Threat Mitigation with ACLs
Date: Mar 20, 2012
In networks today one of the most important issues that we have to deal with is security. Specifically, we need to make certain that our devices are "hardened" against the threat of a cyber-attack. Cyber attacks can take many forms; however, the majority of the methods used to reduce our exposure to these threats relies on or utilizes a very basic networking tool. We are talking about Access Control Lists (ACLs). Whether they are applied directly to a router or switch interface, or used as part of a Zone Based Firewall configuration, they quickly become one of our first lines of defense against external and even internal threats. As CCNA Security candidates, we need to understand that our network security depends strongly on well-written, organized, and concise ACLs to restrict access to network services. We are going to take a critical look at the different types of ACLs; specifically how they can be identified and applied.
What are the basic types of ACLs in IOS?
In IOS ACLs are divided into two basic types: Standard IP and Extended IP Access-lists. Here we will cover the very basics associated with each of these types as they relate to IPv4 and TCP.
- Standard IP ACLs are used to filter IP packets based on the source of the address only.
- Extended IP ACLs are used to filter packets based on several criteria, including but not limited to the following:
- Source IP Address
- Destination IP Address
- Source TCP/UDP ports
- Destination TCP/UDP ports
Shortly we will take a closer look at ACL types individually, but what we need to understand now is that Extended ACLs as their name implies, offer us much more flexibility than do Standard ACLs. We will see, however, that IOS is about using the best tool for the job and the differences between these types of ACLs will be reflected in how they are used and applied.
How do we identify the different types of Access Control Lists?
An ACL, and the protocol it filters, can be identified by either a number or a name. We will discuss named access lists later. With regard to numbered ACLs, the number of the ACL determines which protocol is being filtered. We mentioned earlier that we are focusing purely on ACLs used with the IP/TCP protocols, so we will be looking at the range of numbers used by those protocols. It is important to observe, however, that ACLs can filter protocols other than IP/TCP.
When we create a numbered ACL we assign it a numeric value that actually has a dual purpose. First, it specifies the protocol we will be filtering and second it makes the ACL locally unique. We can have up to 99 Standard IP Access Lists ranging in number from 1 to 99; the Extended IP Access List's number range is assigned from 100 to 199.
After a short period of time, it was decided that many environments needed more than the initially allotted number of Standard and Extended ACLs, so Cisco added expanded ranges for each type. Now we can use numbers ranging from 1300 to 1999 for additional Standard ACLs and 2000 to 2699 for added Extended ACLs.
Now that we know how to identify ACLs we need to take a closer look at each type:
What do Standard ACLs look like on a router?
A Standard Access List only allows you to permit or deny traffic from specific IP addresses. The destination of the packet and the ports involved do not matter.
Here is an example:
access-list 10 permit 192.168.1.0 0.0.0.255
This list allows traffic from all addresses in the range 192.168.1.0 to 192.168.1.255.
You can see how the last field looks similar to a subnet mask, but Cisco ACLs use an inverse (wildcard) mask instead: a 0 bit means that bit of the address must match, and a 1 bit means "don't care". Another very important rule about access-lists is that there is always an "implicit DENY" at the end of each ACL. What this means is that every Standard access-list has an invisible statement at the end of it. In our example, this would be
access-list 10 deny any
So if your traffic is not being explicitly permitted by a statement in the Standard ACL, then your traffic is DENIED. If you manually type the “deny any” statement, it will appear; but remember, even if you don’t type it, it is still there.
What do Extended ACLs look like on the router?
Extended ACLs allow us to permit or deny traffic from specific IP address and port to a specific destination IP address and port. They can also be used to specify different types of traffic such as ICMP, TCP, UDP, etc. This makes Extended ACLs very granular and allows us to be very specific about what we want to filter. As an example:
access-list 103 permit tcp any 192.168.0.0 0.0.255.255 eq 80
access-list 103 permit tcp any host 192.168.1.3 eq 23
In this example the extended ACL 103 will permit TCP traffic from any source destined to any address in the range 192.168.0.0 to 192.168.255.255 on port 80. The second entry will match any telnet traffic destined to 192.168.1.3. What happens if telnet (port 23) traffic arrives destined to IP address 192.168.1.1?
Remember the implicit deny. This traffic would be blocked by the ACL. This leads us to one additional thing we should look at regarding how ACLs operate.
Top Down Processing
The lines of an ACL are processed in a top-down sequence in the order that they are configured. When a packet being processed through an ACL matches a given statement in the list, all further processing for that packet is stopped. As an example:
access-list 1 deny 10.10.10.10
access-list 1 deny 11.11.11.11
access-list 1 permit 10.10.10.10
Suppose this ACL is used to filter traffic inbound on an interface and an IP packet arrives with a source address of 10.10.10.10. Will the traffic be permitted or denied? To determine that we need to look at the ACL itself: because the access list is processed from the top down, the traffic will be denied by the first line. This happens even though it is permitted further down the list. The important thing for us to keep in mind is that the order of the permit and deny statements is crucial.
The three rules of ACLs and traffic filtering
The golden rule when it comes to ACLs is that you can only have one ACL per protocol, per direction, per interface. This means that you can use one access-list for each protocol (IP, TCP, Telnet, etc). You can only have a single ACL for each direction, in or out. You can apply an ACL on each interface type, FastEthernet or Serial. In its simplest terms, you are not allowed to have two inbound IP ACLs on the same interface. In situations where this may be a requirement, it will be necessary to combine them into a single ACL. Again, keep in mind that the order used to construct this combined ACL is critical.
Where do we apply ACLs?
Since Standard ACLs only match the source address of a packet, it is more effective to apply them as close to the destination of the packet as possible. If you don't apply it close to the destination and choose instead to apply it near the source, the ACL might accidentally filter traffic that you do not want filtered.
As a general rule, Extended ACLs can be placed anywhere since they match both the source and the destination of the packet. However, it is recommended to apply them as close to the source as possible. Applying these ACLs near the source will save resources like CPU cycles and bandwidth. If a packet has to be denied, then it does not make sense to let it be forwarded toward the destination and thus waste resources; it should be denied near the source to prevent wasted bandwidth.
How do we apply ACLs?
ACLs must be applied to a router interface in order for them to have any effect. It is important to note that ACLs are applied to an interface based on the direction of the data flow we are interested in filtering:
- Inbound (in) means that the ACL will filter packets entering the router interface.
- Outbound (out) means that the ACL will be applied to packets exiting the router interface.
Before you apply an ACL to an interface, it is necessary to know which direction it will be filtering. Once this has been determined we will use the 'ip access-group' command under interface configuration mode. On the router, it will look something like this:
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 2 in
R1(config-if)# interface Fa0/1
R1(config-if)# ip access-group 3 out
R1(config-if)# exit
In this example we can see that we have applied ACL 2 and ACL 3 to two different interfaces.
A very common security practice in the real world is to create an ACL matching all of our internal networks, and then apply that ACL inbound on all external-facing interfaces. This prevents a cyber attacker from using the well-known "IP spoofing" attack against the network. In an IP spoofing attack, an intruder sends packets to an internal host with a forged source IP address so that they appear to come from an internal, trusted host, and so gains unauthorized access to network hosts and services. Applying an ACL on the external interface that denies all inbound traffic sourced from any subnet that we are using on our network will immediately prevent this type of attack.
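The following is an added example, not part of the original article, that models how IOS evaluates the ACLs shown above: wildcard-mask matching, top-down first-match processing, and the implicit deny, using the page's access-list 1 and access-list 103 plus an anti-spoofing list of the kind just described. The internal subnets in ANTI_SPOOF (192.168.0.0/16 and 10.0.0.0/8) are constructed stand-ins; the Entry class and evaluate() function are this example's own, not an IOS or Cisco API.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp"
    src: str = "any"             # "any", "host A.B.C.D", bare "A.B.C.D" (standard ACL), or "A.B.C.D W.X.Y.Z"
    dst: str = "any"             # same forms; standard ACLs never look at it
    dport: Optional[int] = None  # the 'eq <port>' keyword; None matches any port

def wildcard_match(spec: str, addr: str) -> bool:
    """IOS address match. A wildcard (inverse mask) bit of 0 means 'must match',
    1 means 'don't care', so 0.0.0.255 covers a /24 and 0.0.255.255 a /16."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host" or len(parts) == 1:        # single host, wildcard 0.0.0.0
        base, wild = ipaddress.IPv4Address(parts[-1]), ipaddress.IPv4Address("0.0.0.0")
    else:
        base, wild = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
    care = ~int(wild) & 0xFFFFFFFF                   # the bits we must compare
    return int(ipaddress.IPv4Address(addr)) & care == int(base) & care

def evaluate(acl: list, src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> str:
    """Top-down, first-match evaluation; a packet matching no line hits the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(e.src, src) and wildcard_match(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action                              # first match stops all further processing
    return "deny"                                    # the invisible 'deny any' at the end of every ACL

# access-list 1 from the Top Down Processing section
ACL_1 = [Entry("deny", src="10.10.10.10"), Entry("deny", src="11.11.11.11"), Entry("permit", src="10.10.10.10")]
# access-list 103 from the Extended ACL section
ACL_103 = [Entry("permit", "tcp", "any", "192.168.0.0 0.0.255.255", 80),
           Entry("permit", "tcp", "any", "host 192.168.1.3", 23)]
# Anti-spoofing list for the external interface (constructed internal subnets). The trailing
# 'permit any' is required: without it the implicit deny would block all legitimate inbound traffic.
ANTI_SPOOF = [Entry("deny", src="192.168.0.0 0.0.255.255"), Entry("deny", src="10.0.0.0 0.255.255.255"),
              Entry("permit")]

if __name__ == "__main__":
    print(evaluate(ACL_1, "10.10.10.10", "192.168.1.3"))                    # deny: first match wins
    print(evaluate(ACL_103, "203.0.113.5", "192.168.1.1", "tcp", 23))       # deny: implicit deny
    print(evaluate(ANTI_SPOOF, "192.168.1.50", "192.168.1.3", "tcp", 23))   # deny: spoofed internal source
```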
Conclusion
Understanding the proper use of Cisco IOS ACLs is an essential requirement for any aspiring network engineer. In this blog we have looked at the essentials of Access-Lists that everyone should know, including how to create and apply them. We have analyzed how access-lists can be used to filter traffic that is flowing through the network, but there are many more options and uses than what we were able to explore here. To learn more, go to your router and type access-list ?, or consult the Cisco documentation on Access-lists.