traffic. This leads to bandwidth bottlenecks, which in turn affect the transmission of important data. To control this, you first need to identify the network devices that consume a lot of bandwidth using a traffic monitoring tool. Once the devices are identified, you can apply Access Control List (ACL) policies on the network devices to determine the priority of data during transmission. Network Configuration Manager serves this purpose, since it allows you to apply ACL policies to multiple devices by bulk execution of configlets.

Now let us see certain guidelines to follow while configuring Access Control Lists: