Chapter 8: Access Control Lists for Threat Mitigation

Access Control Lists for Threat Mitigation• Lists the benefits of ACLs• Describes the building blocks and operational framework of ACLs• Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments• Lists design considerations when deploying ACLs• Demonstrates the use of Cisco Configuration Professional and the CLI to deploy and verify a threat containment strategy using ACLs• Demonstrates the use of Cisco Configuration Professional and the CLI to correlate ACL log and alarm information in order to monitor their impact and effectiveness• Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control• Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences with IPv4 ACLsOutlineACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world. ACLs filter network traffic in both directions by controlling whether to forward or block packets at the router interfaces, based on the criteria that you specify within the ACLs. ACL criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other informationACL FundamentalsHost A to access the Human Resources network but prevents Host B from accessing the Human Resources network.Filtering Host B Traffic Ingress Using an ACL• IP address spoofing (inbound)• IP address spoofing (outbound)• DoS TCP SYN attacks (blocking external attacks)• DoS TCP SYN attacks (using TCP intercept)• DoS Smurf attacks• Filtering ICMP messages (inbound)• Filtering ICMP messages (outbound)• Filtering tracerouteUsing ACLs to mitigate many threatsACLs operate in two ways:• Inbound: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is then processed for routing.• Outbound: Packets arriving on the inside interface are routed to the outbound interface, and then they are processed through the outbound ACL.ACL OperationOutbound ACL OperationTop-Down Process of Tests: Deny or PermitCisco routers support two types of IP ACLs:• Standard ACLs: Standard IP ACLs check the source addresses of packets that can be routed. The result either permits or denies the output for an entire protocol suite, based on the source network, subnet, or host IP address.• Extended ACLs: Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.The two general methods you can use to create ACLs are as follows:• Numbered ACLs: Use a number for identification.• Named ACLs: Use an alphanumeric string for identification.Types of IP ACLs• Wildcard mask bit 0: Match the corresponding bit value in the address.• Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.ACL Wildcard BitsWildcard Bits to Match IP Subnets 172.30.16.0 to 172.30.31.0Router(config)# access-list 1 deny 172.30.16.0 0.0.15.255Example: Wildcard Masking Process for IP SubnetsWildcard Masking Process with a Single IP AddressRouter(config)# access-list 2 permit 172.30.16.29 0.0.0.0Router(config)# access-list 2 permit host 172.30.16.29With a Match Any IP AddressRouter(config)# access-list 2 permit 0.0.0.0 255.255.255.255Router(config)# access-list 2 permit anyExample: Wildcard Masking Process with a Single IP Address and with a Match Any IP AddressNumbered Standard ACL Configuration Procedurer1(config)# access-list 1 deny 172.16.4.0 0.0.0.255r1(config)# access-list 1 permit any( implicit deny all = access-list 1 deny 0.0.0.0 255.255.255.255 )r1(config)# interface ethernet 0r1(config-if)# ip access-group 1 outExample: Numbered Standard IPv4 ACL—Deny a Specific SubnetRouter(config-line)# access-class access-list-number {in | out}Example :R1(config)# access-list 12 permit 192.168.1.0 0.0.0.255!R1(config)# line vty 0 4R1(config-line)# access-class 12 inACL with vty AccessWell-Known Port Numbers and IP ProtocolsNumbered Extended IPv4 ACLRouter(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]Router(config-if)# ip access-group access-list-number (in | out)Command for a Numbered Extended ACLr1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21r1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20r1(config)# access-list 101 permit ip any any(implicit deny all)(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)r1(config)# interface ethernet 0r1(config-if)# ip access-group 101 outNumbered Extended IPv4 ACL ExampleRouter(config)# access-list 102 permit tcp any host 200.1.1.2 establishedRouter(config)# access-list 102 permit tcp any host 200.1.1.2 eq smtpRouter(config)# interface serial 0Router(config-if)# ip access-group 102 inUsing the established KeywordThe benefits of using Object Groups for ACL include the following:• Increased performance when network traffic is heavy.• Reduced storage in NVRAM compared to conventional ACLs.• Separate ownership of the components of an ACE. For example, you can create an ACE where each department within an organization can control its group membership. You can also create an ACE to permit or deny the departments to contact each other.• Allows you to create an object group that contains other object groups. For example, you can create an ENG-ALL address group, which contains the ENG-EAST and ENG-WEST address groups.Enhancing ACLs with Object Groupsaccess-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq wwwaccess-list 100 deny tcp host 10.6.252.65 host 171.8.2.12 eq ftpaccess-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq wwwaccess-list 100 deny tcp host 10.6.252.65 host 171.8.2.13 eq ftpaccess-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq wwwaccess-list 100 deny tcp host 10.6.252.66 host 171.8.2.12 eq ftpaccess-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq wwwaccess-list 100 deny tcp host 10.6.252.66 host 171.8.2.13 eq ftpExample of an ACL Without Object Groupobject-group network SOURCES host 10.6.252.65 host 10.6.252.66object-group network DESTINATIONS host 171.8.2.12 host 171.8.2.13object-group service APPLICATIONS tcp www tcp ftpaccess-list 100 deny object-group APPLICATIONS object-group SOURCES object-group DESTINATIONSExample of an ACL Using Object GroupsThe following components can be modularized in network object groups:• Any IP address—includes a range from 0.0.0.0 to 255.255.255.255 (specified using the any command)• Host IP addresses• Hostnames• Other network object groups• Ranges of IP addresses• SubnetsNetwork object groupsThe following components can be modularized in service object groups:• Source and destination protocol ports (such as Telnet or Simple Network Management Protocol [SNMP])• ICMP types (such as echo, echo-reply, or host-unreachable)• Top-level protocols (such as TCP, UDP, or Encapsulating Security Payload [ESP])• Other service object groupsService object groupsBefore you start to develop any ACLs, consider the following basic rules:• Base your ACLs on your security policy• Write it out• Set up a development system• Access list comments• TestACL ConsiderationsYou should consider several caveats when working with ACLs:• ACLs by themselves are stateless• Only one ACL per interface, per protocol stack, per direction• Implicit deny all• Standard ACL limitation• Order of specific statements• Directional filtering• Modifying ACLs• Special packets• Extended ACL placement• Standard ACL placementACL Considerations Rules that can be created using CCP include the following:• ACLs• NAT rules• IPsec rules• Network Admission Control (NAC) rules• Firewall rules• Quality of service (QoS) rules• Unsupported rules• Externally defined rulesConfiguring ACLs for Threat Control Using Cisco Configuration ProfessionalCCP ACL SummaryWorking with ACLs in CCPThe configuration steps are as follows:Step 1. Configure the ACL.Step 2. Apply the ACL to interfaces.Step 3. Verify and monitor the ACL.ACL Configuration Scenario Using CCPACL EditorAdding RulesAdding an Extended RuleAssociating Rules with InterfacesEnabling Logging with CCPSelecting ACEs that Will Generate Log EntriesMonitoring ACLs with CCPLogged ACE Generated by the Firewall EntryConfiguring an Object Group with CCPYou can create two types of ACL object groups:• Network object groups: Can contain hostnames, host IP addresses, subnet masks, range of IP addresses, and other existing network object groups• Service object groups: Can contain top-level protocols, such as TCP, UDP, and TCP-UDP; ICMP types; source and destination protocol ports; and other existing service object groupsObject GroupConfiguring an Object Group Using CCPRouter# config tRouter(config)# object-group network INTERNAL-NETSRouter(config-network-group)# description Subnets inside the FirewallRouter(config-network-group)# 10.10.0.0 255.255.255.0Router(config-network-group)# 10.10.1.0 255.255.255.0Router(config-network-group)# 10.10.2.0 255.255.255.0Router(config-network-group)# 10.10.10.0 255.255.255.0Configuring an Object Group in the CLIAssigning Object Groups to ACLsUsing ACLs in IPv6 EnvironmentsIPv6 ACLs can help mitigate the following threats, among others:• Header extension threats; for instance, amplification attacks based on Routing Header (RH 0)• Threats based on misuse and abuse of IPv6 ICMP• Reconnaissance based on multicast IPv6 addresses• Threats that exploit tunneling solutions such as those used in IPv6 migration environmentsUsing ACLs in IPv6 EnvironmentsExamples of IPv6 Potential AttacksReflexive ACLs and time-based ACLs are also available in IPv6. An IPv6 ACL can match the following IPv6 headers:• routing: Matches any route header• mobility: Matches any mobility header• dest-option-type: Matches any destination option header• auth: Matches IPsec’s AH• undetermined-transport: Matches any packet whose Layer 4 protocol cannot be determined (fragmented or unknown extension header) (available only with the deny command)Advance IPv6 ACLipv6 access-list RFC4890permit icmp any any echo-reply permit icmp any any echo-request permit icmp any any 1 3permit icmp any any 1 4permit icmp any any packet-too-big permit icmp any any time-exceeded permit icmp any any parameter-problem permit icmp any any mld-querypermit icmp any any mld-reduction permit icmp any any mld-report permit icmp any any nd-napermit icmp any any nd-nspermit icmp any any router-solicitationRFC 4890 ICMP ACLIPv6 ACL Implicit Entriespermit icmp any any nd-napermit icmp any any nd-nadeny ipv6 any anyFor additional information, refer to these Cisco.com resources:“Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events,” “IP Access List Entry Sequence Numbering,” “Understanding Access Control List Logging,”