UCCN1003 Data Communications and Networks
Lab 06: Introduction to ACL and Packet Filtering
Instructions:
    1. Read the “Introduction” section for the background
    2. Perform all the lab exercises, starting with exercise 1
    3. Follow all the steps.
    4. Record the results in all italic bold actions (by screen capture or copying).
    5. Paste your screen captures on a Word Document and save it.
    6. Answer all the questions in italic.
    7. Write your answer in the same Word Document.
    8. Please follow the sequence of the exercises, and don’t skip any step.
    9. Please keep your word document. You will need it for your tests and exam.

Introduction to ACL and Packet Filtering
In networking, the routers on a network can be configured to act as rudimentary firewalls by
using ACLs. Although access lists won't turn your router into a full-fledged firewall, they can be a
powerful means of controlling your IP network.

The access list is a group of statements. Each statement defines a pattern that would be found in
an IP packet. As each packet comes through an interface with an associated access list, the list is
scanned from top to bottom--in the exact order that it was entered--for a pattern that matches the
incoming packet. A permit or deny rule associated with the pattern determines that packet's fate.
The pattern statement also can include a TCP or UDP port number. ACL is used in routers to
perform packet filtering.

Packet filtering is the selective passing or blocking of data packets as they pass through a
network interface. A router uses an ACL to control access to a network by examining the incoming
and outgoing packets and letting them pass or dropping them based on the IP addresses of the
source and destination. Packet filtering is one technique, among many, for implementing
network security.



Exercise 1: Configuring IP Standard Access Lists
The main feature of an IP standard ACL is packet filtering on the source IP address.
Standard ACLs are simple but limited: they do not filter on port numbers.

   1. Set up the network according to the following figure. Make sure that PC0 can ping the
      default gateways and all other PCs. If the pings are not successful, troubleshoot the
      network until all the pings are successful.
   2. Set Router1 hostname to R0, and copy the running-config to startup-config.
Router(config)#hostname R0
R0(config)#end
R0#copy run start

   3. Now we define a security policy that prevents communication between 192.168.1.0/24
      and “PC5”. The ACL is the implementation of this policy.

   4. Create an access list that will prevent PC0 and PC1 from accessing PC5 (192.168.55.3).
R0(config)#access-list 1 deny host 192.168.55.3

   5. Use PC0 to ping PC5. Is the ping successful? (If the ping is not successful, please
      troubleshoot your network again.)

Answer: Yes.

   6. Remember that ACL has two steps: creating the ACL and placing the ACL. Now, place
      access list 1 at fa0/1 by typing the following commands. (Note: ‘1’ = the number of the
      access list that we have just created. “in” = direction of packet travel into the router.)
R0(config)#int fa0/1
R0(config-if)#ip access-group 1 in

   7. Now, use PC0 and PC1 to ping PC5 again. Were the pings successful?

Answer: No.

   8. Check the access list by typing the following command.
R0#show access-list

   9. Use PC0 to ping PC2, PC3, and PC4 too. Are the pings successful? If not, why?
   10. There is a hidden “deny any” at the end of every access list. Add the following command
       to access list 1 to void the effect of this hidden “deny any”.
R0#conf t
R0(config)#access-list 1 permit any

   11. Now, use PC0 and PC1 to ping PC2, PC3, PC4, and PC5. This time the security
       policy that we defined in Ex1.3 should be correctly implemented: PC2,
       PC3, and PC4 should be pinged successfully, but not PC5 (192.168.55.3).

   12. Check again the access list by typing the following command.
R0#show access-list

   13. Why do you think the “permit any” statement is needed?

Answer:
If the “permit any” statement is not there, the access-list will drop any IP packets.

   14. We would like to change the security policy to deny an additional PC, which is PC2. Type
       another ACL statement into access list 1 that denies PC2 (192.168.55.1).
R0#conf t
R0(config)#access-list 1 deny host 192.168.55.1

   15. Now, use PC0 to ping PC2, PC3, PC4, and PC5 again. Which pings are successful and
       which pings are not?

Answer: PC2, PC3, PC4 are successful, but not PC5. It seems that the new access-list
statement is not working.

   16. Check again the access list by typing the “show access-list”.
R0#show access-list
Standard IP access list 1
   deny host 192.168.55.4
   permit any
   deny host 192.168.55.1


   17. The statement “deny host 192.168.55.1” is never reached. The second statement, “permit any”,
       matches and passes every IP packet before the third statement is ever consulted.


   18. Remove access list 1 by typing the following commands. Note that even though the access list
       has been removed, int fa0/1 is still bound to access list 1.
R0#conf t
R0(config)#no access-list 1
   19. Now, type the following command. Is access-list 1 still bound to int fa0/1?
R0#show run

Answer: Yes.

   20. Now, retype the following commands for access list 1:
R0(config)#access-list 1 deny host 192.168.55.1
R0(config)#access-list 1 deny host 192.168.55.3
R0(config)#access-list 1 permit any

   21. Now, use PC0 or PC1 to ping PC2, PC3, PC4, and PC5. You should be able to ping PC3
       and PC4, but not PC2 and PC5.

   22. We would like another security policy that denies PC0 access to PC2, PC3,
       PC4, and PC5, and permits only PC1 to reach the other subnet.

   23. We create another access list 2 for the purpose.
R0#conf t
R0(config)#access-list 2 permit 192.168.1.2

   24. We would like to place access list 2 on fa0/0.

R0(config)#int fa0/0
R0(config-if)#ip access-group 2 in

   25. Now, use PC0 and PC1 to ping all the PCs again. Which pings are successful and which
       pings are not?

Answer: PC0 is not able to ping all other PCs in 192.168.55.0/24. PC1 can ping PC3 and
PC4, but not PC1 and PC5.

   26. Now, type the command “show access-list” and “show run” to check the access-lists and
       the interfaces.

   27. Now, type the following command to unbind the access lists from the interfaces.

R0(config)#int fa0/0
R0(config-if)#no ip access-group 2 in
R0(config-if)#exit
R0(config)#int fa0/1
R0(config-if)#no ip access-group 1 in

   28. Type “show run” to make sure the access lists have been removed from the interfaces.

   29. Now, create a new access list 3 that permits only PC2 and PC5 to enter 192.168.1.0/24. This
       time we use a wildcard mask.
R0(config)#access-list 3 permit 192.168.55.1 0.0.0.6
R0(config)#int fa0/0
R0(config-if)#ip access-group 3 out

   30. Now, use either PC0 or PC1 to ping PC2, PC3, PC4, and PC5. This time which PCs can
       be pinged?


Exercise 2: Configuring IP Extended Access Lists
Extended IP access lists provide more flexibility than standard IP access lists: they can
match on source IP, destination IP, and port numbers. However, beware of that flexibility. It may
bring you undesirable side effects if you are not careful.

   1. Add an additional subnet with 2 servers, as shown in the following network figure. Unbind all
      access lists from the interfaces.




   2. Perform the following security policy with extended ACL:

           a. PC5 can’t ping other PCs and servers of other subnets.
           b. PC5 can access the services of Server1 and Server0
              (e.g. Web and FTP).

   3. There are many ways to implement Ex2.2. Normally, we should implement it in the most
      economical way (the fewest access lists and the fewest placements on interfaces).

   4. The following is one way to perform it.
R0(config)#access-list 100 deny icmp host 192.168.55.3 any
R0(config)#access-list 100 permit ip any any
R0(config)#int fa0/1
R0(config-if)#ip access-group 100 in


  5. Use PC5 to ping PC0, PC1, Server0, and Server1. Use PC5’s browser and ftp client to access
     both Server0 and Server1. The results should follow the policy stated in Ex2.2.

  6. Perform the following new security policy with extended ACL:

         a. PC5 can’t ping other PCs and servers of other subnets.
         b. PC5 can only access the web service of Server0.

  7. The following is one way to implement it. To do this, please remember to unbind the
     access list from fa0/1 first.

R0(config)#access-list 101 permit tcp host 192.168.55.3 host 192.168.173.1 eq www
R0(config)#access-list 101 deny ip host 192.168.55.3 any
R0(config)#access-list 101 permit ip any any
R0(config)#int fa0/1
R0(config-if)#ip access-group 101 in
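To make the first-match rule, the hidden “deny any”, and the wildcard mask concrete, here is a small ACL evaluator added for this lab (it is not part of the original handout and does not come from IOS). It replays the ordering mistake of Ex1.16–17 against its corrected form from Ex1.20, the 0.0.0.6 wildcard of Ex1.29, and the extended list 101 from Ex2.7 above; the `Packet` and `Ace` types are assumptions made for the example, and port 80 stands in for IOS's `www` keyword.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    dport: int = 0        # destination port; 0 for icmp

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (any protocol), "icmp", "tcp" or "udp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str = "any"      # standard lists never look at the destination
    eq: Optional[int] = None  # tcp/udp destination port, None = any port

def _match_addr(spec: str, addr: str) -> bool:
    """Wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Scan top to bottom; the first matching entry decides. No match = the hidden deny."""
    for i, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.eq is not None and ace.eq != pkt.dport:
            continue
        return ace.action, i
    return "deny", None

def dead_entries(acl: List[Ace]) -> List[int]:
    """Entries that can never be reached because an earlier catch-all matches everything."""
    for i, ace in enumerate(acl, start=1):
        if ace.proto == "ip" and ace.src == "any" and ace.dst == "any":
            return list(range(i + 1, len(acl) + 1))
    return []

# Ex1.16: "permit any" sits above "deny host 192.168.55.1", so that deny is never reached.
ACL1_WRONG = [Ace("deny", "ip", "host 192.168.55.3"),
              Ace("permit", "ip", "any"),
              Ace("deny", "ip", "host 192.168.55.1")]
# Ex1.20: the same entries with the denies first and the catch-all permit last.
ACL1_RIGHT = [Ace("deny", "ip", "host 192.168.55.1"),
              Ace("deny", "ip", "host 192.168.55.3"),
              Ace("permit", "ip", "any")]
# Ex1.29: wildcard 0.0.0.6 leaves bits 1 and 2 unchecked, so .1, .3, .5 and .7 match.
ACL3 = [Ace("permit", "ip", "192.168.55.1 0.0.0.6")]
# Ex2.7: PC5 may only open TCP/80 to Server0; everything else PC5 sends is dropped.
ACL101 = [Ace("permit", "tcp", "host 192.168.55.3", "host 192.168.173.1", 80),
          Ace("deny", "ip", "host 192.168.55.3"),
          Ace("permit", "ip", "any")]

if __name__ == "__main__":   # lists sit inbound on fa0/1, so packets are sourced in 192.168.55.0/24
    print(evaluate(ACL1_WRONG, Packet("192.168.55.1", "192.168.1.1", "icmp")), dead_entries(ACL1_WRONG))
```

`dead_entries` is the check worth running on any list before binding it: an entry listed after a catch-all is exactly the symptom seen in Ex1.15.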

  8. Use PC5 to ping PC0, PC1, Server0, and Server1. Use PC5’s browser and ftp client to access
     both Server0 and Server1. This time PC5 should only be able to reach the web service of
     Server0.

  9. By now, you have accumulated a few access lists, type “show access-list” to display them.
     As long as you have not bound any access-list to an interface, these access-lists just take
     up memory space and do nothing.

  10. Now, unbind all access-lists from all interfaces.

  11. Now, design your own ACL based on the following security policy. (Assume that
      Server0 and Server1 only offer FTP and Web services.)

         a. PC4 can only ping PC0, but not Server0, Server1 and
            PC1 (of other subnets).
         b. PC4 can only access the FTP services of Server1.
         c. 192.168.1.0/24 can’t access web service of Server1 but
            web service of Server0.
         d. 192.168.55.1 and 192.168.55.3 can only access the FTP
            service of Server0.

Exercise 3: Configuring Named Access Lists

  1. Before you continue, please remember to unbind all access lists from all interfaces.

  2. Perform the following security policy with Named ACL:

         a. Server0 can only accept FTP service request from PC0,
            PC3, and PC4.
         b. Server1 still accepts services from all PCs.

  3. Please enter the following commands and study them. (Note: FTP_PC is just a name)
R0(config-if)#ip access-list extended FTP_PC
R0(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.173.1 eq ftp
R0(config-ext-nacl)#permit tcp host 192.168.55.2 host 192.168.173.1 eq ftp
R0(config-ext-nacl)#permit tcp host 192.168.55.4 host 192.168.173.1 eq ftp
R0(config-ext-nacl)#deny ip any host 192.168.173.1
R0(config-ext-nacl)#permit ip any any
R0(config-ext-nacl)#exit
R0(config)#int fa1/0
R0(config-if)#ip access-group FTP_PC out


  4. Check the network and see whether the access list has done what has been stated in the
     security policy in Ex3.2.
