intTypePromotion=1
zunia.vn Tuyển sinh 2024 dành cho Gen-Z zunia.vn zunia.vn
ADSENSE
 » 
 » 

Lecture CCNA Security - Chapter 4: Implementing Firewall Technologies

Chia sẻ: You Can | Ngày: | Loại File: PDF | Số trang:132

Thêm vào BST
Báo xấu
57
lượt xem 4
download
 
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Chapter 4 objectives: Describe numbered and named, standard and extended IP ACLs, configure IP ACLs with IOS CLI and CCP, describe TCP established ACL functionality, describe and configure reflexive ACLs, describe and configure dynamic ACLs,... Inviting you to refer.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Lecture CCNA Security - Chapter 4: Implementing Firewall Technologies

  1. Chapter 4 - Implementing Firewall Technologies CCNA Security
  2. Objectives • Describe numbered and named, standard and extended IP ACLs. • Configure IP ACLs with IOS CLI and CCP. • Describe TCP established ACL functionality. • Describe and configure reflexive ACLs. • Describe and configure dynamic ACLs. • Describe and configure time-based ACLs. • Describe attack mitigation with ACLs. • Describe the major types of firewalls. • Describe and configure CBAC (IOS Staful Packet Inspection) with CLI. • Describe and configure Zone-Based Policy Firewall with CLI and CCP Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  3. ACL Topology and Types Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  4. ACL Topology and Types • Refer to 4.1.1.1 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  5. Standard Numbered IP ACLs Router(config)# access-list {1-99} {permit | deny} source-addr [source-mask] • The first value specifies the ACL number • The second value specifies whether to permit or deny the configured source IP address traffic • The third value is the source IP address that must be matched • The fourth value is the wildcard mask to be applied to the previously configured IP address to indicate the range • All ACLs assume an implicit deny statement at the end of the ACL • At least one permit statement should be included or all traffic will be dropped once that ACL is applied to an interface Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  6. Extended Numbered IP ACLs Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] • The first value specifies the ACL number • The second value specifies whether to permit or deny accordingly • The third value indicates protocol type • The source IP address and wildcard mask determine where traffic originates. The destination IP address and wildcard mask are used to indicate the final destination of the network traffic • The command to apply the standard or extended numbered ACL: Router(config-if)# ip access-group number {in | out} Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  7. Extended Numbered IP ACLs Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [ established] ??? Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  8. Named IP ACLs Refer to 4.1.1.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  9. Named IP ACLs Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  10. Apply ACL to the virtual access • An ACL can also be used to permit or deny specific IP addresses from gaining virtual access. • Standard ACLs allow restrictions to be enforced on the originator source IP address or IP address range. • An extended ACL does the same but can also enforce the access protocol such as port 23 (Telnet) or port 22 (SSH). The access-class extended ACL only supports the any (???) keyword as the destination. • The access list must be applied to the vty port. • Router(config-line)# access-class {access-list-name | access-list-number} {in | out} • Or http line • Router(config)# ip http access-class {access-list-name | access-list-number}
  11. The log Parameter • R1(config) # access-list 101 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 22 log *May 1 22:12:13.243: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0- IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 1 packet *May 1 22:17:16.647: %SEC-6-IPACCESSLOGP: list ACL-IPv4-E0/0- IN permitted tcp 192.168.1.3(1024) -> 192.168.2.1(22), 9 packets There are several pieces of information logged: • The action—permit or deny • The protocol—TCP, UDP, or ICMP • The source and destination addresses • For TCP and UDP—the source and destination port numbers • For ICMP—the message types Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  12. ACL Configuration Guidelines 1. ACLs are created globally and then applied to interfaces 2. ACLs filter traffic going through the router, or traffic to and from the router, depending on how it is applied 3. Only one ACL per interface, per protocol, per direction 4. Standard or extended indicates the information that is used to filter packets 5. ACLs are process top-down. The most specific statements must go at the top of the list 6. All ACLs have an implicit “deny all” statement at the end, therefore every list must have at least one permit statement to allow any traffic to pass Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  13. Using Standard IP ACLs • Use a standard ACL to block all traffic from 172.16.4.0/24 network, but allow all other traffic. r1(config)# access-list 1 deny 172.16.4.0 0.0.0.255 r1(config)# access-list 1 permit any r1(config)# interface ethernet 0 r1(config-if)# ip access-group 1 out Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  14. Using Extended IP ACLs • Use an extended ACL to block all FTP traffic from 172.16.4.0/24 network, but allow all other traffic. access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21 access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20 access-list 101 permit ip any any Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  15. Other CLI Commands • To ensure that only traffic from a subnet is blocked and all other traffic is allowed: access-list 1 permit any • To place an ACL on the inbound E1 interface: interface ethernet 1 ip access-group 101 in • To check the intended effect of an ACL: show ip access-list Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  16. Other CLI Commands Refer to 4.1.2.3 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  17. Other CLI Commands Refer to 4.1.2.4 Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  18. Flow for Access Control Lists Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  19. Flow for Access Control Lists Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
  20. Standard ACL placement Refer to 4.1.3.2 Standard ACLs should be placed as close to the destination as possible. Standard ACLs filter packets based on the source address only. If placed too close to the source, it can deny all traffic, including valid traffic. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
ADSENSE

CÓ THỂ BẠN MUỐN DOWNLOAD

THÔNG TIN
TRỢ GIÚP
HỖ TRỢ KHÁCH HÀNG
Theo dõi chúng tôi

Chịu trách nhiệm nội dung:

Nguyễn Công Hà - Giám đốc Công ty TNHH TÀI LIỆU TRỰC TUYẾN VI NA

LIÊN HỆ

Địa chỉ: P402, 54A Nơ Trang Long, Phường 14, Q.Bình Thạnh, TP.HCM

Hotline: 093 303 0098

Email: support@tailieu.vn

Giấy phép Mạng Xã Hội số: 670/GP-BTTTT cấp ngày 30/11/2015 Copyright © 2022-2032 TaiLieu.VN. All rights reserved.

 

Đồng bộ tài khoản
2=>2