Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett

Mitigating Security Issues with ACLs

Download 11,7 Mb.

Pdf ko'rish

bet	389/792
Sana	31.03.2022
Hajmi	11,7 Mb.
	#521163

1 ... 385 386 387 388 389 390 391 392 ... 792

Bog'liq
CCNA Routing and Switching Complete Study Guide Exam 100-105, Exam 200-105, Exam 200-125 ( PDFDrive )

Standard Access Lists

Mitigating Security Issues with ACLs
The most common attack is a denial of service (DoS) attack. Although ACLs can help with a DoS, you really need an
intrusion detection system (IDS) and intrusion prevention system (IPS) to help prevent these common attacks.
Cisco sells the Adaptive Security Appliance (ASA), which has IDS/IPS modules, but lots of other companies sell IDS/
IPS products too.
Here’s a list of the many security threats you can mitigate with ACLs:
1. IP address spoofing, inbound
2. IP address spoofing, outbound
3. Denial of service (DoS) TCP SYN attacks, blocking external attacks
4. DoS TCP SYN attacks, using TCP Intercept
5. DoS smurf attacks
6. Denying/filtering ICMP messages, inbound
7. Denying/filtering ICMP messages, outbound
8. Denying/filtering Traceroute
This is not an “introduction to security” book, so you may have to research some of the preceding
terms if you don’t understand them.
It’s generally a bad idea to allow into a private network any external IP packets that contain the source address of
any internal hosts or networks—just don’t do it!
Here’s a list of rules to live by when configuring ACLs from the Internet to your production network to mitigate
security problems:
1. Deny any source addresses from your internal networks.
2. Deny any local host addresses (127.0.0.0/8).
3. Deny any reserved private addresses (RFC 1918).
4. Deny any addresses in the IP multicast address range (224.0.0.0/4).
None of these source addresses should be ever be allowed to enter your internetwork. Now finally, let’s get our
hands dirty and configure some basic and advanced access lists!
Standard Access Lists
Standard IP access lists filter netwo rk traffic by examining the source IP address in a packet. You create a
standard IP access list by using the access-list numbers 1–99 or numbers in the expanded range of 1300–1999
because the type of ACL is generally differentiated using a number. Based on the number used when the access list
is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1–99 or 1300–
1999, you’re telling the router that you want to create a standard IP access list, so the router will expect syntax
specifying only the source IP address in the test lines.
The following output displays a good example of the many access-list number ranges that you can use to filter
traffic on your network. The IOS version delimits the protocols you can specify access for:
Corp(config)#
access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
370

<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<2700-2799> MPLS access list
<300-399> DECnet access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
Wow—there certainly are lot of old protocols listed in that output! IPX and DECnet would no longer be used in any
of today’s networks. Let’s take a look at the syntax used when creating a standard IP access list:
Corp(config)#

Download 11,7 Mb.

Do'stlaringiz bilan baham:

1 ... 385 386 387 388 389 390 391 392 ... 792