A "versatile" network tool - Access Control List (ACL)


Perimeter routers, firewalls, and internal routers

In large and medium-sized enterprise networks, perimeter routers, internal routers, and firewalls are usually configured to implement various security policies.

Internal routers filter data traffic to protected portions of the corporate network to further enhance security through the use of access control lists. Figure 12-1 illustrates where these devices are located.

[Figure 12-1: where perimeter routers, firewalls, and internal routers are located]

I will frequently use the terms trusted network and untrusted network, so it is important to know where they are located in a typical secure network. The demilitarized zone (DMZ) may be global Internet addresses or private addresses, depending on how the firewall is configured. The DMZ typically contains HTTP, DNS, email, and other Internet-related corporate servers.

We know that within a trusted network, a router can be used instead of a virtual local area network (VLAN) and a switch. Multilayer switches have built-in security features and can replace internal routers to provide higher performance in a VLAN architecture.

Here are some ways to use access control lists to protect your internetwork.

Introduction to Access Control Lists

Essentially, an access control list is a set of conditions that classify packets, which is useful when you need to control network data flow. In these cases, access control lists can be used as a decision-making tool. One of the most common and easiest to understand uses of access control lists is to filter out harmful packets to implement security policies. For example, access control lists can be used to make very specific data flow control decisions, allowing only certain hosts to access Web resources on the Internet. By combining multiple access control lists correctly, network administrators can implement almost any security policy they can think of.

Creating an access control list is equivalent to writing a series of if-then statements: if the given conditions are met, take the given measures; if not, do not take any measures and continue to evaluate the next statement. Access control list statements are equivalent to packet filters, which are used to compare and classify packets and take appropriate measures. After creating an access control list, it can be applied to inbound or outbound data flows on any interface. After the access control list is applied to an interface, the router will analyze each packet that traverses the interface in the specified direction and take appropriate measures.

There are some important rules to follow when comparing packets to access control lists.

  • The packet is always compared with each line of the access control list in order: it is compared with the first line first, then the second line, the third line, and so on.
  • The comparison continues until a condition is matched. Once a packet matches a line of the access control list, the action on that line is taken for that packet and no further lines are compared.
  • There is an implicit deny statement at the end of every access control list, which means that a packet that matches no line in the list is discarded.

When using access control lists to filter IP packets, each of the above rules will have far-reaching effects; to create an effective access control list, you must practice for a period of time.

Access control lists are divided into two categories:

  • Standard access control lists only use the source IP address of the packet as a test condition, and all decisions are made based on the source IP address. This means that standard access control lists either allow or deny the entire protocol family; they do not distinguish between IP data flow types (such as Web, Telnet, UDP, etc.).
  • Extended access control lists can check many other fields in the layer 3 and layer 4 headers of IP packets. They can check the source IP address, the destination IP address, the protocol field of the network layer header, and the port number in the transport layer header. This allows extended access lists to make more detailed data flow control decisions.
  • Wait a minute, what about named access control lists? Didn't we say there are only two types? Why are three listed here? Technically, there are only two types, because a named access control list is either standard or extended, not a new type. It is listed separately because the way this kind of access control list is created and referenced differs from numbered standard and extended access control lists, but the function is the same.

After you create an access control list, it does not do anything unless you apply it to an interface. The access control list is indeed included in the router configuration, but it is inactive unless you tell the router what to do with it.

To use an access control list as a packet filter, you need to apply it to the router interface where you want to filter traffic. You must also specify which direction of traffic you want to filter with the access control list, and there is a good reason for this requirement: you may want to apply different controls to traffic going from your corporate network to the Internet than to traffic going from the Internet into your corporate network. By specifying the direction of traffic, you can (and often want to) use different access control lists for inbound and outbound traffic on the same interface.

  • Inbound Access Control List When an access control list is applied to inbound packets, they are processed according to the access control list before being routed to the outbound interface. Denied packets are not routed because they are discarded before the routing process is invoked.
  • Outbound Access Control List When an access control list is applied to an outbound packet, the packet is first routed to the outbound interface and then processed according to the access control list before being queued.

When creating and implementing access control lists on a router, follow some general guidelines:

  • There can be only one access control list per protocol in a specific direction of an interface. This means that when applying IP access control lists, there can be only one inbound access control list and one outbound access control list on each interface.

Note: Given the impact of the implicit deny statement at the end of each access control list, it makes sense not to allow multiple access control lists to be applied to a specific protocol in a specific direction on an interface. Since packets that do not meet any of the conditions in the first access control list will be denied, there will be no packets that need to be compared to the second access control list.

  • In the access control list, put the specific test conditions first.
  • The newly added statement will be placed at the end of the access control list. It is strongly recommended to use a text editor to edit the access control list.
  • You cannot delete just one line in an access control list. If you attempt to do so, the entire access control list will be deleted. To edit an access control list, it is best to copy it into a text editor first. The only exception is when using named access control lists.

NOTE: For named access control lists, specific lines can be edited, added, or deleted, as will be demonstrated later.

  • Unless the access control list ends with the permit any command, packets that do not meet any conditions will be discarded. The access control list should contain at least one permit statement, otherwise it will deny all data flows.
  • After creating an access control list, you should apply it to an interface. If an access control list does not contain any test conditions, it will not filter data traffic even if it is applied to an interface.
  • Access control lists are used to filter data traffic that traverses a router; they do not filter data traffic that originates from the current router.
  • The IP standard access control list should be placed as close to the destination as possible, which is why we do not want to use standard access control lists in the network. You cannot place a standard access control list very close to the source host or source network because it can only filter based on the source address, which will affect all destinations.
  • Place the IP extended access control list as close to the source as possible. Extended access control lists can filter based on very specific addresses and protocols. We don't want data flows to traverse the entire network and be rejected in the end. Placing this access control list as close to the source as possible can filter out data flows at the beginning to prevent them from taking up valuable bandwidth.

Before describing how to configure standard and extended access control lists, let's first discuss how to use ACLs to mitigate the security threats discussed earlier.

Use ACLs to mitigate security threats:

  • IP address spoofing (inbound);
  • IP address spoofing (outbound);
  • Denial of Service (DoS) TCP SYN attack (blocking external attacks);
  • DoS TCP SYN attack (using TCP intercept);
  • DoS smurf attack;
  • Deny/filter ICMP messages (inbound);
  • Deny/filter ICMP messages (outbound);
  • Deny/filter traceroute.

Standard Access Control List

Standard IP access lists filter network traffic by looking at the source IP address of the packet. When creating a standard IP access list, use access list numbers 1 to 99 or 1300 to 1999 (extended range). Numbers are often used to distinguish between types of access lists. Based on the numbers used when creating an access list, the router knows what syntax to use when entering it. Numbers 1 to 99 or 1300 to 1999 tell the router to create a standard IP access list, and the router requires that only the source IP address be used as a test condition.

The following is a list of the many access control list number ranges that can be used to filter network traffic (the protocols for which you can specify access control lists depend on the version of IOS you are using):

Let's look at the syntax for creating a standard access control list:

As mentioned earlier, using access control list numbers 1 to 99 or 1300 to 1999 is equivalent to telling the router that you want to create a standard IP access control list.

After specifying the access control list number, you need to decide whether to create a permit statement or a deny statement. In this example, we create a deny statement:

The next step requires a little more explanation. There are three options to choose from. You can use the parameter any to allow or deny any source host (network), you can use an IP address to specify a single host or a range of hosts, and you can use the command host to specify a specific host. The command any is self-explanatory, it refers to any source address that matches the statement, so every packet matches the statement. The command host is relatively simple, here is an example of using it:

This statement denies any packets from 172.16.30.2. The default parameter is host. In other words, if you enter access-list 10 deny 172.16.30.2, the router will think you entered access-list 10 deny host 172.16.30.2 and display it as such in the running configuration. But there is another way to specify a specific host or a specific range of hosts: using a wildcard mask. In fact, to specify any range of hosts, you must use a wildcard mask in the access control list. What is a wildcard mask? I will introduce it later!

Wildcard Mask

In an access control list, you can use wildcards to specify a specific host, a specific network, or a portion of a network. To understand wildcards, you must understand block sizes, which are used to specify address ranges. Block sizes include 64, 32, 16, 8, and 4.

When you need to specify an address range, use the smallest block size that meets your needs. For example, if you need to specify 34 networks, you need to use a block size of 64; if you need to specify 18 hosts, you need to use a block size of 32; if you only need to specify 2 networks, you can use a block size of 4.

By combining wildcards with host (network) addresses, you tell the router the address range to filter. To specify a host, you can use a combination similar to the following:

  172.16.30.5 0.0.0.0

Each of the four 0s corresponds to one byte (octet) of the address. A 0 means that the corresponding byte of the packet's address must be identical to the specified address. To specify that a byte can have any value, use 255. For example, the following shows how to use a wildcard mask to specify a /24 subnet:

  172.16.30.0 0.0.0.255

This tells the router that the first 3 bytes must be identical, but the 4th byte can be any value.

That's easy enough. But what if you want to specify a smaller range of subnets? That's where the block size comes in handy. The range you specify must be the same as one of the block sizes, in other words, you can't specify 20 networks, you can only specify a range that's the same as the block size, which is either 16 or 32, but not 20.

Suppose you want to prevent a portion of the network (i.e., 172.16.8.0 to 172.16.15.0) from accessing your network. The block size corresponding to this range is 8, so in the access control list, you should specify the network number 172.16.8.0 and the wildcard mask 0.0.7.255. What does this mean? The router determines the block size based on 7.255. The above network number and wildcard mask combination tells the router to start at 172.16.8.0 and count up 8 (block size) networks until you reach network 172.16.15.0.

This is easier than it looks. I could have explained this in binary, but I don't need to. In fact, just remember that the wildcard mask is always 1 less than the block size. For this example, the wildcard mask is 7 because the block size is 8. If you used a block size of 16, the wildcard mask would be 15. Easy, isn't it?

Here are some examples to help you understand this. The following example tells the router that the first 3 bytes must be exactly the same, but the 4th byte can be any value:

  Corp(config)#access-list 10 deny 172.16.30.0 0.0.0.255

The following example tells the router that the first 2 bytes must be exactly the same, but the last 2 bytes can be any value:

  Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Please try to configure the following line:

  Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. Therefore, the range is 172.16.16.0 to 172.16.19.255 (CCNA exam questions are similar to this).

Let's continue practicing. What does the following configuration mean?

  Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255

This statement says, starting from network 172.16.16.0, count up 8 (block size) networks, ending at 172.16.23.255. To master this knowledge, you need to do more practice. What range does the following statement specify?

  Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255

This statement says, starting at network 172.16.32.0, count up 16 (the block size) networks, ending at 172.16.47.255.

Let's do a few more exercises and then configure some ACLs.

  Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255

This statement states, starting at network 172.16.64.0, count up 64 (the block size) networks, ending at 172.16.127.255.

Let’s look at one final example:

  Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255

This statement states, starting from network 192.168.160.0, count up 32 (the block size) networks, ending at 192.168.191.255.

There are two more things to keep in mind when determining block sizes and wildcard masks:

  • The starting position must be 0 or an integer multiple of the block size. For example, when the block size is 8, the starting position cannot be 12. The range must be 0~7, 8~15, 16~23, etc. When the block size is 32, the range must be 0~31, 32~63, 64~95, etc.
  • The any command is equivalent to 0.0.0.0 255.255.255.255.

Note: The wildcard mask is very important for creating IP access control lists and must be mastered. Its usage is exactly the same in standard and extended IP access control lists.
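The block-size and wildcard-mask rules above can be checked mechanically. The following Python helpers are an added example (not code from the original article): they derive the wildcard from a block size or a prefix, expand a `network wildcard` pair into the address range it covers, enforce the rule that the starting network must be 0 or a multiple of the block size, and test whether a given address matches a `network wildcard` pair the same way the router does (bits under a 0 must match, bits under a 1 are ignored). The inputs in the `__main__` section are the article's own practice statements.

```python
# Added example (not from the article): wildcard-mask arithmetic for
# standard/extended IP ACLs, using the article's practice statements as input.
import ipaddress

FULL = 0xFFFFFFFF  # 32 one-bits; XOR with a wildcard gives the "care" bits


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_for_block(block_size):
    """Wildcard octet value for a block size: always one less than the block
    size (block 8 -> 7, block 16 -> 15). Block sizes must be powers of two."""
    if block_size < 1 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two (4, 8, 16, 32, 64 ...)")
    return block_size - 1


def wildcard_from_prefix(cidr):
    """Wildcard mask for a prefix, e.g. '172.16.30.0/24' -> '0.0.0.255'.
    The ipaddress module calls this the hostmask (inverse of the subnet mask)."""
    return str(ipaddress.IPv4Network(cidr, strict=False).hostmask)


def acl_range(network, wildcard):
    """First and last address matched by 'network wildcard'.
    Raises if the network is not aligned to the block: the start must be 0 or
    a multiple of the block size, so no network bit may be set where the
    wildcard has a 1 (172.16.12.0 0.0.7.255 is invalid, 172.16.8.0 is fine)."""
    net, wc = _to_int(network), _to_int(wildcard)
    if net & wc:
        raise ValueError(f"{network} is not aligned to wildcard {wildcard}")
    return _to_str(net), _to_str(net | wc)


def matches(address, network, wildcard):
    """True if address satisfies 'network wildcard': every bit where the
    wildcard is 0 must equal the network bit; bits where it is 1 are ignored.
    'host X' is 'X 0.0.0.0'; 'any' is '0.0.0.0 255.255.255.255'."""
    care = FULL ^ _to_int(wildcard)
    return (_to_int(address) ^ _to_int(network)) & care == 0


if __name__ == "__main__":
    practice = [("172.16.16.0", "0.0.3.255"), ("172.16.16.0", "0.0.7.255"),
                ("172.16.32.0", "0.0.15.255"), ("172.16.64.0", "0.0.63.255"),
                ("192.168.160.0", "0.0.31.255")]
    for net, wc in practice:
        lo, hi = acl_range(net, wc)
        print(f"{net} {wc} -> {lo} to {hi}")
    print("block 8 -> wildcard", wildcard_for_block(8))
    print("/22 -> wildcard", wildcard_from_prefix("172.16.16.0/22"))
```

`acl_range` is the check to run before typing a statement into a router: a misaligned start such as `172.16.12.0 0.0.7.255` would silently match 172.16.8.0 through 172.16.15.255 on a real device, so catching it beforehand avoids filtering the wrong networks.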

Standard Access Control List Example

In Figure 12-2, the router has three LAN connections and one WAN connection to the Internet. Users on the Sales LAN should not be allowed to access the Finance LAN, but they should be allowed to access the Internet and the Marketing department's files. Users in the Marketing department need to be able to access the Finance LAN to use its application services.

On the router in the figure, configure the following standard IP access control list:

The command any is equivalent to 0.0.0.0 255.255.255.255, as shown below:

  Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

This wildcard mask indicates that no bytes are to be considered, so all addresses satisfy this test condition. This is equivalent to using the keyword any.

Currently, this access control list prohibits any packets from the Sales LAN from entering the Finance LAN, but allows all other packets in. Remember, an access control list will not have any effect unless it is applied to a specific direction on an interface.

Where should the access control list be placed? If it is applied as an inbound access control list to interface fa0/0, you might as well shut down that Fast Ethernet interface, because all devices on the Sales LAN would be prevented from accessing any network connected to this router. The best option is to apply it as an outbound access control list to interface fa0/1:

  Lab_A(config)#int fa0/1
  Lab_A(config-if)#ip access-group 10 out

This completely prohibits data traffic from 172.16.40.0 from being transmitted out of interface fa0/1. It does not affect hosts on the Sales LAN accessing the Marketing LAN and the Internet, because data traffic to these destinations does not pass through interface fa0/1. Any packet trying to go out of interface fa0/1 will first pass through this access control list. If an inbound access control list is applied to interface fa0/0, any packet trying to enter the interface will first pass through this access control list before being routed to the outbound interface.

Let's look at another standard access control list example. In the internetwork shown in Figure 12-3, there are two routers, three LANs, and one serial WAN connection.

You want to prevent users in the Finance Department from accessing the HR server connected to router Lab_B, but allow other users to access the LAN by using a standard ACL. What kind of standard access control list should you create? Where should you place it?

The correct answer is that you should create an extended access control list and place it as close to the source as possible, but here you are asked to use a standard access control list. As a rule of thumb, a standard access control list should be placed as close to the destination as possible, which is interface E0 of router Lab_B. Here is the access control list that should be configured on router Lab_B:

To answer this question, you must understand subnetting, wildcard masks, and how to configure and implement ACLs. I think you need to do more practice in this area.

Therefore, before we introduce how to restrict Telnet access to a router, let's look at a standard access control list example that requires you to think more deeply. In Figure 12-4, a router has four LAN connections and one WAN connection to the Internet.

Write an access control list to prevent the four LANs shown in the figure from accessing the Internet. For each LAN in the figure, list the IP address of one of the hosts, and use this to determine the subnet address and wildcard mask that should be used when specifying each LAN in the access control list.

The answer should be similar to the following (again specifying the subnet to which E0~E3 are connected):

Of course, you can also just use the following line:

  Router(config)#access-list 1 deny 172.16.0.0 0.0.255.255

But what’s the point of doing this?

What is the purpose of creating this access control list? If this access control list is applied on the router, it is equivalent to completely prohibiting access to the Internet. Then what is the point of Internet connection? This example is provided here to let you practice using block size in access control lists, which is crucial for your preparation for CCNA.

Controlling VTY (Telnet/SSH) access

For large routers, it may be difficult to prohibit users from accessing them via Telnet or SSH, because every active interface allows VTY access. You could create an extended IP access control list that denies access to each of the router's addresses, but if you did, you would have to apply it inbound on every interface. For large routers with dozens or even hundreds of interfaces, this solution does not scale. In addition, if every router checked every packet to keep it away from the VTY lines, the resulting network delay would be very large.

A much better solution is to use standard IP access control lists to control access to the VTY lines.

Why does this solution work? Because when you apply access control lists to VTY lines, you don't need to specify a protocol—accessing a VTY means accessing a terminal via Telnet or SSH. You also don't need to specify a destination address, because you don't care which interface the user uses as the destination for their Telnet session. You only need to control where the user is coming from—their source IP address. To implement this feature, follow these steps:

  • Create a standard IP access control list that allows only the hosts you want to remotely log into the router.
  • Run the access-class in command to apply the access control list to the VTY line.

The following example allows only the host 172.16.10.3 to remotely log in to the router:

  Lab_A(config)#access-list 50 permit host 172.16.10.3
  Lab_A(config)#line vty 0 4
  Lab_A(config-line)#access-class 50 in

Because there is an implicit deny any statement at the end of the access control list, no host other than 172.16.10.3 can telnet to the router, regardless of which IP address of the router it uses as the destination. You might want to specify the source address as the subnet to which the administrator belongs, rather than as a single host; but the following example shows how to secure the VTY lines without adding latency to the router.
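To see the processing rules from the start of this article (top-down comparison, first match wins, implicit deny at the end) act on real statements, here is an added Python example, not code from the article or from Cisco: a small evaluator for standard IP access lists. It parses `access-list N permit|deny <source>` lines (`any`, `host A.B.C.D`, `A.B.C.D W.W.W.W`, or a bare address, which IOS treats as `host`), walks a list in order for a given source address, and also flags entries that can never match because an earlier, broader entry already covers them (the "put specific test conditions first" guideline). The two lists it evaluates are constructed from this article's scenarios: ACL 10 is the Figure 12-2 list, which the article describes but does not print, so the exact statements (`deny 172.16.40.0 0.0.0.255` followed by `permit any`) are an assumption; ACL 50 is the VTY list shown just above.

```python
# Added example (not from the article): first-match evaluator for standard
# IP ACLs, demonstrating top-down matching, the implicit deny, the need for a
# permit statement, and detection of entries shadowed by earlier broad ones.
import ipaddress
from dataclasses import dataclass

FULL = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    network: str    # dotted quad
    wildcard: str   # dotted quad: 0 bits must match, 1 bits are ignored


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source>' lines. <source> may be 'any',
    'host A.B.C.D', 'A.B.C.D W.W.W.W', or a bare address (treated as host)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            entries.append(Entry(action, "0.0.0.0", "255.255.255.255"))
        elif src[0] == "host":
            entries.append(Entry(action, src[1], "0.0.0.0"))
        elif len(src) == 1:
            entries.append(Entry(action, src[0], "0.0.0.0"))
        else:
            entries.append(Entry(action, src[0], src[1]))
    return entries


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _matches(address, entry):
    care = FULL ^ _ip(entry.wildcard)
    return (_ip(address) ^ _ip(entry.network)) & care == 0


def evaluate(entries, source):
    """Compare the source address with each entry in order and stop at the
    first match. Returns (action, index); index None means the implicit
    'deny any' at the end of every access list was reached."""
    for i, entry in enumerate(entries):
        if _matches(source, entry):
            return entry.action, i
    return "deny", None


def _covers(a, b):
    """True if every address matched by entry b is also matched by entry a."""
    care_a = FULL ^ _ip(a.wildcard)
    return (_ip(b.wildcard) & care_a) == 0 and \
        ((_ip(a.network) ^ _ip(b.network)) & care_a) == 0


def shadowed_entries(entries):
    """Indexes of entries that can never match because an earlier entry already
    covers all of their addresses (a broad test placed before a specific one)."""
    return [j for j, b in enumerate(entries)
            if any(_covers(a, b) for a in entries[:j])]


# Figure 12-2 scenario, applied outbound on fa0/1 (Finance LAN). The Sales LAN
# is 172.16.40.0 in the article; the /24 wildcard is an assumption.
ACL10 = parse_standard_acl([
    "access-list 10 deny 172.16.40.0 0.0.0.255",
    "access-list 10 permit any",
])

# VTY protection from the article, applied with 'access-class 50 in'.
ACL50 = parse_standard_acl(["access-list 50 permit host 172.16.10.3"])

# The same deny without a permit: because of the implicit deny it blocks everything.
ACL_NO_PERMIT = parse_standard_acl(["access-list 10 deny 172.16.40.0 0.0.0.255"])

if __name__ == "__main__":
    for src in ("172.16.40.7", "172.16.50.7"):
        print("ACL 10 source", src, "->", evaluate(ACL10, src))
    print("ACL 50 from 172.16.10.3 ->", evaluate(ACL50, "172.16.10.3"))
    print("ACL 50 from 172.16.10.4 ->", evaluate(ACL50, "172.16.10.4"))
    print("deny-only list, any source ->", evaluate(ACL_NO_PERMIT, "172.16.50.7"))
    broad_first = parse_standard_acl(["access-list 20 permit any",
                                      "access-list 20 deny host 172.16.30.2"])
    print("shadowed entries in ACL 20:", shadowed_entries(broad_first))
```

The `shadowed_entries` check is the part worth keeping in a toolbox: on a real router a `deny` placed after `permit any` is accepted without complaint and simply never fires, so reviewing lists for unreachable entries before applying them catches the ordering mistake the article warns about.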

Real-world example: Should a router's VTY lines be protected?

While monitoring the network with the command show users, you discover that someone has remotely logged into your core router. You disconnect him from the router with the command disconnect, but discover that he is connected to the router again a few minutes later. Therefore, you want to put an access list on the interfaces of the router, but you don't want to add too much latency to each interface because the router is already processing a lot of packets. You want to apply an access list to the VTY lines themselves, but you have not done this before and wonder if this solution will achieve the same effect as applying an access list to each interface. Is applying an access list to the VTY lines a good idea for this network?

It is definitely a good idea to use the access-class command introduced earlier in this chapter. Why? Because this avoids the need to check every packet entering and leaving the interface with access control lists, which would increase the overhead of routing packets. When the access-class in command is configured on the VTY lines, only Telnet packets entering the router are checked and compared. This provides a perfect and easy to configure security solution.

Note: Cisco recommends using Secure Shell (SSH) rather than Telnet to access the router's VTY lines.
