
Chapter 11: Using Access Control Lists for Threat

Mitigation
I. Access Control List Fundamentals and Benefits
1. Access Lists Aren't Just for Breakfast Anymore
2. Stopping Malicious Traffic with an Access List
3. What Can We Protect Against?
4. The Logic in a Packet-Filtering ACL
5. Standard and Extended Access Lists
6. Line Numbers Inside an Access List
7. Wildcard Masks
8. Object Groups

II. Implementing IPv4 ACLs as Packet Filters

1. Putting the Policy in Place

1. Configure > Router > ACL > ACL Summary
a. This shows whether there are any ACLs in place

2. Click ACL Editor on the left and click Add


3. Input name or number and use the drop down to select standard or extended
4. Keep clicking the Add button to continue to add ACEs

5. Use the Move Up or Move Down buttons to change the order of the ACEs
6. Click OK to add the ACL to the router

7. The following shows how to implement the same policy from the CLI

8. Example 11-1 Using the CLI to Implement an Access List
!adding comments in the form of remarks is helpful in remembering
!what a specific portion of the access list was intended for
R1(config)# access-list 5 remark Block Server1's subnet from reaching Server 3
!the log keyword at the end of an access control entry (ACE) makes the router
!generate syslog messages when that line is matched. The syslog messages can be
!viewed wherever they are sent, such as the logging buffer in memory or a
!syslog server.
R1(config)# access-list 5 deny 11.11.11.0 0.0.0.255 log
!This last line of the access list is critical: it permits any traffic that
!was not previously denied. Without it, the implicit deny at the end of the
!list would drop all other traffic wherever this access list is applied (for
!the direction in which the access list examines the traffic).
!0.0.0.0 255.255.255.255 is the long form of the keyword any.
R1(config)# access-list 5 permit 0.0.0.0 255.255.255.255

9. The top portion of the ACL Editor shows where the ACL is applied (it has not been applied yet)
10. The bottom portion shows the details of each ACE

11. To apply the ACL while editing it, click the Associate button

12. Use the CLI to associate the ACL with an interface

Example 11-2 Using the CLI to Apply the Access List to an Interface
! Move to interface configuration mode
R1(config)# interface GigabitEthernet3/0
! apply the access list with the ip access-group command and the keyword out
! (packets leaving this interface are checked against ACL 5)
R1(config-if)# ip access-group 5 out

13. The other option is to navigate to Configure > Interface Management > Interface and
Connections, edit the properties of the interface, and select the ACL there

14. Let's now start in interface configuration to apply an ACL to the interface and create
it at the same time.
15. Configure > Interface Management > Interface and Connections, click Edit
16. We are applying inbound, so select the Inbound button and create an ACL (this area
allows deleting, creating, and choosing an existing ACL)

17. Create the object group before the ACL that references it


18. Configure > Router > ACL > Object Groups > Network Object Groups, click
Create
19. Add the server IP addresses 22.22.22.22 and 33.33.33.33, name the group, and click
OK.
NOTE There are two main types of object groups: network object groups contain
IP addresses and host names, while service object groups contain ports and
protocols.

20. Using CLI


Example 11-3 Create a Network Object Group
!name the object group, and the type (in this case it's a network
!object group)
R1(config)# object-group network A_Couple_Servers
!add a description if desired
R1(config-network-group)# description Server2 and Server3's host addresses
!and the two hosts that will be identified by this object group
R1(config-network-group)# host 33.33.33.33
R1(config-network-group)# host 22.22.22.22

21. Configure the ACL using the object group


Example 11-4 Using Object Groups as Part of the ACL
!create the named or numbered access list; it must be extended to use object
!groups. In this example we are using a named access list
R1(config)# ip access-list extended IINS_Extended_ACL_Example
!you can add comments to your ACLs with the remark command if desired
R1(config-ext-nacl)# remark This ACL uses object groups
!this entry permits TCP traffic from the 44.44.1.0/24 network if the
!traffic is destined for the two servers identified by the object group,
!and if the destination port is TCP 80 (web services)
!we could add logging with the log keyword at the end of each entry if
!desired
R1(config-ext-nacl)# permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www
!next we deny all the other 44.44.x.x networks, including 44.44.1.0, any further
!traffic to the servers. Because the access list is processed from top to bottom,
!this deny statement comes too late to stop the web traffic already permitted
!by the previous line, which is the desired result.
R1(config-ext-nacl)# deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers
!now we have a permit for all other traffic that was not previously
!matched.
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
!Applying this access list inbound on the correct interface is what puts
!the policy into action
R1(config)# interface GigabitEthernet1/0
R1(config-if)# ip access-group IINS_Extended_ACL_Example in

22. Visit the ACL Editor to see where your ACL is applied
23. Configure > Router > ACL > ACL Editor (You could also visit the ACL Summary
to see an overview)

24. Example 11-5 Monitoring ACLs from the CLI


!the command show access-lists (or show ip access-lists) shows all of the
!ACLs you have configured. If you have access control lists other than
!IPv4 ones, the ip keyword filters the output down to the IP version 4 lists
!at the end of each entry, if there have been matches for that entry, they
!show up inside parentheses
R1# show access-lists
Standard IP access list 5
!notice the sequence numbers starting with 10, and that the
!permit 0.0.0.0 255.255.255.255 entry is displayed as permit any
    10 deny   11.11.11.0, wildcard bits 0.0.0.255 log (3711 matches)
    20 permit any (33 matches)
!the output now shows the next access list, which is the named
!extended access list
Extended IP access list IINS_Extended_ACL_Example
    10 permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www log (7 matches)
    20 deny ip 44.44.0.0 0.0.255.255 object-group A_Couple_Servers log (8 matches)
    30 permit ip any any (4624 matches)
!to view the IP-related information on an interface, use the following
!command; look in its output for whether a filtering ACL is applied and,
!if so, in which direction
R1# show ip int g3/0
GigabitEthernet3/0 is up, line protocol is up
Internet address is 13.0.0.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is 5
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP CEF turbo switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: IPsec or interface ACL checked on pre-encrypted cleartext packets
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled

R1# show ip int g1/0


GigabitEthernet1/0 is up, line protocol is up
Internet address is 12.0.0.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is IINS_Extended_ACL_Example
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP CEF turbo switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Access List, MCI Check
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
R1#

25. clear ip access-list counters resets the match counters, which is useful when troubleshooting


26. The counters increment whether or not you use the log option at the end of an ACE

2. To Log or Not to Log


1. When the log option is used at the end of an ACE, a syslog message is generated the
first time a packet matches that entry; a summary syslog message is then generated
after a waiting period (5 minutes by default) showing the total number of hits during
that period. The ip access-list log-update threshold command changes how many
matches are collected before a message is sent, so logging every packet is possible,
at a cost in CPU and log volume.
2. How to configure the syslog destination:
a. Configure > Router > Logging, click Edit
b. Configure the logging levels and destination

c. Use show logging to view the logs held in router memory


d. Use the following to do the same within CCP
a. Monitor > Router > Logging, display the Syslog tab and scroll through the syslog
messages
b. You can search through the syslog messages and filter by logging level as
well

c. The next tab over is the Firewall Log tab. Here you can view details about denied
connections and, using the drop-down arrow, display either Top Attack Ports or
Top Attackers; both are shown in the lower part of the window.

III. Implementing IPv6 ACLs as Packet Filters


1. IPv6 packet-filtering highlights:
a. Can filter based on source and destination prefix
b. Can filter based on source and destination ports
c. Can filter based on the presence of a next header
d. There is an implicit deny at the end of the ACL, with the exception of neighbor
solicitation (NS) and neighbor advertisement (NA) packets: the implicit entries are
permit icmp any any nd-na and permit icmp any any nd-ns, followed by deny ipv6 any
any. Note that if you include an explicit deny ipv6 any any, the implicit permits
never get a chance to match, so you must explicitly permit NS and NA before your
deny if IPv6 is to function properly.
e. If an empty access list (an access list without any entries, which is really just a
name) is applied to an interface as a filtering access list, it does not deny any
traffic. This is the exact same behavior as IPv4 packet-filtering access lists. It
can happen if a valid access list is applied to an interface and then deleted while
the interface configuration still shows it as applied. In that scenario the access
list filters no traffic; it behaves as if no access list is in force at all.
f. Reflexive and time-based access lists are supported, just as in IOS for IPv4. A
reflexive access list was an early attempt at stateful inspection, using ACLs that
created dynamic entries based on the initial traffic and what the expected return
traffic would look like. The dynamic entries permit the reply traffic in a similar
way to what stateful firewalls do by default today. You learn more about stateful
packet inspection in the upcoming firewall chapters.
g. You can filter on IPv6 extension headers
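The following is an added example, not code from the book or from these notes: a small Python model of the packet-filtering logic covered in the IPv4 section above (wildcard masks, the network object group, top-down first-match processing, and the match counters and log behaviour seen in Example 11-5) and of the IPv6 highlights just listed (the implicit NS/NA permits, the effect of an explicit deny ipv6 any any, and an empty ACL filtering nothing). The Packet and Entry classes, the demo functions and the sample packets are constructed for this example; the addresses and ACL names are the ones used in Examples 11-3 and 11-4.

```python
"""Model of IOS packet-filtering ACL logic: wildcard masks, object groups, top-down
first match, hit counters, the IPv4 implicit deny and the IPv6 implicit neighbor
discovery permits. Added example; packets and results below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

Matcher = Callable[[str], bool]

def wildcard(base: str, wild: str) -> Matcher:
    """IPv4 wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return lambda ip: (int(ipaddress.IPv4Address(ip)) & care) == (b & care)

def object_group(*hosts: str) -> Matcher:
    """Network object group: matches any of its member host addresses."""
    members = {ipaddress.ip_address(h) for h in hosts}
    return lambda ip: ipaddress.ip_address(ip) in members

def any_host(ip: str) -> bool:       # the 'any' keyword (0.0.0.0 255.255.255.255)
    return True

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "nd-ns" / "nd-na" for IPv6 neighbor discovery

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip"/"ipv6" = any L4 protocol, or "tcp"/"udp"/"icmp"
    src: Matcher = any_host
    dst: Matcher = any_host
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    log: bool = False
    matches: int = 0                 # the "(n matches)" counter of show access-lists

    def hit(self, p: Packet) -> bool:
        return (self.proto in ("ip", "ipv6", p.proto)
                and self.src(p.src) and self.dst(p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))

class ACL:
    def __init__(self, name: str, entries: List[Entry], ipv6: bool = False):
        self.name, self.entries, self.syslog = name, entries, []
        # Implicit tail: IPv4 ends with 'deny any'. IPv6 first permits NS and NA so
        # neighbor discovery keeps working, then denies everything else.
        nd = [Entry("permit", "icmp", icmp_type=t) for t in ("nd-ns", "nd-na")]
        self.implicit = (nd if ipv6 else []) + [Entry("deny", "ipv6" if ipv6 else "ip")]

    def evaluate(self, p: Packet) -> str:
        if not self.entries:         # an empty ACL applied to an interface filters nothing
            return "permit"
        for e in self.entries + self.implicit:
            if e.hit(p):
                e.matches += 1       # counters increment with or without 'log'
                if e.log and e.matches == 1:   # IOS logs the first hit at once and
                    self.syslog.append(        # reports later hits in a periodic summary
                        f"list {self.name} {e.action} {p.proto} {p.src} -> {p.dst}")
                return e.action      # first match wins; nothing below is examined
        raise RuntimeError("unreachable: the implicit deny always matches")

    def show(self):
        """Sequence numbers and hit counts, as 'show access-lists' prints them."""
        return [(10 * i, e.action, e.matches) for i, e in enumerate(self.entries, 1)]

def demo_ipv4():
    """Example 11-4's policy: web to the two servers, only from 44.44.1.0/24."""
    servers = object_group("22.22.22.22", "33.33.33.33")
    acl = ACL("IINS_Extended_ACL_Example", [
        Entry("permit", "tcp", wildcard("44.44.1.0", "0.0.0.255"), servers, dport=80),
        Entry("deny", "ip", wildcard("44.44.0.0", "0.0.255.255"), servers, log=True),
        Entry("permit", "ip")])
    packets = [Packet("44.44.1.10", "33.33.33.33", "tcp", dport=80),  # web: line 10
               Packet("44.44.1.10", "33.33.33.33", "tcp", dport=22),  # ssh: line 20
               Packet("44.44.9.7", "22.22.22.22", "tcp", dport=80),   # other /16 host: line 20
               Packet("44.44.9.7", "10.0.0.1", "tcp", dport=80)]      # not a server: line 30
    decisions = [acl.evaluate(p) for p in packets]
    return decisions, acl.show(), len(acl.syslog)

def demo_ipv6(permit_nd_first: bool) -> str:
    """Quiz question 10: an explicit 'deny ipv6 any any' sits above the implicit ND permits."""
    entries = ([Entry("permit", "icmp", icmp_type=t) for t in ("nd-ns", "nd-na")]
               if permit_nd_first else [])
    entries.append(Entry("deny", "ipv6"))
    acl = ACL("V6_FILTER", entries, ipv6=True)
    ns = Packet("fe80::1", "ff02::1:ff00:2", "icmp", icmp_type="nd-ns")
    return acl.evaluate(ns)
```

Compare demo_ipv4() with the hit counts in Example 11-5's show access-lists output: the second and third packets both land on line 20, so its counter reaches 2 while only the first of them produced a syslog line. demo_ipv6(False) returns "deny" for a neighbor solicitation, which is the failure behind quiz question 10: ICMPv6 breaks first. A wildcard such as 0.255.0.255 also shows how one entry matches a whole range of subnets (quiz question 3) without an object group.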

IV. Do I Know This Already? Quiz


Table 11-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section: Questions
Access Control List Fundamentals and Benefits: 1-4
Implementing IPv4 ACLs as Packet Filters: 5-8
Implementing IPv6 ACLs as Packet Filters: 9-10

1. Which of the following are advantages of an extended access list over a standard
access list when used for packet filtering?
a. It can filter based on source address
b. It can filter based on destination address
c. It can filter based on application layer information
d. Logging can be performed
2. What method is used to indicate that a portion of an IP address in the source packet
does not need to be compared to an access list entry?
a. Subnet mask
b. Mask
c. Wildcard mask
d. Full IP address required
3. What technique enables you to match on a range of subnets using a single access list
entry, without using object groups?
a. Wildcard mask, so that matches are done only for the summary of those
networks
b. Reflexive ACLs
c. Time-based ACLs
d. Extended named ACLs
4. What happens when an access list has 100 lines and a match occurs on line 14?
a. Lines 15 through 100 are parsed as a group object
b. The ACL acts on the packet, and no further list processing is done for that packet
c. The ACL is processed all the way through line 100, to see whether there is a
more strict policy that should be applied
d. There cannot be a line 14 because the only lines permitted start with 10 and
increment by 10
5. Which of the following are valid options for creating and applying ACLs in CCP?
(Choose all that apply.)
a. Use the ACL Editor
b. Go to Interface Configuration
c. Use the ACL Wizard from the Tools menu
d. ACLs may be created in CCP, but they have to be applied using the CLI

6. What is the benefit of a network object group as it relates to access lists?


a. A single object group, that contains many hosts, can simplify the implementation
of an ACL
b. Object groups refer only to services such as TCP or UDP ports
c. Object groups can be used as an alternative to ACLs
d. Network object groups, when implemented, use less CPU and resources from the
router when implementing access controls that contain them
7. Which one of the following is probably the single most significant benefit of
managing existing ACLs using CCP rather than via the command line?
a. Applying access lists to interfaces
b. Creating brand-new access lists
c. Looking at hit counts on the access list entries
d. Rearranging the order of the access list entries
8. What does the log keyword do when added at the end of an access list entry?
a. It sends an SNMP message
b. It sends an SDEE message
c. It generates a syslog message
d. It causes hit counts to be displayed when viewing access lists
9. With IPv6, what is significantly different about applying a packet filter to an
interface compared to IPv4?
a. The syntax is the same at the interface
b. You do not use the keywords for in and out
c. You use the command ipv6 access-list rather than access-group
d. You use the command traffic-filter instead of access-group
10. If you accidentally implement an IPv6 filtering policy that explicitly denies all
inbound IPv6 traffic, which protocol in the IPv6 suite will most likely cause a failure
in the network first?
a. IPv6 ICMP
b. IPv6 UDP
c. IPv6 TCP
d. Impossible to implement a deny any any statement in IPv6 ACLs

V. Review All the Key Topics


Table 11-4 Key Topics
Key Topic Element: Description (Page Number)
Text: What can we protect against? (240)
Text: The logic in a packet-filtering ACL (241)
Table 11-3: Standard ACLs versus extended ACLs (243)
Text: Wildcard masks (244)
Text: Object groups (244)
Example 11-1: Using the CLI to implement an access list (248)
Example 11-2: Using the CLI to apply the access list to an interface (249)
Example 11-3: Using the CLI to create a network object group (253)
Example 11-4: Using object groups as part of the ACL (253)
Figure 11-11: Verifying the details of the ACLs (254)
Example 11-6: Creating an IPv6 access list and applying it as a filter (261)

VI. Complete the Tables and Lists from Memory


Table 11-4 Advantages and Disadvantages of Internal or External CAs
Application/Task: External CA / Internal CA

Certificate generation and deployment
External CA: The responsibility for certificate generation and deployment is down to the external CA
Internal CA: The responsibility for certificate generation and deployment is down to the internal CA

Certificate trust
External CA: External certificates are automatically trusted by common Internet browsers and generally trusted by partners/guests
Internal CA: Internal certificates are generally not accepted by partners or guests to a company. Browser trust depends on internal root CA certificates being imported

Cost
External CA: A cost is usually involved per certificate file generated unless bulk deployment packages are available
Internal CA: There is no per-certificate cost for certificate generation when using an internal CA

Scalability/future growth
External CA: External CAs are usually worldwide trusted authorities with all necessary resources in place to manage multiple or a larger number of certificate requests
Internal CA: Cost might be an issue when expanding an internal CA deployment because additional servers might have to be purchased. New root CA certificates must be imported into all client browsers

Available resources
External CA: External CAs are experts in their field and employ key staff for the purpose of certificate generation/management
Internal CA: In-house staff might need to undergo training, or new staff might need to be employed because of a rise in workload (depending on the size of your deployment)

Manageability/flexibility
External CA: We are limited in what we can or cannot achieve, and in the speed of deployment, with external CAs because they are a separate company in their own right
Internal CA: We have the flexibility with an internal CA deployment to scale up or down to meet our needs at our own pace and in our own timeframe

Integration
External CA: External CAs are usually only used for certificate generation and authentication and cannot be integrated into other internal applications or deployments
Internal CA: Internal CAs, depending on your deployment, may be used for other purposes or integrated with third-party databases or products (for example, Microsoft's Active Directory)

Table 11-5 CA Server Configuration Fields and Values
Field: Value

Enable/Disable: Disabled by default. Must be in this state if you need to make changes to any of the configuration values.
Passphrase: Mandatory field used to enter the password for the local CA keystore. The passphrase must be at least 7 characters in length.
Issuer Name: Enter the hostname or IP address you want to be used for the issuer value in any certificates generated. By default, this is the ASA IP address or hostname (where configured).
CA Server Key Size: Enter the minimum key size the server will use (512, 768, 1024, or 2048 bits, default 1024). The 512 and 768 bit options are far too weak for any current use and 1024 is deprecated; choose 2048.
Client Key Size: Enter the minimum key size used by clients (512, 768, 1024, or 2048 bits, default 1024). The same caution applies.
CA Certificate Lifetime: Enter the lifetime of the local CA root certificate file (default 3650 days).
Client Certificate Lifetime: Enter the lifetime of issued client certificate files (default 365 days).
SMTP Server Name/IP Address: Enter the name or IP address of the SMTP server used to send enrollment invitations through.
From Address: Enter the email address you want to send enrollment invitations from (default admin@asa-domain-name).
Subject: Enter the subject for enrollment certificate emails (default Certificate Enrollment Invitation).
CRL Distribution Point URL: Default http://ASA-Hostname/+CSCOCA+/asa_ca.crl.
Publish-CRL Interface and Port: Enter the interface and port to use for CRL publishing.
CRL Lifetime: Enter the lifetime for the CRL (default 6 hours).
Database Storage Location: Enter the path and filename of the database stored on the ASA flash.
Default Subject Name: Enter the default subject name to be used in issued certificates and appended to the user name.
Enrollment Period: Enter the time period for enrollment purposes (default 24 hours).
One Time Password Expiration: Default 72 hours.
Certificate Expiration Reminder: Enter the value in days used to mark the reminder value for emails sent to certificate owners about expiration deadlines (default 14 days).

Table 11-3 Standard ACLs Versus Extended ACLs
Item: Standard ACL / Extended ACL

Numeric range
Standard ACL: 1-99, 1300-1999
Extended ACL: 100-199, 2000-2699

Option for using names for the ACL instead of numbers
Standard ACL: Yes
Extended ACL: Yes

What they can match on
Standard ACL: Source IP only of the packet being compared to the list
Extended ACL: Source or destination IP, plus most Layer 4 protocols, including items in the Layer 4 header of the packet being compared

Where to place
Standard ACL: Unfortunately, these need to be placed relatively close to the destination, because a standard ACL matches on source only and, placed near the source, would deny that host's traffic to every destination beyond it. Applying
Extended ACL: Because the extended ACL has the granularity of matching on a specific source and destination, you can place these very close to the source of the host that is generating the packet; it will only deny the traffic to the specific destination and will not cause a loss of service to other destinations that are still being permitted

VII. Define Key Terms


1. packet filtering
2. spoofed address
3. SYN-flood attack
4. standard/extended ACL
5. numbered/named ACL

VIII. Command Reference to Check Your Memory


Table 11-5 Command Reference
Command: Description

ipv6 traffic-filter BOGUS_SOURCE_FILTER in: Apply the named IPv6 ACL inbound, in interface configuration mode (IPv6 uses traffic-filter where IPv4 uses ip access-group)
object-group network A_Couple_Servers: Create a named network object group and move to object group configuration mode
permit tcp 44.44.1.0 0.0.0.255 object-group A_Couple_Servers eq www: Permit TCP traffic from any host whose IP address begins with 44.44.1 to any host that is a member of the object group, if the destination TCP port is 80 (www)
ip access-group IINS_Extended_ACL_Example in: Apply the named IPv4 access list inbound, in interface configuration mode