Report for Cisco ACLs
Student name: Shivakumar Koppad
List of all used interfaces:
- Border Router:
  FE0/0 : Connected to the Cloud (Internet) - (20.0.0.0/8 and 66.60.0.0/16)
  FE0/1 : Connected to the Public Network - (136.201.5.0/24; Configured IP: 136.201.5.1)
  S0/0/0 : Connected to the Internal Router (S0/0/0)
- Internal Router:
  FE0/0 : Connected to the Server Network (136.201.10.0/24; Configured IP: 136.201.10.1)
  FE0/1 : Connected to the Workstations (136.201.100.0/24; Configured IP: 136.201.100.1)
  S0/0/0 : Connected to the Border Router (S0/0/0)
List of all commands for Border router:
- Interface FE0/0 is connected to the Cloud (Internet).
access-list 100 deny ip 66.60.0.0 0.0.255.255 any
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp-data
access-list 100 permit tcp any gt 1023 host 136.201.5.20 eq www
access-list 100 permit tcp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit udp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit tcp any gt 1023 host 136.201.10.20 eq 25
access-list 100 permit tcp 20.0.0.0 0.255.255.255 gt 1023 host 136.201.10.30 eq 1433
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply
access-list 100 deny icmp any any ttl-exceeded
access-list 100 permit icmp any any
access-list 100 deny ip any any
- Interface FE0/1 is connected to the Public Network.
access-list 101 permit tcp host 136.201.5.10 eq ftp any gt 1023
access-list 101 permit tcp host 136.201.5.10 eq ftp-data any gt 1023
access-list 101 permit tcp host 136.201.5.20 gt 1023 host 136.201.10.30 eq 1433
access-list 101 permit tcp any host 136.201.10.10 eq 53
access-list 101 permit udp any host 136.201.10.10 eq 53
access-list 101 permit tcp any host 136.201.10.20 eq 25
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any ttl-exceeded
access-list 101 permit icmp any any
access-list 101 deny ip any any
Reflexive ACL with the name: webreturntraffic (the reflect and evaluate keywords exist only in named extended ACLs, so the entries below are typed inside `ip access-list extended` mode without the `access-list` prefix)
ip access-list extended OUTboundfilter
 permit tcp any host 136.201.5.20 eq www reflect webreturntraffic
ip access-list extended INboundfilter
 evaluate webreturntraffic
- Applying the ACLs on the interfaces:
Border_Router(config)#interface fastEthernet0/0
Border_Router(config-if)#ip access-group 100 in
Border_Router(config-if)#shut
Border_Router(config-if)#no shut
Border_Router(config-if)#exit
Border_Router(config)#interface fastEthernet0/1
Border_Router(config-if)#ip access-group 101 in
Border_Router(config-if)#ip access-group OUTboundfilter out
Border_Router(config-if)#ip access-group INboundfilter in
Border_Router(config-if)#shut
Border_Router(config-if)#no shut
Border_Router(config-if)#exit
List of all commands for Internal router:
- Interface FE0/0 is connected to the Server Network.
access-list 102 permit tcp host 136.201.10.10 eq 53 any
access-list 102 permit udp host 136.201.10.10 eq 53 any
access-list 102 permit tcp host 136.201.10.20 eq 25 any
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any echo-reply
access-list 102 deny icmp any any ttl-exceeded
access-list 102 permit icmp any any
access-list 102 deny ip any any
Reflexive ACL with the name: returntraffic
ip access-list extended INboundfilter
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 80 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 8080 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 443 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.30 eq 1433 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.10 eq 53 reflect returntraffic
 permit udp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.10 eq 53 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.20 eq 143 reflect returntraffic
 permit tcp 136.201.100.0 0.0.0.255 gt 1023 20.0.0.0 0.255.255.255 eq 22 reflect returntraffic
 deny icmp any any echo
 deny icmp any any echo-reply
 deny icmp any any ttl-exceeded
 permit icmp any any
 deny ip any any
ip access-list extended OUTboundfilter
 evaluate returntraffic
- Applying the ACLs on the interfaces:
Internal_Router(config)#interface fastEthernet0/0
Internal_Router(config-if)#ip access-group 102 in
Internal_Router(config-if)#shut
Internal_Router(config-if)#no shut
Internal_Router(config-if)#exit
Internal_Router(config)#interface fastEthernet0/1
Internal_Router(config-if)#ip access-group INboundfilter in
Internal_Router(config-if)#ip access-group OUTboundfilter out
Internal_Router(config-if)#shut
Internal_Router(config-if)#no shut
Internal_Router(config-if)#exit
- Routing Protocol Used:
RIP is used for the router communication. Below are the commands showing the implementation, which is applied on both routers:
Border_Router(config)#router rip
Border_Router(config-router)#network 1.0.0.0
Border_Router(config-router)#network 136.201.0.0
Border_Router(config-router)#exit
Internal_Router(config)#router rip
Internal_Router(config-router)#network 1.0.0.0
Internal_Router(config-router)#network 136.201.0.0
Internal_Router(config-router)#exit
As configured, RIP runs without any authentication and sends updates on every interface in these networks; RIPv2 with MD5 authentication and `passive-interface` on interfaces that have no RIP neighbour would harden this, but are not part of the configuration above.
- ICMP protocol policy:
ICMP messages help attackers map a network: many reconnaissance tools (e.g. traceroute, Cheops-ng) use ICMP to discover hosts and the path to them.
The defence is to block the ICMP messages the network does not need while still letting the rest through. Some of the defensive techniques are as below:
- Disable incoming ICMP echo requests.
  Drawback: users couldn't ping into the network.
- Disable outgoing ICMP echo-reply packets.
- Disable outgoing ICMP Time Exceeded messages.
  Drawback: users couldn't traceroute all the way to the internal network.
In this assignment, I have defined the ACLs so as to block ICMP echo, echo-reply and TTL-exceeded messages on the network.
The three deny entries sit ahead of a `permit icmp any any`, so other ICMP types (for example Destination Unreachable, which path MTU discovery relies on) still pass; that permit in turn has to sit ahead of the closing `deny ip any any`, because the first matching entry wins.
Commands Used (N is the number of the ACL the entries are added to):
access-list N deny icmp any any echo
access-list N deny icmp any any echo-reply
access-list N deny icmp any any ttl-exceeded
access-list N permit icmp any any
Description of the Security policy implementation:
- All the below ACL rules are implemented on the border router on interface FE0/0, which is connected to the Cloud (Internet). They are applied on this interface in the direction IN.
Ingress and Egress filtering
- Has been shown while applying the ACLs onto all the interfaces.
All devices from EvilGroup are denied access to any machine in the corporate network.
  access-list 100 deny ip 66.60.0.0 0.0.255.255 any
Everybody else can use the FTP server 136.201.5.10 to upload/download files.
  access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp
  access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp-data
Caveat: the ftp-data entry only matches connections to server port 20. In active mode the server itself opens the data connection from port 20 towards the client, and in passive mode the client connects to a server port above 1023, so neither kind of data connection is matched by this entry.
Everybody else can access the Web server 136.201.5.20 at port 80; the `gt 1023` source-port condition makes sure the client cannot use any server port (1-1023).
  access-list 100 permit tcp any gt 1023 host 136.201.5.20 eq www
Internal DNS server can be accessed by any machine on ports TCP/53 and UDP/53.
  access-list 100 permit tcp any gt 1023 host 136.201.10.10 eq 53
  access-list 100 permit udp any gt 1023 host 136.201.10.10 eq 53
Any machine can access Mail Server via SMTP (on port TCP/25).
  access-list 100 permit tcp any gt 1023 host 136.201.10.20 eq 25
DataBase Server is accessed by business partner (20.0.0.0/8) for SQL queries (TCP/1433).
  access-list 100 permit tcp 20.0.0.0 0.255.255.255 gt 1023 host 136.201.10.30 eq 1433
Disable incoming ICMP echo request.
  access-list 100 deny icmp any any echo
Disable the outgoing ICMP reply packets.
  access-list 100 deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
  access-list 100 deny icmp any any ttl-exceeded
All other ICMP is still allowed; then all other connections should be denied!
  access-list 100 permit icmp any any
  access-list 100 deny ip any any
- All the below ACL rules are implemented on the border router on interface FE0/1, which is connected to the Public Network. They are applied on this interface in the direction IN.
FTP server is allowed to make connections to any machine (to facilitate FTP).
  access-list 101 permit tcp host 136.201.5.10 eq ftp any gt 1023
  access-list 101 permit tcp host 136.201.5.10 eq ftp-data any gt 1023
Web server can only initiate connections to the DataBase Server (136.201.10.30:1433).
  access-list 101 permit tcp host 136.201.5.20 gt 1023 host 136.201.10.30 eq 1433
The `established` keyword must not be added to this entry: it matches only segments with the ACK or RST bit set, so the web server's initial SYN towards the database would be dropped and no connection could ever be opened.
Internal DNS server can be accessed by any machine on ports TCP/53 and UDP/53.
  access-list 101 permit tcp any host 136.201.10.10 eq 53
  access-list 101 permit udp any host 136.201.10.10 eq 53
Any machine can access Mail Server via SMTP (on port TCP/25).
  access-list 101 permit tcp any host 136.201.10.20 eq 25
Disable incoming ICMP echo request.
  access-list 101 deny icmp any any echo
Disable the outgoing ICMP reply packets.
  access-list 101 deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
  access-list 101 deny icmp any any ttl-exceeded
All other ICMP is still allowed; then all other connections should be denied!
  access-list 101 permit icmp any any
  access-list 101 deny ip any any
- The below ACL rules are implemented on the border router on interface FE0/1, which is connected to the Public Network. These rules are applied on this interface in the directions first OUT and then IN.
All other traffic from the web server must be return traffic to previous requests. This is achieved with a reflexive ACL: the outbound entry records every client request it permits as a temporary mirrored entry in webreturntraffic, and the inbound `evaluate` permits only packets that match one of those entries.
Reflexive ACL with the name: webreturntraffic
ip access-list extended OUTboundfilter
  permit tcp any host 136.201.5.20 eq www reflect webreturntraffic
ip access-list extended INboundfilter
  evaluate webreturntraffic
Caveat: IOS accepts only one ACL per interface and direction, so applying INboundfilter inbound on FE0/1 replaces ACL 101 there. To keep both policies, the entries of ACL 101 have to be written into the named list INboundfilter ahead of the `evaluate` statement (reflect and evaluate are only available in named extended ACLs).
- All the below ACL rules are implemented on the Internal router on interface FE0/0, which is connected to the Server Network. They are applied on this interface in the direction IN.
Internal DNS server can access any machine for DNS queries (ports TCP/53 and UDP/53).
  access-list 102 permit tcp host 136.201.10.10 eq 53 any
  access-list 102 permit udp host 136.201.10.10 eq 53 any
Mail server can access any machine via SMTP (port TCP/25).
  access-list 102 permit tcp host 136.201.10.20 eq 25 any
Disable incoming ICMP echo request.
  access-list 102 deny icmp any any echo
Disable the outgoing ICMP reply packets.
  access-list 102 deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
  access-list 102 deny icmp any any ttl-exceeded
All other ICMP is still allowed; then all other connections should be denied!
  access-list 102 permit icmp any any
  access-list 102 deny ip any any
Caveat: these entries match on the server's source port (53 or 25), which is what replies to queries received by the servers carry. A query the DNS or mail server originates itself leaves from an ephemeral source port and is dropped by this list, and so are the replies of the database server (source port 1433) to the workstations, before the reflexive ACL on FE0/1 ever sees them.
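To check a list like ACL 100, 101 or 102 against concrete packets before it is pushed to the router, the following evaluator is added here as an example; it is not part of the report and not Cisco code. It parses the numbered extended ACL syntax used on this page (wildcard masks, `host`, `any`, `eq`/`gt` port operators, ICMP types, `established`) and applies the entries top-down with the implicit deny, which is also how the ICMP ordering from the "ICMP protocol policy" section above is exercised. The outside addresses 203.0.113.5, 66.60.1.1 and 20.1.2.3, the TCP flags and the function names `parse_acl`, `packet`, `evaluate` and `check_policy` are constructed for this example.

```python
"""Evaluator for the numbered extended ACL syntax used in this report (subset:
access-list N {permit|deny} {ip|tcp|udp|icmp} SRC [op PORT] DST [op PORT]
[ICMP-TYPE] [established]; SRC/DST is `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`).
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "ttl-exceeded": 11, "unreachable": 3}
MATCH_ANY = lambda _port: True  # predicate for entries without a port operator

def _address(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts IOS wildcard (host) masks, e.g. 20.0.0.0/0.255.255.255
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional `eq|gt|lt|neq PORT`; return (predicate, rest)."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        op, value = tokens[0], tokens[1]
        n = PORT_NAMES[value] if value in PORT_NAMES else int(value)
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n,
               "lt": lambda p: p < n, "neq": lambda p: p != n}
        return ops[op], tokens[2:]
    return MATCH_ANY, tokens

def parse_acl(text):
    """Parse `access-list ...` lines into an ordered list of entry dicts."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        r = {"action": t[2], "proto": t[3]}
        has_ports = r["proto"] in ("tcp", "udp")
        r["src"], rest = _address(t[4:])
        r["sport"], rest = _port(rest) if has_ports else (MATCH_ANY, rest)
        r["dst"], rest = _address(rest)
        r["dport"], rest = _port(rest) if has_ports else (MATCH_ANY, rest)
        r["icmp_type"] = ICMP_TYPES[rest[0]] if r["proto"] == "icmp" and rest else None
        r["established"] = "established" in rest
        rules.append(r)
    return rules

def packet(proto, src, dst, sport=0, dport=0, icmp_type=None, flags=()):
    """Constructed packet header; `flags` holds TCP flag names such as "SYN"."""
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "sport": sport, "dport": dport,
            "icmp_type": icmp_type, "flags": set(flags)}

def evaluate(rules, pkt):
    """First match wins; returns (action, entry index), -1 for the implicit deny."""
    for i, r in enumerate(rules):
        proto_ok = r["proto"] in ("ip", pkt["proto"])
        addr_ok = pkt["src"] in r["src"] and pkt["dst"] in r["dst"]
        port_ok = r["sport"](pkt["sport"]) and r["dport"](pkt["dport"])
        icmp_ok = r["icmp_type"] is None or r["icmp_type"] == pkt["icmp_type"]
        # `established` matches only segments with ACK or RST set, never a bare SYN
        est_ok = not r["established"] or bool(pkt["flags"] & {"ACK", "RST"})
        if proto_ok and addr_ok and port_ok and icmp_ok and est_ok:
            return r["action"], i
    return "deny", -1

ACL_100 = """access-list 100 deny ip 66.60.0.0 0.0.255.255 any
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp
access-list 100 permit tcp any gt 1023 host 136.201.5.10 eq ftp-data
access-list 100 permit tcp any gt 1023 host 136.201.5.20 eq www
access-list 100 permit tcp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit udp any gt 1023 host 136.201.10.10 eq 53
access-list 100 permit tcp any gt 1023 host 136.201.10.20 eq 25
access-list 100 permit tcp 20.0.0.0 0.255.255.255 gt 1023 host 136.201.10.30 eq 1433
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any echo-reply
access-list 100 deny icmp any any ttl-exceeded
access-list 100 permit icmp any any
access-list 100 deny ip any any"""
# The web-server-to-database entry of ACL 101, with and without `established`.
WEB_TO_DB_ESTABLISHED = ("access-list 101 permit tcp host 136.201.5.20 gt 1023 "
                         "host 136.201.10.30 eq 1433 established")
WEB_TO_DB_FIXED = WEB_TO_DB_ESTABLISHED.replace(" established", "")

def check_policy():
    """Constructed packets (203.0.113.5 stands in for an outside host) vs the lists."""
    acl100 = parse_acl(ACL_100)
    syn_to_db = packet("tcp", "136.201.5.20", "136.201.10.30", 40000, 1433, flags={"SYN"})
    verdict = lambda acl, p: evaluate(acl, p)[0]  # action only
    return {
        "evilgroup_web": verdict(acl100, packet("tcp", "66.60.1.1", "136.201.5.20", 40000, 80)),
        "client_web": verdict(acl100, packet("tcp", "203.0.113.5", "136.201.5.20", 40000, 80)),
        "partner_sql": verdict(acl100, packet("tcp", "20.1.2.3", "136.201.10.30", 40000, 1433)),
        "ping": verdict(acl100, packet("icmp", "203.0.113.5", "136.201.5.20", icmp_type=8)),
        "unreachable": verdict(acl100, packet("icmp", "203.0.113.5", "136.201.5.20", icmp_type=3)),
        "web_to_db_established": verdict(parse_acl(WEB_TO_DB_ESTABLISHED), syn_to_db),
        "web_to_db_fixed": verdict(parse_acl(WEB_TO_DB_FIXED), syn_to_db),
    }
```

`check_policy()` returns `permit` for the partner's SQL query and the outside web client, `deny` for EvilGroup and for ICMP echo, and `permit` for ICMP Destination Unreachable because the three ICMP denies are followed by `permit icmp any any`; the two `web_to_db_*` results show that the same SYN is dropped once `established` is appended to the entry. The entry index returned by `evaluate` tells which line matched, which is the quickest way to find an entry that is shadowed by an earlier one.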
- The below ACL rules are implemented on the Internal router on interface FE0/1, which is connected to the Workstations subnet. These rules are applied on this interface in the directions first IN and then OUT.
Reflexive ACLs are used to ensure that return traffic can reach a workstation only in response to a corresponding request from that workstation: every permitted request entry carries `reflect returntraffic`, which creates a temporary mirrored entry, and OUTboundfilter consists of `evaluate returntraffic` alone, followed by the implicit deny.
Reflexive ACL with the name: returntraffic
Workstations (136.201.100.0/24) can access any web server on ports TCP/80, TCP/8080 and TCP/443.
  ip access-list extended INboundfilter
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 80 reflect returntraffic
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 8080 reflect returntraffic
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 any eq 443 reflect returntraffic
Workstations (136.201.100.0/24) can access DataBase server for SQL queries (TCP/1433).
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.30 eq 1433 reflect returntraffic
Workstations (136.201.100.0/24) can access Internal DNS server for DNS queries (TCP/53 and UDP/53).
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.10 eq 53 reflect returntraffic
   permit udp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.10 eq 53 reflect returntraffic
Workstations (136.201.100.0/24) can access Mail server for IMAP (TCP/143; SMTP's port 25 is not the IMAP port).
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 host 136.201.10.20 eq 143 reflect returntraffic
Workstations (136.201.100.0/24) can access SSH servers on any machine in the business partner's network.
   permit tcp 136.201.100.0 0.0.0.255 gt 1023 20.0.0.0 0.255.255.255 eq 22 reflect returntraffic
Disable incoming ICMP echo request.
   deny icmp any any echo
Disable the outgoing ICMP reply packets.
   deny icmp any any echo-reply
Disable outgoing ICMP Time Exceeded messages.
   deny icmp any any ttl-exceeded
All other ICMP is still allowed; then all other connections should be denied!
   permit icmp any any
   deny ip any any
  ip access-list extended OUTboundfilter
   evaluate returntraffic
Caveat: the mirrored entries only open OUTboundfilter on FE0/1. The same reply packets also have to pass the other ACLs on their path: ACL 102 inbound on the internal router's FE0/0 has no entry for database (source port 1433) or IMAP (source port 143) replies, and ACL 100 inbound on the border router's FE0/0 has none for web replies coming back from the Internet, so those sessions fail unless the return traffic is permitted there as well.
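What `reflect` and `evaluate` actually keep on the router, as an added example that is not part of the report and not Cisco's implementation: a mirrored 5-tuple per permitted outgoing flow, with an idle timer, consulted by the opposite direction. The policy table is a hand-copied subset of the INboundfilter entries above (the SSH-to-partner and ICMP entries are left out), the addresses 203.0.113.10 and 198.51.100.9, the timestamps and the names `ReflexiveList`, `inbound_filter`, `outbound_filter` and `demo` are constructed for this example.

```python
"""Session state created by IOS reflexive ACLs (`reflect` / `evaluate`).

Each outgoing flow permitted by an entry tagged `reflect returntraffic` leaves
a temporary mirrored entry (addresses and ports swapped); `evaluate
returntraffic` in the opposite direction permits a packet only if it matches an
unexpired mirrored entry. Everything else falls through to the implicit deny.
"""

DEFAULT_TIMEOUT = 300  # IOS default for `ip reflexive-list timeout`, in seconds
WORKSTATIONS = "136.201.100."  # the 136.201.100.0/24 subnet of the report

# (protocol, destination host or None for any, destination port), copied from
# the INboundfilter entries; SSH-to-partner and ICMP entries are omitted here.
PERMIT_REFLECT = [
    ("tcp", None, 80), ("tcp", None, 8080), ("tcp", None, 443),
    ("tcp", "136.201.10.30", 1433),
    ("tcp", "136.201.10.10", 53), ("udp", "136.201.10.10", 53),
    ("tcp", "136.201.10.20", 143),
]


class ReflexiveList:
    """The dynamic entries of one reflexive ACL, keyed by the mirrored 5-tuple."""

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # (proto, src, sport, dst, dport) -> expiry time

    def reflect(self, proto, src, sport, dst, dport, now):
        """Record the mirror image of a flow that a `reflect` entry just permitted."""
        self.entries[(proto, dst, dport, src, sport)] = now + self.timeout

    def evaluate(self, proto, src, sport, dst, dport, now):
        """True if the packet matches a live mirrored entry; refreshes its timer."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            return False
        self.entries[key] = now + self.timeout
        return True

    def close(self, proto, src, sport, dst, dport):
        """IOS drops a TCP entry once it sees the session end (two FINs or a RST)."""
        self.entries.pop((proto, src, sport, dst, dport), None)


def inbound_filter(rl, proto, src, sport, dst, dport, now):
    """INboundfilter on FE0/1 in: requests from workstations, each with `reflect`."""
    if not src.startswith(WORKSTATIONS) or sport <= 1023:
        return "deny"
    for p, host, port in PERMIT_REFLECT:
        if p == proto and port == dport and host in (None, dst):
            rl.reflect(proto, src, sport, dst, dport, now)
            return "permit"
    return "deny"  # implicit deny ip any any


def outbound_filter(rl, proto, src, sport, dst, dport, now):
    """OUTboundfilter on FE0/1 out: `evaluate returntraffic`, then implicit deny."""
    return "permit" if rl.evaluate(proto, src, sport, dst, dport, now) else "deny"


def demo():
    """Constructed traffic: a workstation, an outside web server and the database."""
    rl = ReflexiveList()
    ws, web, db = "136.201.100.7", "203.0.113.10", "136.201.10.30"
    out = {}
    out["request"] = inbound_filter(rl, "tcp", ws, 51000, web, 443, now=0)
    out["reply"] = outbound_filter(rl, "tcp", web, 443, ws, 51000, now=1)
    # same server, but the workstation never opened port 51001: no mirrored entry
    out["reply_wrong_port"] = outbound_filter(rl, "tcp", web, 443, ws, 51001, now=1)
    # a third host reusing the right ports still fails: the whole 5-tuple must match
    out["reply_wrong_src"] = outbound_filter(rl, "tcp", "198.51.100.9", 443, ws, 51000, now=1)
    # an unsolicited connection attempt towards the workstation
    out["unsolicited"] = outbound_filter(rl, "tcp", web, 40000, ws, 3389, now=1)
    out["sql_request"] = inbound_filter(rl, "tcp", ws, 51002, db, 1433, now=2)
    out["sql_reply"] = outbound_filter(rl, "tcp", db, 1433, ws, 51002, now=3)
    # the policy lists 1433 only, so another port on the database host is refused
    out["sql_wrong_port"] = inbound_filter(rl, "tcp", ws, 51003, db, 1434, now=2)
    # the web reply arriving after the idle timeout finds its entry gone
    out["reply_after_timeout"] = outbound_filter(rl, "tcp", web, 443, ws, 51000,
                                                 now=1 + DEFAULT_TIMEOUT + 1)
    return out
```

The model makes the two properties that matter for the workstation policy visible: nothing reaches a workstation through OUTboundfilter unless that exact 5-tuple was first seen leaving, and an entry disappears once the session is closed or idle for the timeout, after which a late reply is dropped like any other unsolicited packet. Real IOS additionally refuses to reflect protocols without port numbers in the same way and handles FTP data connections no better than this model does.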

CIsco ACL- Network and host security
