Introduction to ACLs - PowerPoint PPT Presentation

Provided by: johnmc1

Transcript and Presenter's Notes
1
Introduction to ACLs
  • TSM 352
  • System Security

2
What is an 'Access List'
  • An ordered set of statements
  • Permits or Denies the flow of packets across an
    interface
  • Decisions are based on matching criteria of
    access list parameters and information contained
    in packets.

3
Application of an Access List
  • An access list must be both created and applied
    to an interface for it to be in effect.
  • Since the flow of data across an interface is
    bi-directional, an access list can be applied to
    a specific direction on an interface, either
    inbound or outbound.
  • Inbound refers to the flow of data toward a
    router
  • Outbound refers to the flow of data in a
    direction away from a router

4
Types of Access Lists
  • Standard and extended.
  • A standard access list only allows filtering
    based upon source address.
  • An extended access list enables the user to
    filter packets based upon both source and
    destination address, as well as upper-layer
    application data.

5
Standard IP Access Lists
  • The format of a standard IP access list
  • access-list [list number]
  • permit | deny
  • source address [wildcard-mask]
  • [log]

6
Notation
  • The vertical bar ( | ) indicates a choice of
    items that could be used
  • permit | deny
  • You need to choose either permit or deny in
    this case

7
List Numbers
  • 1 to 99: Standard ACLs for the IP protocol
  • 100 to 199: Extended ACLs for the IP protocol
  • Cisco supports a number of different protocols in
    an access list (both by name and by number). A
    list of these protocols and their corresponding
    numbers can be found from a number of sources.
  • Our primary focus in this course is on IP-related
    access lists which use list number ranges 1 to 99
    for standard lists and 100 to 199 for extended
    lists.

8
Specifying Addresses
  • IP address of a host or group of hosts
  • Specified using dotted decimal notation and a
    wildcard-mask.
  • Wildcard-Mask: The wildcard-mask supported by
    Cisco ACLs works in a reverse manner to a subnet
    mask.
  • The access-list mask uses a binary 0 to represent
    a match and a binary 1 to represent a "don't
    care" condition.

9
Addressing Examples
  • A single address
  • 172.17.45.8 0.0.0.0
  • A class-C subnet
  • 216.249.144.0 0.0.0.255
  • All addresses
  • 0.0.0.0 255.255.255.255

10
Keywords
  • Although most access-list keywords are only
    applicable to extended access lists, three are
    applicable to standard IP access lists and can
    come in very handy.
  • host: equivalent to a wildcard-mask of 0.0.0.0
  • any: equivalent to 0.0.0.0 255.255.255.255
  • log: log any traffic that matches this entry

11
Extended IP Access Lists
  • Extends the ability to filter packets.
  • Allows packet filtering based upon
  • Source and Destination Address
  • Protocol
  • Source and Destination Port
  • A variety of options that permit comparison of
    specific bits in certain packet fields.
  • Format
  • access-list [list number]
  • permit | deny
  • protocol | protocol keyword
  • source address source-wildcard [source port]
  • dest address dest-wildcard [destination port]
  • [log] [options]

12
Protocol
  • This entry defines the protocol to be filtered
  • IP
  • TCP
  • UDP
  • ICMP
  • Place more specific entries ahead of less
    specific entries.
  • Example
  • permit ip any any
  • deny tcp host 216.249.153.157 any
  • The second statement is never utilized, because
    the first statement already matches every packet.

13
Address Fields
  • Treated exactly as the address field in the
    Standard ACL

14
Port Specifications
  • The port number can be specified in several ways.
  • Explicitly, either as a numeric or as a
    recognized mnemonic. For example, you could use
    either '80' or 'http' to specify the Web's
    hypertext transmission protocol.
  • For TCP and UDP you can use the keyword operators
    'lt' (less than), 'gt' (greater than), 'eq'
    (equal), and 'ne' (not equal).
  • Examples
  • permit tcp any host 198.78.46.8 eq smtp
  • permit tcp any host 198.78.46.3 eq www
  • permit tcp any eq 53 any

15
Extended ACL Options
16
Creating and Editing ACLs
  • ACLs can be created and applied directly through
    the command-line interface.
  • This is confusing and error-prone for the person
    configuring the router, and it has security risks
  • Best to work with the ACL's offline, and then
    apply them via a file transfer.
  • Our Technique for lab
  • Create the ACL using Notepad
  • Use the terminal program to 'send' the file from
    the Config Terminal mode.
  • Will provide a record of what we have done, and a
    convenient way to make changes.

17
Applying ACLs
  • Three items are required to apply an access list
    to an interface
  • Access list
  • An interface to apply the access list to
  • (config)# interface fa0/0
  • Define the direction the access list is applied
    to on the interface.
  • (config-if)# ip access-group [list number] in | out

18
Putting it all together
  • interface fa0/0
  • ip access-group 107 in
  • access-list 107 permit ip any host 198.78.46.8
  • access-list 107 permit tcp any host 198.78.46.12 eq 80
  • access-list 107 deny ip any any

19
How Rule Sets are Processed
  • Processed in the order they appear in the list
  • When a packet comes to an interface where an ACL
    is active, the packet is checked against the
    rules in the list, starting at the top of the
    list.
  • If the packet does not match the first rule, the
    router moves to the second rule and so on.
  • If/when a match is found, the rule is applied
    (either Permit or Deny). At that point, no more
    rules are checked.

20
The implicit deny
  • If a packet gets all the way through the list of
    rules and never finds a match, it is
    automatically dropped (discarded).
  • This is what is meant by an implicit deny.
  • In our lab, the access-list was finished with a
    deny all statement.
  • It is unnecessary to explicitly include this
    statement, since any access-list will
    automatically end in an implicit deny all
    statement.
  • However, it is fine to go ahead and place the
    deny all statement explicitly in your list this
    helps to remind you that the function is there.
  • WARNING If an access list exists, but has no
    entries, there will not be an implicit deny. This
    often occurs if a list was started, and then
    later the lines in it were removed to a point
    where no lines are left.

21
Named Access Lists
  • Why Named Lists?
  • Might run out of numbers (unlikely)
  • Easier to remember the lists function(s)
  • Named access lists can be used for both standard
    and extended lists.
  • The format for a named IP access list must
    include a keyword to indicate whether it is a
    standard list or an extended list.
  • Format
  • ip access-list standard | extended [name]
  • Note that we do not have to use the 'access-list'
    command to add permit/deny statements with this
    approach. All of the permit/deny statements which
    directly follow the named access list are
    considered to be added to that list.

22
Named ACL Example
  • Creating the list
  • ip access-list standard accounting
  • permit 198.78.46.8 0.0.0.0
  • permit 198.78.46.12 0.0.0.0
  • permit 198.78.46.30 0.0.0.0
  • Applying the list
  • interface fa0/0
  • ip access-group [name] in | out

23
Building and Maintaining ACLs
  • Here is an example of how an access list might be
    created from the command line
  • RouterA# conf term
  • RouterA(config)# access-list 1 permit
    192.168.30.1
  • RouterA(config)# access-list 1 permit
    192.168.33.5
  • This creates the following access list with two
    entries
  • access-list 1 permit 192.168.30.1
  • access-list 1 permit 192.168.33.5
  • If we exit the router's configuration mode and
    then reenter and type the following access list
    entries
  • RouterA# conf term
  • RouterA(config)# access-list 1 permit
    192.168.30.2
  • RouterA(config)# access-list 1 deny 192.168.30.1
  • we end up with the following access list
  • access-list 1 permit 192.168.30.1
  • access-list 1 permit 192.168.33.5
  • access-list 1 permit 192.168.30.2
  • access-list 1 deny 192.168.30.1

24
Building ACLs (cont)
  • If you want to delete or change an individual
    access list entry, you have to delete the entire
    access list and reenter it with the changed or
    deleted access list entry.
  • The deny entry does not "cancel" the permit
    entry; it only makes the access list bigger.
    Moreover, it is never even evaluated, because the
    earlier permit for the same address matches first.
  • You should note that while access lists may be
    deleted, references to those access lists do not
    disappear. If an access list is deleted and then
    rebuilt, policy settings that refer to it will
    use it in the same way as before.
  • How does a standard access list behave when it is
    applied to an interface but has no entries? -
    PERMIT EVERYTHING.
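The wildcard-mask matching of slide 8, the top-down first-match processing of slide 19, the implicit deny of slide 20 and the "never evaluated" deny and empty-list behaviour of slides 23 and 24, worked through as an added simulation (not code from the original presentation or from Cisco IOS). The function names and the sample list are constructed for this example; the list reproduces the four-entry slide 23 access list.

```python
import ipaddress

def wildcard_match(addr, acl_addr, wildcard):
    """Cisco wildcard match: mask bit 0 must match, mask bit 1 is don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def subnet_to_wildcard(subnet_mask):
    """A wildcard is the bitwise reverse of a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))

def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny SRC [WILDCARD]' lines, keeping entry order
    (IOS appends each new statement to the bottom of the list)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                            # skip '!' comments and other lines
        action, src = parts[2], parts[3]
        if src == "any":                        # keyword 'any' (slide 10)
            src, wildcard = "0.0.0.0", "255.255.255.255"
        elif src == "host":                     # keyword 'host' (slide 10)
            src, wildcard = parts[4], "0.0.0.0"
        else:                                   # bare address defaults to 0.0.0.0
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        entries.append((action, src, wildcard))
    return entries

def evaluate(entries, src):
    """Top-down, first match wins; running off the end is the implicit deny.
    A list with no entries at all permits everything (slides 20 and 24)."""
    if not entries:
        return "permit"
    for action, acl_addr, wildcard in entries:
        if wildcard_match(src, acl_addr, wildcard):
            return action
    return "deny"

# Constructed sample (the slide 23 list): the trailing deny is never reached.
ACL_1 = [
    "! constructed example list",
    "access-list 1 permit 192.168.30.1",
    "access-list 1 permit 192.168.33.5",
    "access-list 1 permit 192.168.30.2",
    "access-list 1 deny 192.168.30.1",
]
```

Evaluating 192.168.30.1 against ACL_1 returns "permit" from the first entry, an unlisted host such as 192.168.30.9 falls through to the implicit deny, and an empty list returns "permit" for everything.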

25
Our Approach to Building ACLs
  • Use text editor (notepad) and then transfer them
    to the router via 'Send File'.
  • Keep in mind that if we send an access-list
    command more than once, it will be duplicated in
    the access list. Therefore, we always start our
    lists by removing them first. The best way to
    explain this is with a simple example.
  • !ACL example
  • !first erase old access list
  • no access-list 1
  • !allow access from machine1
  • access-list 1 permit 216.249.144.201
  • !allow access from machine2
  • access-list 1 permit 216.249.144.202
  • !
  • !apply to interface
  • int fa0/0
  • ip access-group 1 in

26
Risks Associated with ACL Updates
  • If we refer to an access list and then that
    access list is deleted with a no access-list
    command, the default behavior is to allow
    everything.
  • When reading in a configuration, there is a brief
    period between the time that the no access-list
    command is executed and the first access list
    entry is accepted.
  • Once the first entry is accepted, the implicit
    deny takes effect and only specifically permitted
    entries are accepted into a policy set.
  • Fortunately, the risk is small, and there are
    ways to mitigate this risk.
  • Instead of using no access-list at the start of
    the configuration file, you can build an
    alternate list that is a deny all, and apply it
    first. Then install the new list, and switch to
    it when it is ready. Of course in the interim no
    packets will be allowed.

27
Displaying access lists
  • Use the command show access-list. This command
    shows all of the access lists in the router, both
    standard and extended.
  • If you follow the show access-list command with
    an access list number, you see only an individual
    access list.
  • The output of show access-list has a different
    syntax from the format used to create access list
    entries. The output is not legal syntax for
    entering access list entries, so cutting and
    pasting the entire output of the show access-list
    command into a file will not produce an
    immediately usable configuration.
  • Also, show access-list does not show any comments
    you may have created in the configuration file.
    The router doesn't save comments in its
    configuration.

28
General Recommendations - 1
  • Top-Down Processing
  • Access-list entries are evaluated from the top
    down sequentially, commencing with the first
    entry in the list. This means you must carefully
    consider the order in which you place statements
    in an access list.
  • Adding Entries
  • New entries are added to the bottom of an access
    list, which means it may not be possible to
    change the functionality of an existing access
    list, requiring you to create a new list, delete
    the existing list, and apply the new list to an
    interface. This is one of the reasons we will use
    editors to first create our lists, then move them
    to the router. We will learn techniques to make
    this operation work smoothly.
  • Standard List Filtering
  • Standard IP access lists are limited to filtering
    on source address so you may need to use an
    extended IP access list to satisfy specific
    organizational requirements.

29
General Recommendations - 2
  • Access-List Placement
  • Consider placing extended access lists as close
    as possible to the source being filtered so that
    you can create filters that do not adversely
    affect the data flow on other interfaces. Also,
    consider placing standard access lists as close
    as possible to the destination. Since a standard
    access list only uses source addresses, placing
    the list too close to the source can block the
    flow of packets to other ports.
  • Statement Placement
  • Since IP includes ICMP, TCP, and UDP, you should
    place more specific entries in an access list
    before less specific entries to ensure that one
    statement ahead of another does not negate the
    effect of a statement appearing later in the
    list.

30
General Recommendations - 3
  • List Application
  • Don't forget to apply an access list via an
    access-group or access-class command. Remember,
    until the access list is applied to an interface,
    no filtering will occur.
  • Filtering Direction
  • The filtering direction defines whether inbound
    or outbound packets are examined. Always
    double-check the filtering direction because it
    defines which packets are examined.
  • Router-Generated Packets
  • Packets generated by a router, such as routing
    table updates, are not subject to being operated
    on by an outbound access list. Thus, you can only
    control router table updates and other
    router-generated packets via inbound access lists.