Sybex CCNA 640-802 Chapter 12: Security Instructor & Todd Lammle.
Chapter 1 Objectives
The CCNA topics covered in this chapter include:
• Introduction to Security
  – Types of attacks
  – Mitigating attacks
• Access-lists
  – Standard
  – Extended
  – Named
  – Monitoring Access-lists
Introduction to Security
Attacks
• Application-layer attacks
• Autorooters
• Backdoors
• Denial of service (DoS) and distributed denial of service (DDoS) attacks
  – (many others)
Mitigating Attacks
• Appliances
  – IDS
  – IPS
• Stateful IOS Firewall inspection engine
• Firewall voice traversal
• ICMP inspection
• Authentication proxy
Access Lists
• Purpose:
  – Used to permit or deny packets moving through the router
  – Permit or deny Telnet (VTY) access to or from a router
  – Define the "interesting traffic" for dial-on-demand routing (DDR) that triggers dialing to a remote location
Important Rules
• Packets are compared to each line of the access list in sequential order
• Packets are compared with lines of the access list only until a match is made
  – Once a match is made and acted upon, no further comparisons take place
• An implicit "deny" is at the end of each access list
  – If no matches have been made, the packet will be discarded
Types of Access Lists
• Standard Access List
  – Filter by source IP address only
• Extended Access List
  – Filter by source IP, destination IP, protocol field, port number
• Named Access List
  – Functionally the same as standard and extended access lists
Application of Access Lists
• Inbound Access Lists
  – Packets are processed before being routed to the outbound interface
• Outbound Access Lists
  – Packets are routed to the outbound interface and then processed through the access list
ACL Guidelines
• One access list per interface, per protocol, per direction
• More specific tests at the top of the ACL
• New lines are added at the bottom of the ACL
• Individual lines cannot be removed from a numbered ACL
• End ACLs with a permit any command (otherwise the implicit deny drops everything else)
• Create ACLs and then apply them to an interface
• ACLs do not filter traffic originated by the router itself
• Put standard ACLs close to the destination
• Put extended ACLs close to the source
Standard IP Access Lists
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
Standard IP Access Lists
• Creating a standard IP access list:
Router(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
• Permit or deny?
Router(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any any source host
host A single host address
• Using the host command:
Router(config)#access-list 10 deny host 172.16.30.2
Wildcards
• What are they?
  – Used with access lists to specify a:
    • Host
    • Network
    • Part of a network
Block Sizes
64 32 16 8 4
• Rules:
  – When specifying a range of addresses, choose the closest block size
  – Each block size must start at 0
  – A ‘0’ in a wildcard means that octet must match exactly
  – A ‘255’ in a wildcard means that octet can be any value
  – The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255
Specifying a Range of Subnets
(Remember: specify a range of values in a block size)
Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
Network number = 172.16.8.0
Wildcard = 0.0.7.255
**The wildcard is always one number less than the block size
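As an added worked example (not code from the book or from Cisco), the wildcard rules of the last two slides in Python: block_wildcard derives network and wildcard for an aligned block such as 172.16.8.0 through 172.16.15.255 (block size 8 in the third octet, wildcard 0.0.7.255), and range_to_entries goes beyond the slide by splitting a range that is not a single block into the fewest aligned blocks. Function names and the ranges used are my own.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _text(value):
    return str(ipaddress.IPv4Address(value))

def block_wildcard(first, last):
    """Network and wildcard for a range that is one aligned block, per the slide rules:
    the block size is a power of two (64, 32, 16, 8, 4 ...), the block starts at a
    multiple of its size ("starts at 0") and the wildcard is block size minus one."""
    lo, hi = _ip(first), _ip(last)
    size = hi - lo + 1
    if size & (size - 1):
        raise ValueError(f"{first}-{last} spans {size} addresses, not a power-of-two block")
    if lo % size:
        raise ValueError(f"{first} is not aligned to a block of {size} addresses")
    return _text(lo), _text(size - 1)

def range_to_entries(first, last):
    """Generalisation beyond the slide: cover any range with the fewest (network,
    wildcard) pairs by repeatedly taking the largest aligned block that still fits."""
    lo, hi = _ip(first), _ip(last)
    entries = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((_text(lo), _text(size - 1)))
        lo += size
    return entries
```

A range that is not aligned (say 172.16.9.0 through 172.16.15.255) is rejected by block_wildcard and needs several ACL lines from range_to_entries instead of one.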
Standard ACL Example (diagram)
Standard ACL Example 2 (diagram)
Standard ACL Example 3 (diagram)
Controlling VTY (Telnet) Access
• Why??– Without an ACL any user can Telnet
into the router via VTY and gain access
• Controlling access– Create a standard IP access list
• Permitting only the host/hosts authorized to Telnet into the router
– Apply the ACL to the VTY line with the
access-class command
Example
Lab_A(config)#access-list 50 permit 172.16.10.3
Lab_A(config)#line vty 0 4
Lab_A(config-line)#access-class 50 in
(implied deny)
Extended IP Access Lists
• Allows you to filter on:
  • IP source address
  • IP destination address
  • Protocol
  • Port number
Extended IP ACLs
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
Router(config)#access-list 110 ?
deny Specify packets to reject
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
Extended IP ACLs
Router(config)#access-list 110 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Router(config)#access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Extended IP ACL Steps
#1: Select the access list:
RouterA(config)#access-list 110
#2: Decide on deny or permit:
RouterA(config)#access-list 110 deny
#3: Choose the protocol type:
RouterA(config)#access-list 110 deny tcp
#4: Choose source IP address of the host or network:
RouterA(config)#access-list 110 deny tcp any
#5: Choose destination IP address
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
#6: Choose the type of service, port, & logging
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
Steps (cont.)
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
RouterA(config)#ip access-group 110 in
or
RouterA(config)#ip access-group 110 out
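An added Python model of the matching rules (not code from the book or from Cisco): it parses the numbered standard and extended entries shown on these slides, applies them top-down with first match wins and the implicit deny from the Important Rules slide, and reports whether a denied Telnet attempt to 172.16.30.2 would be logged. The packets are dicts I construct; no device is involved and the parser covers only the keywords the slides use (any, host, eq, log).

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == network 0.0.0.0 wildcard 255.255.255.255

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is a don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D [wildcard]'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and "." in tokens[0]:            # an explicit wildcard follows
        return (t, tokens.pop(0))
    return (t, "0.0.0.0")                      # bare address in a standard list = one host

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line (numbered standard or extended)."""
    tokens = line.split()
    num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    e = {"action": action, "proto": "ip", "src": ANY, "dst": ANY, "port": None, "log": False}
    if num <= 99:                              # standard list (1-99): source address only
        e["src"] = take_addr(rest)
        return e
    e["proto"] = rest.pop(0)                   # extended (100-199): protocol, source, destination
    e["src"] = take_addr(rest)
    e["dst"] = take_addr(rest)
    while rest:                                # optional 'eq <port>' and 'log'
        t = rest.pop(0)
        if t == "eq":
            e["port"] = int(rest.pop(0))
        elif t == "log":
            e["log"] = True
    return e

def evaluate(entries, pkt):
    """First matching line decides and returns (action, logged); no match => implicit deny."""
    for e in entries:
        if (e["proto"] in ("ip", pkt.get("proto", "ip"))
                and wildcard_match(pkt["src"], *e["src"])
                and wildcard_match(pkt.get("dst", "0.0.0.0"), *e["dst"])
                and (e["port"] is None or e["port"] == pkt.get("dport"))):
            return e["action"], e["log"]
    return "deny", False                       # the implicit deny at the end of every list

ACL_110 = [parse_entry(l) for l in (       # constructed sample built from the slides' entries
    "access-list 110 deny tcp any host 172.16.30.2 eq 23 log",
    "access-list 110 permit ip any 0.0.0.0 255.255.255.255")]
ACL_50 = [parse_entry("access-list 50 permit 172.16.10.3")]   # the VTY access-class list
```

Evaluating an empty list returns deny for every packet, which is the implicit deny the ACL Guidelines slide warns about when a list is not ended with permit any.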
Named Access Lists
• Another way to create standard and extended access lists.
• Allows the use of descriptive names to ease network management.
• Syntax changes:
Lab_A(config)#ip access-list standard BlockSales
Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Lab_A(config-std-nacl)#permit any
Turning Off and Configuring Network Services
SNMP
Lab_B(config)#access-list 110 deny udp any any eq snmp
Echo
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
BootP and Auto-Config
Lab_B(config)#no ip boot server
Lab_B(config)#no service config
More examples: pages 632-635
Cisco’s AutoSecure
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance
security and any possible side effects, please refer to Cisco.com
for Autosecure documentation.
At any prompt you may enter ‘?’ for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: [enter]
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.10.10.1 YES NVRAM up up
Serial0/0 1.1.1.1 YES NVRAM down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Enter the interface name that is facing the internet: serial0/0
Securing Management plane services...
Monitoring IP Access Lists
• Display all access lists and their parameters:
show access-list
• Show only the parameters for access list 110:
show access-list 110
• Show only the IP access lists configured:
show ip access-list
• Show which interfaces have access lists set:
show ip interface
• Show the access lists and which interfaces have access lists set:
show running-config
Written Labs and Review Questions
– Open your books and go through all the written labs and the review questions.
– Review the answers in class.