Cisco Network Security Little Black Book - Joe Harris.pdf

 

Keyword   Description
ahp       Authentication Header Protocol
eigrp     Cisco Systems Enhanced Interior Gateway Routing Protocol
esp       Encapsulated Security Payload
gre       Cisco Systems Generic Route Encapsulation Tunneling
icmp      Internet Control Message Protocol
igmp      Internet Gateway Message Protocol
igrp      Cisco Systems Interior Gateway Routing Protocol
ip        Any Internet Protocol
ipinip    IP in IP Tunneling
nos       KA9Q NOS Compatible IP over IP Tunneling
ospf      Open Shortest Path First Routing Protocol
pcp       Payload Compression Protocol
pim       Protocol Independent Multicast
tcp       Transmission Control Protocol
udp       User Datagram Protocol

Extended access lists should be placed as close to the source as possible, in part because of their capability to filter packets using a finer granularity of controls. This also prevents wasting unnecessary bandwidth and processing power on packets that are to be dropped anyway.
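As an added example (not taken from the book or from Cisco), the following configuration uses several of the protocol keywords from the table above in extended named access lists and applies each list inbound on the interface nearest the traffic source, as the paragraph recommends. All addresses, interface names and list names are assumptions chosen for illustration.

```cisco
! Added example, not from the book. Addresses, interfaces and list names
! are assumptions (documentation ranges 10.1.1.0/24, 198.51.100.0/30, 203.0.113.0/24).
!
! Filter for traffic leaving the user LAN. Applied inbound on the LAN
! interface, so unwanted packets are dropped before they cross the router.
ip access-list extended FROM-LAN
 remark User LAN may resolve names only against the corporate resolver
 permit udp 10.1.1.0 0.0.0.255 host 10.1.2.53 eq domain
 remark Web access to the Internet
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 remark Ping probes only, no other ICMP types
 permit icmp 10.1.1.0 0.0.0.255 any echo
 deny ip any any log
!
! Filter for traffic arriving from the WAN peer. The non-TCP/UDP keywords
! identify the IPSec (ahp, esp), tunnel (gre) and routing (ospf) protocols
! that this one peer is allowed to send to the router.
ip access-list extended FROM-WAN
 remark IPSec from the VPN peer: AH, ESP and ISAKMP key exchange
 permit ahp host 203.0.113.1 host 198.51.100.1
 permit esp host 203.0.113.1 host 198.51.100.1
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 remark GRE tunnel and OSPF adjacency with the directly connected router
 permit gre host 203.0.113.1 host 198.51.100.1
 permit ospf host 198.51.100.2 any
 remark Replies to LAN sessions; "established" is stateless, reflexive lists track sessions
 permit tcp any 10.1.1.0 0.0.0.255 established
 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
 deny ip any any log
!
interface FastEthernet0/0
 description User LAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group FROM-LAN in
!
interface Serial0/0
 description WAN link
 ip address 198.51.100.1 255.255.255.252
 ip access-group FROM-WAN in
```

The final `deny ip any any log` on each list restates the implicit deny so that dropped packets are logged; `show access-lists` shows per-entry match counters, which is the quickest way to confirm that the keyword entries (for example `ahp` and `esp`) are actually matching the peer's traffic.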

Reflexive Access Lists

For another form of security, you can use reflexive access lists. Based on session parameters, they permit IP packets for sessions that originate from within a network but deny packets that originate from outside your network.

Using reflexive access lists is commonly referred to as session filtering. Reflexive access lists are most often configured on routers that border two different networks. They provide a certain level of security against spoofing and denial-of-service (DoS) attacks. You would typically implement reflexive access lists on a customer edge Internet router or firewall router.

Reflexive access lists share many of the features that normal access lists possess. Rules are created and evaluated in a sequential order until a match occurs, at which time no further entry evaluation takes place. There are also some differences between a reflexive access list and a normal access list. Reflexive access lists use a feature referred to as "nesting," meaning you can place them within another named extended access list. Reflexive access lists do not have an implicit deny any statement at the end of the list configuration, and the access list entries are created on a temporary basis.

Fundamentals of Reflexive Access Lists

Reflexive access lists are triggered when an IP packet is sent from within the inside secure network to an external destination network. If this packet is the first in the session, a temporary access list entry is created. This entry will permit or deny traffic to enter back into the network if the traffic received on the interface is deemed to be part of the original session created from within the inside network; it will deny all other traffic that is not part of the original session. Figure 7.2 details the operation of reflexive access lists.

Figure 7.2: Example of traffic initiated on an internal network with reflexive access lists configured.

After the session has completed, the temporary access list entry is removed. If the session was opened with a TCP packet, two methods are used to tear it down. The first method tears down the session 5 seconds after two set FIN bits are detected, or upon detection of a packet with the RST bit set. The second method tears down the session if no packets for that session have been detected within a configurable timeout period. Because UDP is a connectionless protocol that does not maintain session state, if the session was opened with a UDP packet (or with another protocol with similar characteristics), the session is torn down when no packets for the session have been detected within a configurable timeout period. Reflexive access lists can be configured on internal interfaces or external interfaces.
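The mechanism just described can be configured as follows. This is an added example, not the book's own configuration or the one behind Figure 7.2; the interface, addresses, list names and timeout values are assumptions.

```cisco
! Added example, not from the book. Interface, addresses, list names and
! timeouts are assumptions.
!
! Outbound list on the external interface. Each permitted outbound packet
! that starts a session creates a temporary, mirrored entry (source and
! destination addresses and ports swapped) in the reflexive list INSIDE-SESSIONS.
! The per-entry "timeout" is the idle timeout in seconds.
ip access-list extended OUTBOUND-FILTER
 permit tcp 10.1.1.0 0.0.0.255 any reflect INSIDE-SESSIONS timeout 300
 permit udp 10.1.1.0 0.0.0.255 any reflect INSIDE-SESSIONS timeout 60
 permit icmp 10.1.1.0 0.0.0.255 any reflect INSIDE-SESSIONS
 deny ip any any log
!
! Inbound list on the same interface. "evaluate" nests the temporary
! entries at this point in the list. Since a reflexive list has no
! implicit deny of its own, anything not matched by a temporary entry
! falls through to the explicit deny below.
ip access-list extended INBOUND-FILTER
 remark ICMP errors come from intermediate routers, so no reflexive entry matches them
 permit icmp any 10.1.1.0 0.0.0.255 unreachable
 evaluate INSIDE-SESSIONS
 deny ip any any log
!
! Default idle timeout (seconds) for reflect statements that set none,
! here the ICMP entry. TCP entries are additionally removed 5 seconds
! after the FIN exchange or on a RST, independent of this timer.
ip reflexive-list timeout 120
!
interface Serial0/0
 description Link to the ISP (external interface)
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
```

While a session is open, `show access-lists` lists the temporary entries under the reflexive list name with their remaining time; once the FIN/RST teardown or the idle timer fires they disappear, and any further packets from the outside peer are counted against the logged deny.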

Dynamic Access Lists

Dynamic access lists, commonly referred to as Lock and Key security, are a form of traffic filtering that lets IP traffic from external users, which the router would normally block, pass through the router temporarily so that it can reach its final destination. For this to happen, a user must first telnet to the router. The dynamic access list then attempts to authenticate the user. If the credentials the user supplies during the authentication phase are correct, the user is disconnected from her Telnet session and the access list dynamically reconfigures the existing access list on the interface so that the user is allowed temporary access through the router. After a specified timeout period (either an idle timeout period or an absolute timeout period), the access list reconfigures the interface so that it returns to its original state.

Note After the user passes the authentication phase, the dynamic access list creates a temporary opening in the router by reconfiguring the interface to allow access through the router. This can potentially allow a user to spoof the source address of the legitimate user and gain unauthorized access into the internal network. IPSec termination at the router performing Lock and Key security is recommended.

Typically, you would configure dynamic access lists when you want a specific remote host or a subset of remote hosts to be allowed access to a host or a subset of hosts within your network. This can take place via the Internet or through dedicated circuits between your network and the remote network. Dynamic access lists are also configured when you want a host or a subset of hosts within your network to gain access to a remote host or subset of remote hosts protected with a firewall.

As mentioned earlier, in order for the user to gain access through the router, she first must pass the authentication phase. Authentication can take many forms, but the most commonly used are maintaining a local user database within the router or performing authentication from a central security server such as a TACACS+ or RADIUS server. The central security server method of authentication is recommended. Dynamic access lists make use of the autocommand and the access-enable commands; these commands allow the creation of the temporary access list. There are some caveats to configuring dynamic access lists:

You can configure only one dynamic access list for each access list.

You cannot associate a dynamic access list to more than one access list.

An idle timeout or an absolute timeout must be configured. The idle timeout is defined within the autocommand command, and the absolute timeout is configured within the access-list command. If neither is configured, the temporary access entry will remain indefinitely and must be cleared manually. The idle timeout value must be less than the absolute timeout value.

Fundamentals of Lock and Key Security

Figure 7.3: Example of Host B accessing Host A through Router A configured with dynamic access lists.

Figure 7.3 details the steps involved when a host on an outside network would like to gain authorized access to a host behind a router configured with Lock and Key security. Host B would like to access Host A behind the perimeter router, Router A, but first must be authenticated using Lock and Key security. The steps are as follows:

1. Host B opens a Telnet session to the virtual terminal port of Router A.

2. Router A receives the Telnet request and opens a Telnet session with Host B.

3. Depending on the authentication method Router A is configured to perform, Router A asks Host B to provide the proper authentication credentials (configured on a security access server or within the local authentication database).

4. After Host B passes the authentication phase, Router A logs Host B out of the Telnet session. At this time Router A creates a temporary access list entry within the dynamic access list.

5. Host B now has a dynamic access list entry within Router A, allowing access to Host A.

6. Finally, Router A will delete the temporary access entry after the configured idle timeout period or absolute timeout period is reached.
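An added example, not the book's own, of a Router A configuration that satisfies the caveats listed earlier (one dynamic entry per list, idle timeout in the autocommand, absolute timeout in the access-list command, idle shorter than absolute) and walks through the six steps above. Addresses, names, the username and the timeout values are assumptions, and the secret is a placeholder to be replaced.

```cisco
! Added example, not from the book. Addresses, names and timeouts are
! assumptions; EXAMPLE-SECRET-REPLACE is a placeholder, not a real secret.
!
! Step 3: Router A authenticates Host B against the local user database.
! The autocommand runs after a successful login (step 4): it creates the
! temporary entry and then closes the Telnet session. "host" restricts the
! entry to the address Host B logged in from; "timeout 10" is the idle
! timeout in minutes.
username hostb-user secret EXAMPLE-SECRET-REPLACE
username hostb-user autocommand access-enable host timeout 10
!
! Access list 101, applied inbound on the outside interface. The first
! line is what lets Host B reach Router A's virtual terminal at all
! (step 1). The "dynamic" line is the template for the temporary entry
! (step 5); "timeout 60" is the absolute timeout in minutes and must be
! larger than the idle timeout above (step 6). Only one dynamic entry
! may appear in a given access list.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
access-list 101 dynamic LOCK-AND-KEY timeout 60 permit ip any host 10.1.1.10
access-list 101 deny ip any any log
!
interface Serial0/0
 description Outside interface towards Host B
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
!
interface FastEthernet0/0
 description Inside network; Host A is 10.1.1.10
 ip address 10.1.1.1 255.255.255.0
!
! Step 2: the virtual terminal lines accept Telnet and use the local database.
line vty 0 4
 login local
 transport input telnet
```

After Host B logs in, `show access-lists 101` shows the temporary entry beneath the dynamic line with Host B's address substituted for `any`; `clear access-template 101 LOCK-AND-KEY` removes it by hand before either timeout expires. Because the temporary entry still admits packets purely by source address, the note earlier in the chapter about terminating IPSec on this router applies to exactly this entry.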

Additional Access List Features

Prior to Cisco IOS 11.2 code, IP access list configuration was somewhat limited. However, many enhancements have since been added within the IOS. Named access lists, time-based access lists, and access list comments are just a few.

Named Access Lists

Numbered access lists allow only a finite number of lists to be created. As of Cisco IOS 11.2, you can identify IP access lists with an alphanumeric string rather than a number. When you use named access lists, you can configure more IP access lists in a router than you could if you were to use numbered access lists. Another advantage of using a named access list is that descriptive names can make large numbers of access lists more manageable. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. Keep a few things in mind when configuring named access lists: not all access lists that accept a number will accept a name, and a standard access list and an extended access list cannot have the same name.

Time-Based Access Lists

Cisco IOS 12.0(1) introduced time-based access lists, which take effect only during the time range specified within the list configuration. Prior to the introduction of this feature, a defined access list was in effect for an infinite period of time, or until the administrator deleted it. With time-based access lists configured, administrators can control traffic according to service provider rates (which might vary during certain times of the day) and have finer granularity of control when permitting or denying certain traffic within their network.

Note The time-based access list feature is dependent on a reliable clock source. It is therefore recommended that the router be configured to utilize the features of the Network Time Protocol (NTP).

Commented Access Lists

Commented access lists give security administrators the opportunity to configure a remark within the access list. This feature allows for ease of identification when defining an access list. The commented access list feature is configurable within both named and numbered access lists. Commented remarks within the access list are limited to 100 characters.
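The three features just described (named lists, time ranges and remarks) can be combined in a single list. The following is an added example, not from the book; the list and time-range names, addresses, NTP server and hours are assumptions.

```cisco
! Added example, not from the book. Names, addresses, NTP server and
! hours are assumptions.
!
! Time-based entries are only as trustworthy as the router clock, so
! synchronize it before relying on them.
clock timezone UTC 0
ntp server 192.0.2.123
!
! Recurring window: Monday to Friday, 08:00 to 17:00.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 17:00
!
! One-off window with a fixed start and end.
time-range MAINTENANCE-WINDOW
 absolute start 22:00 1 June 2014 end 06:00 2 June 2014
!
! A named extended list; a standard list may not reuse this name.
! Each remark (100 characters at most) documents the entry that follows it.
ip access-list extended LAN-TO-INTERNET
 remark Web browsing from the user VLAN, business hours only
 permit tcp 10.1.10.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 permit tcp 10.1.10.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 remark Backup server to the off-site host, maintenance window only
 permit tcp host 10.1.20.5 host 203.0.113.10 eq 22 time-range MAINTENANCE-WINDOW
 remark DNS to the internal resolver at any time
 permit udp 10.1.0.0 0.0.255.255 host 10.1.20.53 eq domain
 remark Explicit, logged form of the implicit deny
 deny ip any any log
!
interface FastEthernet0/1
 description User and server VLANs
 ip access-group LAN-TO-INTERNET in
```

`show time-range` reports whether each range is currently active, and `show access-lists LAN-TO-INTERNET` marks the time-bound entries as active or inactive accordingly, which is the first thing to check when a permit that "should" work is being denied outside its window.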
