ACL Access Lists

Access Lists allow traffic in and out of the network. Packet filtering is done at Layer 3 (or 4) using ACLs. An Access List (ACL) is a router configuration script on an interface that controls whether a router permits or denies packets to pass based on criteria found in the packet header. They are also used for selecting types of traffic to be analyzed, forwarded or processed in other ways. It checks from top to bottom looking for the pattern matching the incoming packet. ACL can classify traffic to enable priority processing down the line. ACLs can be configured to control access to a network or subnet. By default, a router does not have any ACLs configured and therefore does not filter traffic. One ACL can be configured per protocol, per direction and per interface. ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers How ACLs Work ACLs act on control packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself. ACLs are configured either to apply to inbound traffic (saves the overhead of routing lookups) or to apply to outbound traffic. ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time. When the statement is matched, the rest of the statements in the list are skipped. ! At the end of every access list is an implied "deny all traffic" ! so an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic. It is the default behavior of ACLs and cannot be changed but permit all can be added in front of it. The router first checks Layer 2 address and then ACLs. For inbound ACLs, incoming packets are processed before they are routed to an outbound interface. For outbound ACLs, incoming packets are processed after. ACLs are created in global configuration mode and can be numbered or named. If packets are permitted, they are routed through the router to an output interface. If packets are not permitted, they are dropped at the incoming interface. 1

Types of ACLs: Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination doesnt matter. They should be placed as close to the destination as possible because they dont specify destination address. Extended ACLs filter IP packets based on several attributes (protocol type (TCP,UDP,IP,ICMP), source and destination IP address, source or destination TCP or UDP ports). They should be placed as close as possible to source so the packets dont burden the infrastructure. The extended ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit-deny decision. Dynamic ACLs (lock-and-key) users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. o o o Use dynamic ACLs dependent on Telnet connectivity, authentication and extended ACLSs. Are available only for IP. Used when it is needed for a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet and when it is needed for subset hosts on local network to access the host on a remote network that is protected by firewall. Benefits: Use of a challenge mechanism to authenticate individual users Simplified management in large internetworks In many cases, reduction of the amount of router processing that is required for ACLs Reduction of the opportunity for network break-ins by network hackers Creation of dynamic user access through a firewall, without compromising other configured security restrictions

Reflexive ACLs allows outbound traffic and limits inbound traffic in response to sessions that originate inside router. o Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. These ACLs allow the router to manage session traffic dynamically. The router examines the outbound traffic and when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in. The entries are automatically removed when the session ends. Work also with UDP and ICMP The permit established statement only checks ACK and RST bits-not source and destination address. Reflexive ACLs are not applied directly to an interface but are "nested" within an extended named IP ACL that is applied to the interface. They can be defined only with extended named IP ACLs Reflexive ACLs have the following benefits: Help secure your network against network hackers and can be included in a firewall defense. Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked. Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.

o o

o o o

Time-based ACLs allow access control based on the time of the day or week. o o o Similar to extended ACLs in function, but they allow for access control based on time range defined The time restrictions are imposed on the function itself. Time-based ACLs have many benefits, such as: Offers the network administrator more permitting or denying access to resources. control over

Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not 3

constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.

Configuring ACLs To configure numbered ACLs on a Cisco router, you must first create the ACL and then activate the ACL on an interface. Removing the ACL is done by adding no in front of access-list 10 command. Remarks can also be added with access-list 10 remark write something. Standard ACL is configured using following commands: R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255 Or R(config)#ip access-list standard NO_ACCESS R(config-std-nacl)# permit host 192.168.10.0 Extended ACL is configured by: R1(config)# access-list 110 permit tcp 192.168.20.1 0.0.0.255 any eq 23/telnet or R1(config)#access-list extended SURFING R1(config-ext-nacl)# permit tcp 192.168.20.1 0.0.0.255 any eq 23/telnet Reflexive ACLs: If we want to permit only the traffic that is returned for what we asked for: R1(config)# established access-list 110 permit 4 tcp any 192.168.20.1 0.0.0.255

A wildcard mask is a string of binary digits telling the router which parts of the subnet number to look at. It determines how much of an IP source or destination address to apply to the address match. It is, as IP address, 32 bits long and use binary 1s and 0s. They allow permitting or denying a single or several IP addresses. Binary 0 signifies a match, and that binary 1 signifies ignore. The host option substitutes for the 0.0.0.0 mask. The any option substitutes for the IP address and 255.255.255.255 mask. Applying ACL to interface After an ACL is configured, it is linked to an interface using the command: Router(config-if)#ip access-group {access-list-number | access-list-name} {in | out} Router(config-if)#ip access-group 1 [in/out] To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. To apply ACLs on VTY connection (Telnet and SSH) following syntax is used: R(config)#line vty 0 4 R(config-line)#login R(config-line)#password secret R(config-line)#access-class 21 [in/out] Only numbered access lists can be applied to VTYs and identical restrictions should be set on all the VTYs, because a user can attempt to connect to any of them. Editing ACLs There are two ways of ACL editing: Copying the existing one in notepad, correct it, than erasing the old one and copy/paste the new one from notepad. Adding an extra line (15 between 10 and 20)