Wednesday 26 November 2014

Access-Lists

Using Access Lists

Now we’re getting into the good stuff, using access-lists to control the flow of traffic across our network.

First let’s get a little test network set up so that we can really visualise what we are doing here.

So what I've got set up here is a single router with three networks hanging off it.  In each network there is a single virtual machine running in VirtualBox (which plays very nicely with GNS3, although the same is possible with VMware with a little more configuration).  The 192.168.21.0/24 network simulates the internal network, 172.16.31.0/24 simulates a DMZ and 45.45.45.0/24 simulates the Internet.

The first thing I’ll set up is basic routing so that all hosts can talk to each other with no access-lists and no address translation.  The router will use the .1 address for each network and the host will use the .20 address.

R1#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            45.45.45.1      YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
FastEthernet1/0            172.16.31.1     YES manual up                    up
FastEthernet1/1            unassigned      YES unset  administratively down down
GigabitEthernet2/0         192.168.21.1    YES manual up                    up

Now that all the networks can talk to each other, let's look at some of the things we may want to block:

•    IP address spoofing – traffic entering an interface must not carry a source address that belongs to a network sitting behind a different interface (an inbound anti-spoofing ACL or Unicast RPF enforces this).
•    TCP SYN-flood attacks – features such as TCP intercept let the router complete the handshake on the server's behalf and age out half-open connections before they reach the server.
•    Information gathering – controlling protocols such as ICMP stops information about our internal network (which addresses are live, hop counts, router identities) leaking out to attackers.

We also want to apply the principle of least privilege: grant exactly the access that is required and no more.
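As an added example (my configuration, not the post's), here is what those three controls look like on the lab router: an ingress ACL plus strict Unicast RPF on the Internet-facing interface for anti-spoofing, ICMP trimmed to the types the outside legitimately needs, and TCP intercept in front of the DMZ web server.  The ACL names, the access-list number 120, the intercept thresholds and the chosen ICMP types are my own choices.  Only one ACL can be bound per interface and direction, so in a real build these entries sit at the top of whatever list is bound inbound on f0/0.

```cisco
! Added example, not from the original post.
! --- 1. Anti-spoofing + ICMP on the Internet-facing interface ---
! Packets arriving from the "Internet" side may not claim a source address
! that belongs to the DMZ, the internal network, the router itself,
! loopback or RFC 1918 space. The lab DMZ (172.16.31.0/24) is inside
! 172.16.0.0/12, so the wider RFC 1918 line also covers it; the narrower
! lines are kept so the log shows exactly which inside range was forged.
ip access-list extended internet_ingress
 deny   ip 192.168.21.0 0.0.0.255 any log
 deny   ip 172.16.31.0 0.0.0.255 any log
 deny   ip host 45.45.45.1 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 ! ICMP: echo only to the DMZ web server (monitoring), plus the types that
 ! path-MTU discovery and our own outbound traceroutes depend on. Timestamp
 ! and mask probes, and any ICMP aimed at the internal network, are dropped.
 permit icmp any host 172.16.31.20 echo
 permit icmp any any packet-too-big
 permit icmp any any ttl-exceeded
 deny   icmp any any log
 ! Placeholder: the per-service permits for the DMZ are built later on this
 ! page (external_in) and replace this line, which is only here so the list
 ! is usable on its own in the lab.
 permit ip any any
!
interface FastEthernet0/0
 ip access-group internet_ingress in
 ! Strict Unicast RPF does the anti-spoofing check from the routing table:
 ! a packet is dropped unless the route back to its source leaves via this
 ! interface. Needs CEF (ip cef) and only suits single-path interfaces.
 ip verify unicast source reachable-via rx
!
! The same check on the inside interfaces means the internal network can
! only ever send packets sourced from 192.168.21.0/24 and the DMZ only from
! 172.16.31.0/24, whatever a compromised host tries.
interface FastEthernet1/0
 ip verify unicast source reachable-via rx
interface GigabitEthernet2/0
 ip verify unicast source reachable-via rx
!
! --- 2. TCP intercept for the DMZ web server ---
! The router answers the client's SYN itself and only opens the server-side
! connection once the client completes the three-way handshake, so the
! half-open connections of a SYN flood land on the router, which ages them
! out, instead of on 172.16.31.20.
access-list 120 permit tcp any host 172.16.31.20 eq www
access-list 120 permit tcp any host 172.16.31.20 eq 443
ip tcp intercept list 120
ip tcp intercept mode intercept
! Above 1000 half-open connections the router goes aggressive (drops the
! oldest half-open connection for each new SYN and shortens its timers)
! until the count falls back below 800.
ip tcp intercept max-incomplete high 1000
ip tcp intercept max-incomplete low 800
```

show ip access-lists shows a match counter per entry and show tcp intercept statistics shows how many connections are being held, which is how you confirm each control is actually doing something before trusting it.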

I'm not going to run over the ACL information that was covered in CCNA R & S, so if you need a refresher then now's the time to go and have a read and understand the basics.

Let's say the first thing we want to do is block all traffic from the Internet.  The easiest way to do this is an access-list inbound on interface f0/0 that blocks traffic with source IP 45.45.45.0 0.0.0.255.  Remember that every access-list ends with an implicit deny any, so a list containing only a deny entry blocks everything on that interface in that direction; the explicit entry mainly makes the intent visible in the configuration.

R1(config)#access-list 10 deny 45.45.45.0 0.0.0.255
R1(config)#int fa0/0
R1(config-if)#ip access-group 10 in


That's it: we've configured a standard access-list, which only looks at source IP addresses, and applied it inbound on int f0/0.  Let's give it a test:

For the PC on the 'Internet' the packets are now being filtered, whereas earlier they were being allowed.  However this is obviously a poor design: we have a DMZ because we want some services to be reachable from the Internet, so we need to do some more configuration here.
Instead we can apply the same access-list outbound on g2/0.  Standard ACLs only match on source, which is why the usual advice is to place them as close to the destination as possible: here that stops the Internet getting to the 192.168.21.0/24 network while leaving the 172.16.31.0/24 network reachable.  Bear in mind that the implicit deny at the end of list 10 also drops traffic from the DMZ to the internal network once the list is applied here.
First we'll remove it from the fa0/0 interface:

R1(config)#int fa0/0
R1(config-if)#no ip access-group 10 in


Now we’ll apply it outbound on g2/0:

R1(config)#int g2/0
R1(config-if)#ip access-group 10 out


Now let’s test this connection:

Access to the 172.16.31.0 network now works, but access to the 192.168.21.0 network is blocked (show ip access-lists displays a match counter per entry, which is the quickest way to confirm which line a packet hit).  Of course this is still far from ideal: the Internet now has full access to our DMZ, and we only want to allow exactly what is necessary and no more.

In order to achieve this we need extended access-lists, which let us match on source and destination addresses as well as protocol and source and destination ports.  I'm also going to introduce object groups: several hosts, networks or services can be grouped and then referenced by name in a single access-list entry, which keeps the list short and makes a later change a matter of editing the group rather than every line that mentions it.

R1(config)#int g2/0
R1(config-if)#no ip access-group 10 out

R1(config)#object-group network InternetServers
R1(config-network-group)#host 45.45.45.20
R1(config-network-group)#host 45.45.45.21

R1(config)#object-group network DMZ
R1(config-network-group)#172.16.31.0 255.255.255.0
R1(config)#object-group network Internal
R1(config-network-group)#192.168.21.0 255.255.255.0


We’ve defined two servers on the Internet, and also defined our DMZ and internal networks so we can reference them by name in access-lists.
Now let’s come up with a few scenarios that we would like to achieve:
•    Everyone on the internal network can access the Internet for web browsing
•    Everyone on the internal network can access the DMZ but only for management (SSH, HTTPS and RDP)
•    Everyone on the Internet can access the web server (172.16.31.20), and only on HTTP and HTTPS

First let's define some more object groups – we can define groups of services as well as networks and hosts:

R1(config)#object-group service MGMT
R1(config-service-group)#tcp 22
R1(config-service-group)#tcp 443
R1(config-service-group)#tcp 3389


R1(config)#object-group service WEB
R1(config-service-group)#tcp 80
R1(config-service-group)#tcp 443


Now let's define our access-lists.  Two named extended ACLs cover the three scenarios: one for traffic leaving the internal network and one for traffic arriving from the Internet.
First the internal one.  Entries are evaluated top to bottom and the first match wins, so the order matters: allow management traffic to the DMZ, then block everything else to the DMZ, then allow web traffic to anywhere, then block anything else.  Every entry carries log; the explicit deny ip any any at the end is there because the implicit deny does not log.  (Logging every flow is fine in the lab but costs CPU in production; ip access-list log-update threshold and logging rate-limit keep it under control.)

R1(config)#ip access-list extended internal_out
R1(config-ext-nacl)#permit object-group MGMT object-group Internal object-group DMZ log
R1(config-ext-nacl)#deny ip object-group Internal object-group DMZ log
R1(config-ext-nacl)#permit object-group WEB object-group Internal any log
R1(config-ext-nacl)#deny ip any any log


That's ticked off our first two requirements; we just need to lock down access to the web server from the Internet:
R1(config)#ip access-list extended external_in
R1(config-ext-nacl)#permit object-group WEB any host 172.16.31.20 log
R1(config-ext-nacl)#deny ip any any log


Now all we need to do is apply these access-lists to the correct interfaces.  Direction is relative to the router interface: traffic leaving the internal network enters the router on g2/0, so internal_out is bound inbound there.

R1(config)#int fa0/0
R1(config-if)#ip access-group external_in in
R1(config)#int g2/0
R1(config-if)#ip access-group internal_out in


Now let's try accessing the DMZ from the Internet:

From our host 45.45.45.20, I initiated two requests on port 80, one to 172.16.31.21 and one to 172.16.31.20.  We can see that the request to .21 is blocked, but the request to .20 is permitted.
*Nov 26 15:21:38.979: %SEC-6-IPACCESSLOGP: list external_in denied tcp 45.45.45.20(55631) -> 172.16.31.21(80), 1 packet
*Nov 26 15:22:58.619: %SEC-6-IPACCESSLOGP: list external_in permitted tcp 45.45.45.20(53428) -> 172.16.31.20(80), 1 packet


Let’s try something similar from the internal network:

*Nov 26 15:38:36.959: %SEC-6-IPACCESSLOGP: list internal_out permitted tcp 192.168.21.20(56324) -> 172.16.31.20(22), 1 packet
*Nov 26 15:39:14.643: %SEC-6-IPACCESSLOGP: list internal_out denied tcp 192.168.21.20(52198) -> 172.16.31.20(80), 1 packet
*Nov 26 15:40:10.435: %SEC-6-IPACCESSLOGP: list internal_out permitted tcp 192.168.21.20(45556) -> 45.45.45.20(80), 1 packet
*Nov 26 15:40:37.211: %SEC-6-IPACCESSLOGP: list internal_out denied tcp 192.168.21.20(39670) -> 45.45.45.20(23), 1 packet


The four lines above show that the router is allowing traffic from the internal network to the DMZ on port 22 but blocking port 80, while from the internal network to the Internet port 80 is allowed and port 23 is blocked.  Note that only the outbound SYN is logged here.  The reply from 45.45.45.20 comes back in on fa0/0 and has to pass external_in, which only permits HTTP and HTTPS to 172.16.31.20, so the reply is dropped by its deny ip any any and the browsing session never completes.  Plain access-lists are stateless: return traffic needs either the established keyword or a reflexive access-list, and web browsing also needs DNS, which internal_out currently denies.
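The logs above only show the outbound SYN.  Replies from 45.45.45.20 arrive on fa0/0 and are dropped by external_in, which has no entry for traffic to the internal network, because plain ACLs are stateless.  Here is a reworked pair of lists using reflexive access-lists that closes that gap, as an added example rather than the post's own configuration.  It uses explicit addresses instead of the object groups above; the reflexive list name internal_sessions, the dmz_in list, the resolver address 45.45.45.21 and the 300-second timeout are my own choices.

```cisco
! Added example, not from the original post. Explicit addresses are used in
! place of the object groups; names, resolver and timeout are assumptions.
! Re-entering a named ACL appends to it, so remove the old lists first.
no ip access-list extended internal_out
no ip access-list extended external_in
!
! Each 'reflect' entry that permits a session also creates a temporary
! mirror entry (addresses and ports swapped) in the reflexive list
! internal_sessions. 'evaluate' on the return path consults that list, so
! only replies to sessions the inside actually opened are let back in.
! Entries age out after 300 s of silence or when the TCP session closes.
ip access-list extended internal_out
 permit tcp 192.168.21.0 0.0.0.255 172.16.31.0 0.0.0.255 eq 22 reflect internal_sessions timeout 300
 permit tcp 192.168.21.0 0.0.0.255 172.16.31.0 0.0.0.255 eq 443 reflect internal_sessions timeout 300
 permit tcp 192.168.21.0 0.0.0.255 172.16.31.0 0.0.0.255 eq 3389 reflect internal_sessions timeout 300
 deny   ip 192.168.21.0 0.0.0.255 172.16.31.0 0.0.0.255 log
 ! Web browsing needs name resolution too (resolver address is an assumption).
 permit udp 192.168.21.0 0.0.0.255 host 45.45.45.21 eq domain reflect internal_sessions timeout 300
 permit tcp 192.168.21.0 0.0.0.255 any eq www reflect internal_sessions timeout 300
 permit tcp 192.168.21.0 0.0.0.255 any eq 443 reflect internal_sessions timeout 300
 deny   ip any any log
!
! Internet-facing ingress: the published service, then replies to sessions
! the inside opened, then nothing else.
ip access-list extended external_in
 permit tcp any host 172.16.31.20 eq www log
 permit tcp any host 172.16.31.20 eq 443 log
 evaluate internal_sessions
 deny   ip any any log
!
! The DMZ interface had no list at all, so a compromised web server could
! reach anything internal. Replies to management sessions are allowed via
! the same reflexive list; everything else towards the inside is dropped,
! while the DMZ can still reach the Internet (updates, for instance).
ip access-list extended dmz_in
 evaluate internal_sessions
 deny   ip any 192.168.21.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 ip access-group external_in in
interface FastEthernet1/0
 ip access-group dmz_in in
interface GigabitEthernet2/0
 ip access-group internal_out in
```

show ip access-lists displays the reflexive list with its live mirror entries, which is a handy way to see exactly which sessions the inside currently has open.  Reflexive lists track addresses and ports only, so a protocol that negotiates a second connection (active FTP, for example) needs an inspection engine such as CBAC or the zone-based firewall, which is where the firewall post comes in.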

We can also configure IPv6 access-lists, which differ slightly from IPv4 in configuration.  I’ll just create a dummy list as I haven’t configured my VMs with IPv6.

R1(config)#ipv6 access-list V6ACL
R1(config-ipv6-acl)#deny ipv6 3ffe:1900:4545:3:200:f8ff:fe21:67cf/128 any

R1(config)#int f0/1
R1(config-if)#ipv6 traffic-filter V6ACL in



For the most part IPv6 access-lists behave the same as IPv4 with a few differences: entries name a protocol (ipv6, tcp, udp, icmp), prefixes are written with a /length instead of a wildcard mask, lists are named rather than numbered, and the list is bound with ipv6 traffic-filter instead of ip access-group.  The one real trap is the implicit rules at the end: an IPv6 ACL implicitly permits Neighbor Discovery (icmp nd-ns and nd-na) before its implicit deny, but an explicit deny ipv6 any any comes before those implicit entries and disables them, so a logged catch-all deny silently breaks IPv6 on the link unless ND is permitted explicitly.
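As an added example (not the post's dummy list), here is an IPv6 version of the Internet-facing ingress list for f0/0.  The prefixes are hypothetical documentation addresses: 2001:db8:31::/64 for the DMZ with the web server at 2001:db8:31::20, and 2001:db8:21::/64 for the internal network.  It shows the IPv6-specific points: Neighbor Discovery permitted by hand ahead of the explicit deny, Router Advertisements refused from the outside, packet-too-big kept because IPv6 routers never fragment, and the IPv6 forms of the binding and uRPF commands.

```cisco
! Added example, not from the original post; prefixes are hypothetical.
ipv6 access-list external_in_v6
 ! Neighbor Discovery must be permitted explicitly: the implicit nd-ns/nd-na
 ! permits at the end of every IPv6 ACL are never reached once an explicit
 ! deny ipv6 any any is present.
 permit icmp any any nd-ns
 permit icmp any any nd-na
 ! Never accept Router Advertisements from the outside: a rogue RA rewrites
 ! every host's default route and address configuration.
 deny   icmp any any router-advertisement log
 ! Routers do not fragment in IPv6, so packet-too-big is essential.
 permit icmp any any packet-too-big
 permit icmp any host 2001:db8:31::20 echo-request
 ! The published service, mirroring the IPv4 external_in list.
 permit tcp any host 2001:db8:31::20 eq www
 permit tcp any host 2001:db8:31::20 eq 443
 ! Replies to TCP sessions opened from the inside. 'established' is a
 ! stateless flag check (ACK or RST set); reflect/evaluate also work for
 ! IPv6 and are the stricter choice.
 permit tcp any 2001:db8:21::/64 established
 deny   ipv6 any any log
!
interface FastEthernet0/0
 ! Bound with ipv6 traffic-filter rather than ip access-group ...
 ipv6 traffic-filter external_in_v6 in
 ! ... plus the IPv6 form of strict Unicast RPF for anti-spoofing.
 ipv6 verify unicast source reachable-via rx
```

show ipv6 access-list external_in_v6 shows per-entry match counters; if the nd-ns and nd-na counters stay at zero while hosts lose connectivity, the ND entries are in the wrong place or missing.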

Next up we’ll move onto firewalls.
