Verify that it has complete connectivity before starting. Use pings to
check this.
Design ACLs according to the following policy.
1. Stop PC0 from accessing the webserver in Chatham but allow it to access the other servers on the same machine.
2. Give PC2 access to all hosts on the Chatham LAN. (Does this need an ACL?) Would it be better if this policy was written slightly differently? Give PC2 access to all hosts on the Chatham LAN only.
3. Stop PC3 from accessing the whole of the London LAN.
4. Ensure that PC2 has access to the webserver on the London LAN but cannot access any of the other London hosts.
To accomplish this you will need to think about two separate things:
1. How to identify the traffic proposed for the security policy.
2. The placing of the ACLs themselves.
It is important that you do this on paper before committing yourself.
Identifying the traffic stream
Look for the IP addresses that would be involved in traffic movements
specified in the policy.
You need to decide if the addresses are one single address or a range.
If it is a single address, we need to check all of the bits in the IP
address. The bits of the IP address can be checked or ignored as
specified by the wildcard mask.
Remember that a wildcard mask is a 32-bit number and forces a router to
either check or ignore one of the bits in the IP address.
This can be useful if we want to specify a complete LAN.
You can use the port number or the protocol name to specify the traffic
if only a certain type of traffic needs to be identified.
Wildcard Mask
For this level of study we will look at the use of a wildcard mask in
two cases only, host and network.
For a host, we would want to specify just this one address. This means
that it is necessary to check all the 32 bits of the IP address.
We put a 0 in the respective place to check an individual bit and a 1
to ignore that bit.
For all the bits of a host's IP address we need a wildcard mask as
follows:
00000000.00000000.00000000.00000000 in binary
= 0.0.0.0 in dotted decimal
For a LAN, let us assume /24. Here we want to check all IP addresses in
the LAN so we need to test the first 24 bits of the IP address.
We need a wildcard mask as follows:
00000000.00000000.00000000.11111111 in binary
= 0.0.0.255 in dotted decimal
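The two wildcard masks above, worked through in code. This is an added example and not part of the lab sheet: it derives the wildcard mask for a prefix length, prints it in the dotted-binary form used above, and shows which bits a router actually compares (0 bits are checked, 1 bits ignored). It generalises the host (/32) and /24 cases in the text to any prefix length; the function names are mine.

```python
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network in dotted decimal.

    The first prefix_len bits must be checked (0), the remaining
    32 - prefix_len bits are ignored (1).
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (1 << (32 - prefix_len)) - 1      # low-order bits set to 1
    return str(ipaddress.IPv4Address(mask))


def wildcard_binary(wildcard: str) -> str:
    """Render a dotted-decimal wildcard mask as four 8-bit binary groups."""
    n = int(ipaddress.IPv4Address(wildcard))
    bits = f"{n:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def matches(address: str, acl_address: str, wildcard: str) -> bool:
    """True if `address` agrees with `acl_address` on every checked (0) bit.

    Bits where the wildcard has a 1 are masked out on both sides and so
    never influence the comparison.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


if __name__ == "__main__":
    for prefix in (32, 24):
        wc = wildcard_from_prefix(prefix)
        print(f"/{prefix}: {wildcard_binary(wc)} in binary = {wc} in dotted decimal")
    # Constructed sample addresses: a single host and a whole /24 LAN.
    print(matches("192.168.1.12", "192.168.1.12", "0.0.0.0"))   # host: every bit checked
    print(matches("192.168.1.13", "192.168.1.12", "0.0.0.0"))   # one bit differs
    print(matches("200.1.2.77", "200.1.2.0", "0.0.0.255"))      # last octet ignored
    print(matches("200.1.3.77", "200.1.2.0", "0.0.0.255"))      # third octet differs
```

Because a wildcard mask is simply the bitwise inverse of a subnet mask, a /24 LAN gives 0.0.0.255 and a single host gives 0.0.0.0, which is exactly what the two worked cases in the text show.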
Building a table of information
Construct a table like the one below to hold information about the traffic we wish to identify. I have given one line as an example.
The Protocol may have one of several values:
ahp   Authentication Header Protocol
esp   Encapsulation Security Payload
gre   Cisco's GRE tunneling
icmp  Internet Control Message Protocol
ip    Any Internet Protocol
tcp   Transmission Control Protocol
udp   User Datagram Protocol
Service Port is used when we want to stop (or allow) a certain service, e.g. www
traffic. Here we would need to know the port that a web server listens
on. In the case of www traffic, it is port 80.
There is no need to specify a Service Port if you are permitting or denying all IP traffic. Just use IP as the protocol.
Protocol | Source IP address | Source Wildcard Mask | Destination IP address | Destination Wildcard Mask | Service Port
---------|-------------------|----------------------|------------------------|---------------------------|-------------
IP       | 192.168.1.12      | 0.0.0.0              | 200.1.2.0              | 0.0.0.255                 |
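The following is an added example, not code from the lab sheet, showing how rows of the table above become lines of an access list and how a router evaluates them: lines are tried top to bottom, the first match decides, and a packet that matches no line is dropped by the implicit deny that ends every Cisco ACL. The first ACL line is the sample row from the table (with deny as its action); the second line is a hypothetical follow-up that lets the rest of the 192.168.1.0/24 LAN reach www on the 200.1.2.0/24 LAN. All class and function names are mine, and the packets are constructed test data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known service names used on this sheet (www is port 80; the FTP control port is 21).
SERVICE_PORTS = {"www": 80, "ftp": 21}


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" (any), "tcp", "udp" or "icmp"
    src: str                     # source IP address
    src_wild: str                # source wildcard mask
    dst: str                     # destination IP address
    dst_wild: str                # destination wildcard mask
    port: Optional[int] = None   # destination service port; None = any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def service_port(name: str) -> int:
    """Resolve a name from the Service Port column to its port number."""
    return SERVICE_PORTS[name]


def _addr_matches(address: str, acl_address: str, wildcard: str) -> bool:
    # Wildcard bits set to 0 are checked, bits set to 1 are ignored.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, acl_address, wildcard))
    return (a & ~w) == (b & ~w)


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    """True if this table row / ACL line identifies the packet."""
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not _addr_matches(pkt.src, entry.src, entry.src_wild):
        return False
    if not _addr_matches(pkt.dst, entry.dst, entry.dst_wild):
        return False
    if entry.port is not None and entry.port != pkt.dport:
        return False
    return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Walk the ACL top to bottom; the first matching line decides.

    A packet matching no line is denied: every ACL ends with an implicit deny.
    """
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


# Constructed example ACL (see the lead-in for what each line represents).
EXAMPLE_ACL = [
    AclEntry("deny", "ip", "192.168.1.12", "0.0.0.0", "200.1.2.0", "0.0.0.255"),
    AclEntry("permit", "tcp", "192.168.1.0", "0.0.0.255", "200.1.2.0", "0.0.0.255",
             service_port("www")),
]

if __name__ == "__main__":
    samples = (
        Packet("tcp", "192.168.1.12", "200.1.2.10", 80),   # the host from the table row
        Packet("tcp", "192.168.1.20", "200.1.2.10", 80),   # another host on the LAN, www
        Packet("tcp", "192.168.1.20", "200.1.2.10", 21),   # same host, ftp: no line matches
        Packet("icmp", "192.168.1.20", "200.1.2.10"),      # ping: no line matches
    )
    for pkt in samples:
        print(pkt, "->", evaluate(EXAMPLE_ACL, pkt))
```

Two things to take from the run: the order of lines matters (swapping the two lines would let the denied host through on port 80), and anything not explicitly permitted, including the ICMP echo you would use to test connectivity, is silently dropped, which is why a deny-only ACL applied to an interface blocks all traffic through it.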
1. The example above identifies traffic. Use the table to explain the traffic it is identifying.
2. Construct your own tables to show the information that is contained in the policy above.
3. Use this to help you build access control lists for the 4 cases given above.
4. Write your proposed ACLs before applying them to your network.

Placing and Applying ACLs
ACLs are applied to interfaces. Generally with an extended ACL we use the interface on the router that is closest to the source of the traffic we wish to block, although this is not a hard and fast rule.
Imagine that you are standing inside the router. You need to decide whether traffic is to be allowed in or out of an interface. Use the command words in or out when in interface configuration mode to apply an access control list.

Examples of setting up access lists
For FTP, you need to specify TCP as the protocol suite before the
source and destination addresses (and wildcard masks) and then the port
(service) you want to block. Use the ? function in the IOS to help you
design the lists.
chatham(config-ext-nacl)#permit ?
  icmp  Internet Control Message Protocol
  ip    Any Internet Protocol
  tcp   Transmission Control Protocol
  udp   User Datagram Protocol
Add the source and destination IP addresses then specify the service.
chatham(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 212.23.23.24 0.0.0.0 ?
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  range        Match only packets in the range of port numbers
  <cr>
chatham(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 212.23.23.24 0.0.0.0 eq ftp