Extended ACLs


Testing Packets with Extended ACLs:
For more precise traffic-filtering control, you can use extended ACLs numbered 100 to 199 and 2000 to 2699 providing a total of 799 possible extended ACLs. Extended ACLs can also be named.
Extended ACLs are used more often than standard ACLs because they provide a greater range of control and, therefore, add to your security solution. Like standard ACLs, extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services). This gives a greater range of criteria on which to base the ACL. For example, an extended ACL can simultaneously allow e-mail traffic from a network to a specific destination while denying file transfers and web browsing.
An extended ACL built to filter on source and destination addresses, and protocol and port numbers. In this example, the ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit-deny decision.
Recall that entries in ACLs are processed one after the other, so a 'No' decision does not necessarily equal a 'Deny'. As you go through the logical decision path, note that a 'No' means go to the next entry until all the entries have been tested. Only when all the entries have been processed is the 'Permit' or 'Deny' decision finalized.

Testing for Ports and Services:
The ability to filter on protocol and port number allows you to build very specific extended ACLs. Using the appropriate port number, you can specify an application by configuring either the port number or the name of a well-known port.
An administrator specifies a TCP or UDP port number by placing it at the end of the extended ACL statement. Logical operations can be used, such as equal (eq), not equal (neq), greater than (gt), and less than (lt).
To generate a list of port numbers and keywords you can use while building an ACL using the R1(config)#access-list 101 permit tcp any eq ? command.

Configuring Extended ACLs:
The procedural steps for configuring extended ACLs are the same as for standard ACLs-you first create the extended ACL and then activate it on an interface. However, the command syntax and parameters are more complex to support the additional features provided by extended ACLs.
Suppose the network administrator needs to restrict Internet access to allow only website browsing. ACL 103 applies to traffic leaving the 192.168.10.0 network, and ACL 104 to traffic coming into the network.
ACL 103 accomplishes the first part of the requirement. It allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only.
The nature of HTTP requires that traffic flow back into the network, but the network administrator wants to restrict that traffic to HTTP exchanges from requested websites. The security solution must deny any other traffic coming into the network. ACL 104 does that by blocking all incoming traffic, except for the established connections. HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages.
This parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to return inbound on the s0/0/0. A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection. Without the established parameter in the ACL statement, clients could send traffic to a web server, but would not receive traffic from the web server.

Applying Extended ACLs To Interface:
Let us learn how to configure an extended access list by building on the previous example. Recall that we want to allow users to browse both insecure and secure websites. First consider whether the traffic you want to filter is going in or out. Trying to access websites on the Internet is traffic going out. Receiving e-mails from the Internet is traffic coming into the business. However, when considering how to apply an ACL to an interface, in and out take on different meanings depending on the point of view.
Suppose Router R1 has two interfaces. It has a serial port, S0/0/0, and a Fast Ethernet port, Fa0/0. The Internet traffic coming in is going in the S0/0/0 interface, but is going out the Fa0/0 interface to reach PC1. The example applies the ACL to the serial interface in both directions.
This is an example of denying FTP traffic from subnet 192.168.11.0 going to subnet 192.168.10.0, but permitting all other traffic. Note the use of wildcard masks and the explicit deny all. Remember that FTP requires ports 20 and 21, therefore you need to specify both eq 20 and eq 21 to deny FTP.
With extended ACLs, you can choose to use port numbers as in the example, or to call out a well-known port by name. In an earlier example of an extended ACL, the statements were written as follows:
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp
access-list 114 permit tcp 192.168.20.0 0.0.0.255 any eq ftp-data
Note that for FTP, both ftp and ftp-data need to be mentioned.
This example denies Telnet traffic from 192.168.11.0 going out interface Fa0/0, but allows all other IP traffic from any other source to any destination out Fa0/0. Note the use of the any keywords, meaning from anywhere going to anywhere.

Creating Named Extended ACLs:
You can create named extended ACLs in essentially the same way you created named standard ACLs. The commands to create a named ACL are different for standard and extended ACLs.
Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names.
Step 1. Starting in the global configuration mode, use the ip access-list extendedname command to define a named extended ACL.
Step 2. In named ACL configuration mode, specify the conditions you want to allow or deny.
Step 3. Return to privileged EXEC mode and verify your ACL with the show access-lists [number | name] command.
Step 4. As an option and recommended step, save your entries in the configuration file with the copy running-config startup-config command.
To remove a named extended ACL, use the no ip access-list extended name global configuration command.
Extended ACLs are router configuration scripts that control whether a router permits or denies packets based on their source or destination address as well as protocols or ports. Extended ACLs provide more flexibility and granularity than standard ACLs. This activity focuses on defining filtering criteria, configuring extended ACLs, applying ACLs to router interfaces, and verifying and testing the ACL implementation.

0 comments:

Post a Comment

 

NBA Live Streaming. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com | Distributed by Blogger Templates Blog