Chapter10ccna

1. Instructor & Todd Lammle Sybex CCNA 640-802 Chapter 10: Security

2. Chapter 10 Objectives <ul><li>The CCNA Topics Covered in this chapter include: </li></ul><ul><li>Introduction to Security </li></ul><ul><ul><li>Types of attacks </li></ul></ul><ul><ul><li>Mitigating attacks </li></ul></ul><ul><li>Access-lists </li></ul><ul><ul><li>Standard </li></ul></ul><ul><ul><li>Extended </li></ul></ul><ul><ul><li>Named </li></ul></ul><ul><ul><li>Monitoring Access-lists </li></ul></ul>

3. Introduction to Security

4. Attacks <ul><li>APPLICATION-LAYER ATTACKS </li></ul><ul><li>AUTOROOTERS </li></ul><ul><li>BACKDOORS </li></ul><ul><li>DENIAL OF SERVICE (DOS) AND DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS </li></ul><ul><ul><li>(MANY OTHERS) </li></ul></ul>

5. Mitigating Attacks <ul><li>Appliances </li></ul><ul><ul><li>IDS </li></ul></ul><ul><ul><li>IPS </li></ul></ul><ul><li>STATEFUL IOS FIREWALL INSPECTION ENGINE </li></ul><ul><li>FIREWALL VOICE TRAVERSAL </li></ul><ul><li>ICMP INSPECTION </li></ul><ul><li>AUTHENTICATION PROXY </li></ul>

6. Access Lists <ul><li>Purpose: </li></ul><ul><ul><li>Used to permit or deny packets moving through the router </li></ul></ul><ul><ul><li>Permit or deny Telnet (VTY) access to or from a router </li></ul></ul><ul><ul><li>Create dial-on demand (DDR) interesting traffic that triggers dialing to a remote location </li></ul></ul>

7. Important Rules <ul><li>Packets are compared to each line of the assess list in sequential order </li></ul><ul><li>Packets are compared with lines of the access list only until a match is made </li></ul><ul><ul><li>Once a match is made & acted upon no further comparisons take place </li></ul></ul><ul><li>An implicit “deny” is at the end of each access list </li></ul><ul><ul><li>If no matches have been made, the packet will be discarded </li></ul></ul>

8. Types of Access Lists <ul><li>Standard Access List </li></ul><ul><ul><li>Filter by source IP addresses only </li></ul></ul><ul><li>Extended Access List </li></ul><ul><ul><li>Filter by Source IP, Destination IP, Protocol Field, Port Number </li></ul></ul><ul><li>Named Access List </li></ul><ul><ul><li>Functionally the same as standard and extended access lists. </li></ul></ul>

9. Application of Access Lists <ul><li>Inbound Access Lists </li></ul><ul><ul><li>Packets are processed before being routed to the outbound interface </li></ul></ul><ul><li>Outbound Access Lists </li></ul><ul><ul><li>Packets are routed to the outbound interface & then processed through the access list </li></ul></ul>

10. ACL Guidelines <ul><li>One access list per interface, per protocol, or per direction </li></ul><ul><li>More specific tests at the top of the ACL </li></ul><ul><li>New lists are placed at the bottom of the ACL </li></ul><ul><li>Individual lines cannot be removed </li></ul><ul><li>End ACLs with a permit any command </li></ul><ul><li>Create ACLs & then apply them to an interface </li></ul><ul><li>ACLs do not filter traffic originated from the router </li></ul><ul><li>Put Standard ACLs close to the destination </li></ul><ul><li>Put Extended ACLs close the the source </li></ul>

11. Standard IP Access Lists <ul><ul><ul><li>Router# config t </li></ul></ul></ul><ul><ul><ul><li>Enter configuration commands, one per line. End with CNTL/Z. </li></ul></ul></ul><ul><ul><ul><li>Router(config)# access-list ? </li></ul></ul></ul><ul><ul><ul><li><1-99> IP standard access list </li></ul></ul></ul><ul><ul><ul><li><100-199> IP extended access list </li></ul></ul></ul><ul><ul><ul><li><1000-1099> IPX SAP access list </li></ul></ul></ul><ul><ul><ul><li><1100-1199> Extended 48-bit MAC address access list </li></ul></ul></ul><ul><ul><ul><li><1200-1299> IPX summary address access list </li></ul></ul></ul><ul><ul><ul><li><200-299> Protocol type-code access list </li></ul></ul></ul><ul><ul><ul><li><300-399> DECnet access list </li></ul></ul></ul><ul><ul><ul><li><600-699> Appletalk access list </li></ul></ul></ul><ul><ul><ul><li><700-799> 48-bit MAC address access list </li></ul></ul></ul><ul><ul><ul><li><800-899> IPX standard access list </li></ul></ul></ul><ul><ul><ul><li><900-999> IPX extended access list </li></ul></ul></ul>

12. Standard IP Access Lists <ul><li>Creating a standard IP access list: </li></ul><ul><ul><ul><li>Router(config)# access-list 10 ? </li></ul></ul></ul><ul><ul><ul><li>deny Specify packets to reject </li></ul></ul></ul><ul><ul><ul><li>permit Specify packets to forward </li></ul></ul></ul><ul><li>Permit or deny? </li></ul><ul><ul><ul><li>Router(config)# access-list 10 deny ? </li></ul></ul></ul><ul><ul><ul><li>Hostname or A.B.C.D Address to match </li></ul></ul></ul><ul><ul><ul><li>any any source host </li></ul></ul></ul><ul><ul><ul><li>host A single host address </li></ul></ul></ul><ul><li>Using the host command </li></ul><ul><ul><ul><li>Router(config)# access-list 10 deny host 172.16.30.2 </li></ul></ul></ul>

13. Standard ACL Example

14. Standard ACL example 2

15. Standard ACL Example 3

16. Wildcards <ul><li>What are they??? </li></ul><ul><ul><li>Used with access lists to specify a…. </li></ul></ul><ul><ul><ul><li>Host </li></ul></ul></ul><ul><ul><ul><li>Network </li></ul></ul></ul><ul><ul><ul><li>Part of a network </li></ul></ul></ul>

17. Block Sizes <ul><li>64 32 16 8 4 </li></ul><ul><li>Rules: </li></ul><ul><ul><li>When specifying a range of addresses, choose the closest block size </li></ul></ul><ul><ul><li>Each block size must start at 0 </li></ul></ul><ul><ul><li>A ‘0’ in a wildcard means that octet must match exactly </li></ul></ul><ul><ul><li>A ‘255’ in a wildcard means that octet can be any value </li></ul></ul><ul><ul><li>The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255 </li></ul></ul>

18. Specifying a Range of Subnets <ul><li>(Remember: specify a range of values in a block size) </li></ul><ul><li>Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8 </li></ul><ul><li>Network number = 172.16.8.0 </li></ul><ul><li>Wildcard = 0.0. 7 .255 </li></ul><ul><li>**The wildcard is always one number less than the block size </li></ul>

19. Controlling VTY (Telnet) Access <ul><li>Why?? </li></ul><ul><ul><li>Without an ACL any user can Telnet into the router via VTY and gain access </li></ul></ul><ul><li>Controlling access </li></ul><ul><ul><li>Create a standard IP access list </li></ul></ul><ul><ul><ul><li>Permitting only the host/hosts authorized to Telnet into the router </li></ul></ul></ul><ul><ul><li>Apply the ACL to the VTY line with the </li></ul></ul><ul><ul><ul><li>access-class command </li></ul></ul></ul>

20. Example <ul><li>Lab_A(config)#access-list 50 permit 172.16.10.3 </li></ul><ul><li> Lab_A(config)#line vty 0 4 </li></ul><ul><li> Lab_A(config-line)#access-class 50 in </li></ul><ul><li>(implied deny) </li></ul>

21. Extended IP Access Lists <ul><li>Allows you to choose... </li></ul><ul><ul><ul><li>IP Source Address </li></ul></ul></ul><ul><ul><ul><li>IP Destination Address </li></ul></ul></ul><ul><ul><ul><li>Protocol </li></ul></ul></ul><ul><ul><ul><li>Port number </li></ul></ul></ul>

22. Extended IP ACLs <ul><ul><ul><li>Router(config)#access-list ? </li></ul></ul></ul><ul><ul><ul><li><1-99> IP standard access list </li></ul></ul></ul><ul><ul><ul><li><100-199> IP extended access list </li></ul></ul></ul><ul><ul><ul><li><1000-1099> IPX SAP access list </li></ul></ul></ul><ul><ul><ul><li><1100-1199> Extended 48-bit MAC address access list </li></ul></ul></ul><ul><ul><ul><li><1200-1299> IPX summary address access list </li></ul></ul></ul><ul><ul><ul><li><200-299> Protocol type-code access list </li></ul></ul></ul><ul><ul><ul><li><300-399> DECnet access list </li></ul></ul></ul><ul><ul><ul><li><600-699> Appletalk access list </li></ul></ul></ul><ul><ul><ul><li><700-799> 48-bit MAC address access list </li></ul></ul></ul><ul><ul><ul><li><800-899> IPX standard access list </li></ul></ul></ul><ul><ul><ul><li><900-999> IPX extended access list </li></ul></ul></ul><ul><ul><ul><li>Router(config)#access-list 110 ? </li></ul></ul></ul><ul><ul><ul><li>deny Specify packets to reject </li></ul></ul></ul><ul><ul><ul><li>dynamic Specify a DYNAMIC list of PERMITs or DENYs </li></ul></ul></ul><ul><ul><ul><li>permit Specify packets to forward </li></ul></ul></ul>

23. Extended IP ACLs <ul><ul><ul><li>Router(config)# access-list 110 deny ? </li></ul></ul></ul><ul><ul><ul><li><0-255> An IP protocol number </li></ul></ul></ul><ul><ul><ul><li>ahp Authentication Header Protocol </li></ul></ul></ul><ul><ul><ul><li>eigrp Cisco's EIGRP routing protocol </li></ul></ul></ul><ul><ul><ul><li>esp Encapsulation Security Payload </li></ul></ul></ul><ul><ul><ul><li>gre Cisco's GRE tunneling </li></ul></ul></ul><ul><ul><ul><li>icmp Internet Control Message Protocol </li></ul></ul></ul><ul><ul><ul><li>igmp Internet Gateway Message Protocol </li></ul></ul></ul><ul><ul><ul><li>igrp Cisco's IGRP routing protocol </li></ul></ul></ul><ul><ul><ul><li>ip Any Internet Protocol </li></ul></ul></ul><ul><ul><ul><li>ipinip IP in IP tunneling </li></ul></ul></ul><ul><ul><ul><li>nos KA9Q NOS compatible IP over IP tunneling </li></ul></ul></ul><ul><ul><ul><li>ospf OSPF routing protocol </li></ul></ul></ul><ul><ul><ul><li>pcp Payload Compression Protocol </li></ul></ul></ul><ul><ul><ul><li>tcp Transmission Control Protocol </li></ul></ul></ul><ul><ul><ul><li>udp User Datagram Protocol </li></ul></ul></ul><ul><ul><ul><li>Router(config)# access-list 110 deny tcp ? </li></ul></ul></ul><ul><ul><ul><li>A.B.C.D Source address </li></ul></ul></ul><ul><ul><ul><li>any Any source host </li></ul></ul></ul><ul><ul><ul><li>host A single source host </li></ul></ul></ul>

24. Extended IP ACL Steps <ul><li>#1: Select the access list: </li></ul><ul><li>RouterA(config)#access-list 110 </li></ul><ul><li>#2: Decide on deny or permit: </li></ul><ul><li>RouterA(config)#access-list 110 deny </li></ul><ul><li>#3: Choose the protocol type: </li></ul><ul><li>RouterA(config)#access-list 110 deny tcp </li></ul><ul><li>#4: Choose source IP address of the host or network: </li></ul><ul><li>RouterA(config)#access-list 110 deny tcp any </li></ul><ul><li>#5: Choose destination IP address </li></ul><ul><li> RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 </li></ul><ul><li>#6: Choose the type of service, port, & logging </li></ul><ul><li>RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log </li></ul>

25. Steps (cont.) <ul><li>RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log </li></ul><ul><li>RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255 </li></ul><ul><li>RouterA(config)#ip access-group 110 in </li></ul><ul><li>or </li></ul><ul><li>RouterA(config)#ip access-group 110 out </li></ul>

26. Named Access Lists <ul><li>Another way to create standard and extended access lists. </li></ul><ul><li>Allows the use of descriptive names to ease network management. </li></ul><ul><li>Syntax changes: </li></ul><ul><ul><li>Lab_A(config)#ip access-list standard BlockSales </li></ul></ul><ul><ul><li>Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255 </li></ul></ul><ul><ul><li>Lab_A(config-std-nacl)#permit any </li></ul></ul>

27. Monitoring IP Access Lists <ul><li>Display all access lists & their parameters </li></ul><ul><ul><li>show access-list </li></ul></ul><ul><li>Show only the parameters for the access list 110 </li></ul><ul><li>show access-list 110 </li></ul><ul><li>Shows only the IP access lists configured </li></ul><ul><ul><li>show ip access-list </li></ul></ul><ul><li>Shows which interfaces have access lists set </li></ul><ul><ul><li>show ip interface </li></ul></ul><ul><li>Shows the access lists & which interfaces have access lists set </li></ul><ul><ul><li>show running-config </li></ul></ul>

28. Written Labs and Review Questions <ul><ul><li>Open your books and go through all the written labs and the review questions. </li></ul></ul><ul><ul><li>Review the answers in class. </li></ul></ul>

Chapter10ccna

Esté a ler uma amostra.

Confira estes a seguir

Chapter10ccna

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (9)

Semelhante a Chapter10ccna (20)

Mais de robertoxe (20)

Chapter10ccna

Chapter10ccna

Esté a ler uma amostra.

Chapter10ccna

Recomendadas

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Quem viu também gostou (9)

Semelhante a Chapter10ccna (20)

Mais de robertoxe (20)

Chapter10ccna