© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.05-1 Cisco Device Hardening: Mitigating Threats and Attacks with Access Lists.

Transcript:

Cisco Device Hardening: Mitigating Threats and Attacks with Access Lists

Cisco ACLs

Standard and Extended ACLs

Cisco routers support two basic types of IP ACLs:
Standard IP ACL: filters IP packets based on the source address only
Extended IP ACL: filters IP packets based on several attributes, including:
–Protocol type (IP, ICMP, UDP, TCP, or protocol number)
–Source and destination IP addresses
–Source and destination TCP and UDP ports

access-list 10 permit
access-list 101 permit tcp any eq 80

Identifying ACLs

Cisco routers can identify ACLs using two methods:
ACL number: the number of the ACL determines which protocol it is filtering:
–1 to 99 and 1300 to 1999: Standard IP ACLs
–100 to 199 and 2000 to 2699: Extended IP ACLs
ACL name: you provide the name of the ACL:
–Names contain alphanumeric characters.
–Names cannot contain spaces or punctuation and must begin with an alphabetic character.

Guidelines for Developing ACLs

Base ACLs on the security policy.
Write the ACL out:
–Write out what you want this ACL to accomplish.
–This is the time to think about potential problems.
Set up a development system:
–This allows you to copy and paste statements easily.
–It also allows you to develop a library of ACLs.
–Store the files as ASCII text files.
Apply the ACL to a router and test:
–If at all possible, run your ACLs in a test environment before placing them into production.

Applying ACLs to Router Interfaces

Applying ACLs to Router Interfaces

Inbound (in): data flows toward the router interface.
Outbound (out): data flows away from the router interface.

Using Traffic Filtering with ACLs

Traffic Filtering

Use ACLs to filter ingress and egress traffic on routers and firewall appliances.
Use ACLs to disable and limit services, ports, and protocols.

Filtering Network Traffic to Mitigate Threats

IP Address Spoofing Mitigation: Inbound

R2(config)#access-list 150 deny ip any log
R2(config)#access-list 150 deny ip any log
R2(config)#access-list 150 deny ip any log
R2(config)#access-list 150 deny ip any log
R2(config)#access-list 150 deny ip any log
R2(config)#access-list 150 deny ip any log
R2(config)#access-list 150 deny ip host any log
R2(config)#access-list 150 permit ip any
R2(config)#interface e0/0
R2(config-if)#ip access-group 150 in
R2(config-if)#exit

IP Address Spoofing Mitigation: Outbound

Be a good citizen and prevent your network from being spoofed.

R2(config)#access-list 105 permit ip any
R2(config)#access-list 105 deny ip any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 105 in
R2(config-if)#end

DoS TCP SYN Attack Mitigation: Blocking External Access

R2(config)#access-list 109 permit tcp any established
R2(config)#access-list 109 deny ip any any log
R2(config)#interface e0/0
R2(config-if)#ip access-group 109 in
R2(config-if)#end
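The slides so far describe how IOS treats a numbered IP ACL: the number fixes whether it is standard (source address only) or extended (protocol, addresses, ports), statements are read from the top and the first match decides, and anything unmatched falls through to the implicit deny; this slide adds the `established` keyword, which matches only TCP segments with ACK or RST set, so unsolicited inbound SYNs fall through to the deny. The Python below is an added example, not course material or Cisco code: a small simulator that parses the access-list syntax used in this deck and evaluates packets the same way, which is one way to follow the "test before production" guideline offline. Every address and port in `SAMPLE_CONFIG` is a constructed value (the slides' own addresses were lost in extraction), and the parser covers only the keywords this deck uses (`any`, `host`, wildcards, `eq`, `range`, `established`, `log`, ICMP message names), not named ACLs or port names.

```python
"""Added example (not course material): simulator for Cisco IOS numbered IP
ACLs. Classifies by number, parses the access-list syntax used in these
slides, and evaluates packets top down, first match wins, implicit deny."""
import ipaddress
from collections import namedtuple

RANGES = {"standard": ((1, 99), (1300, 1999)), "extended": ((100, 199), (2000, 2699))}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255 matches all

# src/dst are (address, wildcard) integer pairs; sport/dport are (low, high) or
# None for any port; established means "TCP with ACK or RST set" only.
Entry = namedtuple("Entry", "action proto src dst sport dport established icmp_type")
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(0, 0, False, None))

def acl_type(number):
    """Map an ACL number to 'standard' or 'extended' (numbered IP ACLs only)."""
    for kind, ranges in RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return kind
    raise ValueError(f"{number} is not a numbered IP ACL")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens, bare_host=False):
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' (standard ACLs)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    if bare_host and (not tokens or tokens[0] == "log"):
        return (_ip(t), 0)
    return (_ip(t), _ip(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq P' or 'range LO HI' port operator."""
    width = {"eq": 1, "range": 2}.get(tokens[0] if tokens else None)
    if width is None:
        return None
    ports = [int(t) for t in tokens[1:1 + width]]
    del tokens[:1 + width]
    return (ports[0], ports[-1])

def parse_entry(line):
    """Parse 'access-list N permit|deny ...' into (N, Entry)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if acl_type(number) == "standard":   # source address only
        proto, src, sport, dst, dport = "ip", _addr(rest, True), None, ANY, None
    else:
        proto = rest.pop(0)
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
    # Trailing keywords: 'established', 'log' (no effect on matching), ICMP type.
    icmp = [t for t in rest if t not in ("established", "log")]
    return number, Entry(action, proto, src, dst, sport, dport,
                         "established" in rest, icmp[0] if icmp else None)

def load_acls(config):
    """Group access-list lines by number, keeping configuration order."""
    acls = {}
    for line in config.split("\n"):
        if line.strip().startswith("access-list "):
            number, entry = parse_entry(line)
            acls.setdefault(number, []).append(entry)
    return acls

def _addr_match(spec, ip):
    addr, wc = spec
    care = ~wc & 0xFFFFFFFF  # bits the wildcard says must compare equal
    return (_ip(ip) & care) == (addr & care)

def _port_match(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def matches(e, p):
    return (e.proto in ("ip", p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and _port_match(e.sport, p.sport) and _port_match(e.dport, p.dport)
            and (not e.established or p.ack)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(entries, packet):
    """Top down, first match wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if matches(e, packet):
            return e.action
    return "deny"

# Constructed config: a standard ACL, an extended ACL, the SYN slide's
# 'established' pattern with addresses filled in, and an inbound ICMP filter.
SAMPLE_CONFIG = """
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 101 permit tcp any any eq 80
access-list 109 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 109 deny ip any any log
access-list 112 deny icmp any any echo log
access-list 112 permit icmp any any
"""

if __name__ == "__main__":
    acls = load_acls(SAMPLE_CONFIG)
    syn = Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 80)
    print("ACL 109 on an inbound SYN:", evaluate(acls[109], syn))
    print("ACL 109 on return traffic:",
          evaluate(acls[109], syn._replace(sport=80, dport=40000, ack=True)))
```

Wildcards are applied bit for bit (`~wildcard` selects the bits that must be equal), so discontiguous masks behave as they do on the router, and the implicit deny is simply the fall-through return value of `evaluate`.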

DoS TCP SYN Attack Mitigation: Using TCP Intercept

R2(config)#ip tcp intercept list 110
R2(config)#access-list 110 permit tcp any
R2(config)#access-list 110 deny ip any any
R2(config)#interface e0/0
R2(config-if)#ip access-group 110 in
R2(config-if)#end

DoS Smurf Attack Mitigation

R2(config)#access-list 111 deny ip any host log
R2(config)#access-list 111 permit ip any log
R2(config)#access-list 112 deny ip any host log
R2(config)#access-list 112 permit ip any log
R2(config)#interface e0/0
R2(config-if)#ip access-group 111 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 112 in
R2(config-if)#end

Filtering Inbound ICMP Messages

R2(config)#access-list 112 deny icmp any any echo log
R2(config)#access-list 112 deny icmp any any redirect log
R2(config)#access-list 112 deny icmp any any mask-request log
R2(config)#access-list 112 permit icmp any
R2(config)#interface e0/0
R2(config-if)#ip access-group 112 in
R2(config-if)#end

Filtering Outbound ICMP Messages

R2(config)#access-list 114 permit icmp any echo
R2(config)#access-list 114 permit icmp any parameter-problem
R2(config)#access-list 114 permit icmp any packet-too-big
R2(config)#access-list 114 permit icmp any source-quench
R2(config)#access-list 114 deny icmp any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 114 in
R2(config-if)#end

Filtering UDP Traceroute Messages

R2(config)#access-list 120 deny udp any any range log
R2(config)#access-list 120 permit ip any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 120 in
R2(config-if)#end

Mitigating Distributed DoS with ACLs

Basics of Distributed DoS Attacks

Distributed DoS attacks exploit specific ports.
ACLs can control access on a port-by-port basis.

Mitigate Distributed DoS Using Martian Filters

RFC 3704 is an update to RFC 2827.
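The two spoofing slides earlier in the deck and the RFC 2827 / RFC 3704 reference here describe one check seen from both sides: on the outside interface, drop packets whose source is a special-use ("martian") prefix or your own prefix; on the inside interface, let only your own prefix out. The Python below is an added illustration, not part of the course or Cisco's code. The special-use prefixes and the 192.0.2.0/24 site prefix are my own choices, since the slides' addresses were lost in extraction, and the rendered access-list lines follow the layout of the slides' ACLs 150 and 105 rather than any particular IOS release.

```python
"""Added example (not course material): RFC 2827 / RFC 3704 style
source-address checks as Python, plus rendering back to access-list lines."""
import ipaddress

# Sources that should never arrive from the Internet. My choice of well-known
# special-use blocks ("this" network, RFC 1918, loopback, multicast, reserved);
# the slide's own prefixes were lost in extraction.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed site prefix behind the router's inside interface (e0/1).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


def inbound_verdict(src, internal=INTERNAL):
    """Outside interface (e0/0), inbound: deny martians and anyone claiming our prefix."""
    ip = ipaddress.ip_address(src)
    for net in MARTIANS:
        if ip in net:
            return ("deny", f"martian source in {net}")
    if ip in internal:
        return ("deny", "external packet claims an internal source")
    return ("permit", "")


def outbound_verdict(src, internal=INTERNAL):
    """Inside interface (e0/1), inbound to the router: only our prefix may leave."""
    if ipaddress.ip_address(src) in internal:
        return ("permit", "")
    return ("deny", "internal host sending with a foreign source")


def wildcard(net):
    """IOS wildcard mask for a prefix: the inverted netmask, i.e. the host mask."""
    return str(net.hostmask)


def render_inbound_acl(number, internal=INTERNAL):
    """Render the inbound check as access-list lines in the slide's layout."""
    lines = [f"access-list {number} deny ip {n.network_address} {wildcard(n)} any log"
             for n in MARTIANS]
    lines.append(f"access-list {number} deny ip {internal.network_address} "
                 f"{wildcard(internal)} any log")
    lines.append(f"access-list {number} permit ip any {internal.network_address} "
                 f"{wildcard(internal)}")
    return lines


def render_outbound_acl(number, internal=INTERNAL):
    """Render the outbound check: permit our prefix, log and drop everything else."""
    return [f"access-list {number} permit ip {internal.network_address} {wildcard(internal)} any",
            f"access-list {number} deny ip any any log"]


def audit(samples):
    """Run (interface, source) observations through the check for that interface."""
    checks = {"e0/0": inbound_verdict, "e0/1": outbound_verdict}
    return [(iface, src) + checks[iface](src) for iface, src in samples]


# Constructed observations: one clean and two bad arrivals on the outside
# interface, then one clean and one spoofed departure from the inside.
SAMPLES = [("e0/0", "198.51.100.4"), ("e0/0", "10.9.8.7"), ("e0/0", "192.0.2.77"),
           ("e0/1", "192.0.2.5"), ("e0/1", "203.0.113.9")]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(*row)
    print("\n".join(render_inbound_acl(150) + render_outbound_acl(105)))
```

The `hostmask` attribute is what IOS calls the wildcard, which is why `render_inbound_acl` can emit correct masks for every prefix length without a lookup table; the logged denies are the detection signal a defender would watch for after deploying the filter.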

Distributed DoS Attack Mitigation: TRIN00

R2(config)#access-list 190 deny tcp any any eq 1524 log
R2(config)#access-list 190 deny tcp any any eq log
R2(config)#access-list 190 deny udp any any eq log
R2(config)#access-list 190 deny udp any any eq log
R2(config)#interface e0/0
R2(config-if)#ip access-group 190 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 190 in
R2(config-if)#end

Distributed DoS Attack Mitigation: Stacheldraht

R2(config)#access-list 190 deny tcp any any eq log
R2(config)#access-list 190 deny tcp any any eq log
R2(config)#interface e0/0
R2(config-if)#ip access-group 190 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 190 in
R2(config-if)#end

Distributed DoS Attack Mitigation: Trinity v3

R2(config)#access-list 190 deny tcp any any eq log
R2(config)#interface e0/0
R2(config-if)#ip access-group 190 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 190 in
R2(config-if)#end

Distributed DoS Attack Mitigation: SubSeven

R2(config)#access-list 190 deny tcp any any eq 1243 log
R2(config)#access-list 190 deny tcp any any eq 2773 log
R2(config)#access-list 190 deny tcp any any range log
R2(config)#access-list 190 deny tcp any any eq 6776 log
R2(config)#access-list 190 deny tcp any any eq 7000 log
R2(config)#access-list 190 deny tcp any any eq 7215 log
R2(config)#access-list 190 deny tcp any any eq log
R2(config)#access-list 190 deny tcp any any eq log
R2(config)#access-list 190 deny tcp any any eq log
R2(config)#interface e0/0
R2(config-if)#ip access-group 190 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 190 in
R2(config-if)#end

Combining Access Functions

Caveats

ACL Caveats

Statement: Caveat
Implicit deny all: You may not see this statement, but it does exist.
Standard ACL limitation: You may need to create extended ACLs to implement security policies.
Statement evaluation order: ACL statements are evaluated from the top down, so always consider the order of the statements.
Order of ACL statements: Place more specific ACL statements higher in the ACL. Ensure that statements at the top of the ACL do not negate any statements found lower in the list.
Directional filtering: Always double-check the direction (inbound or outbound) of the data that your ACL is filtering.

ACL Caveats (Cont.)

Statement: Caveat
Modifying numbered ACLs: Adding new statements may require a new ACL to be created.
Special packets: If filtering router-generated packets is part of the security policy, they must be acted upon by inbound ACLs on adjacent routers or through other router filter mechanisms using ACLs.
Extended ACL placement: Always consider placing extended ACLs on routers as close as possible to the source being filtered.
Standard ACL placement: Always place standard ACLs as close to the destination as possible.
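The "implicit deny all", "statement evaluation order" and "order of ACL statements" caveats are mechanically checkable before an ACL goes near a router. The Python below is an added example, not course material or Cisco code: it parses standard-ACL statements whose wildcards are contiguous (the usual 0.0.0.255 style) into prefixes, flags any statement that an earlier, broader statement already covers (redundant if the actions agree, negated if they differ), reports when an ACL contains no permit at all and therefore blocks everything through the implicit deny, and proposes a specific-first ordering for a human to review. The sample ACL is constructed.

```python
"""Added example (not course material): lint for standard-ACL ordering
caveats. Assumes contiguous wildcards so each statement maps to one prefix."""
import ipaddress


def parse_standard(line):
    """'access-list N permit|deny any|host A|A [WILDCARD] [log]' -> (action, network)."""
    tok = line.split()
    action, addr = tok[2], tok[3]
    if addr == "any":
        return action, ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":
        return action, ipaddress.ip_network(tok[4] + "/32")
    wc = tok[4] if len(tok) > 4 and tok[4] != "log" else "0.0.0.0"  # bare A = host
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF)
    return action, ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def find_shadowed(lines):
    """Return (line_no, shadowing_line_no, kind) for statements that can never
    match because an earlier statement already covers their whole prefix.
    kind is 'negated' when the earlier statement takes the opposite action."""
    entries = [parse_standard(l) for l in lines]
    findings = []
    for i, (action, net) in enumerate(entries):
        for j in range(i):
            earlier_action, earlier_net = entries[j]
            if net.subnet_of(earlier_net):
                kind = "negated" if action != earlier_action else "redundant"
                findings.append((i + 1, j + 1, kind))
                break
    return findings


def has_explicit_permit(lines):
    """With the implicit deny at the end, an ACL with no permit blocks everything."""
    return any(parse_standard(l)[0] == "permit" for l in lines)


def specific_first(lines):
    """Stable sort by prefix length, longest first. This is a proposal to review,
    not an equivalent rewrite: moving a statement can change a host's verdict."""
    return sorted(lines, key=lambda l: -parse_standard(l)[1].prefixlen)


# Constructed sample: the /8 permit on line 1 swallows lines 2 and 3.
SAMPLE_ACL = [
    "access-list 20 permit 10.0.0.0 0.255.255.255",
    "access-list 20 deny 10.1.1.0 0.0.0.255 log",
    "access-list 20 permit host 10.1.1.7",
    "access-list 20 permit 192.168.0.0 0.0.255.255",
]

if __name__ == "__main__":
    for line_no, by, kind in find_shadowed(SAMPLE_ACL):
        print(f"line {line_no} is {kind} by line {by}: {SAMPLE_ACL[line_no - 1]}")
    if not has_explicit_permit(SAMPLE_ACL):
        print("no permit statement: everything falls to the implicit deny")
    print("\n".join(specific_first(SAMPLE_ACL)))
```

On the sample, line 2 (a deny) is negated by the broader permit above it, and line 3 is redundant; after `specific_first` reorders the statements no finding remains, but the host on line 3 is now permitted ahead of the /24 deny, which is exactly the kind of intent question the reorder hands back to the reviewer.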

Summary

Standard, extended, enhanced, named, and numbered ACLs can be created.
Simple rules should be followed when creating ACLs.
ACLs must be applied based on the direction of the data flow.
ACLs can be used to filter traffic to mitigate security threats.
ACLs can be used to mitigate distributed DoS attacks.
Packets with a source IP address within /8, /8, /8, /12, /16, /4, or /4 should be denied on the ISP edge.
Many ACL functions can be combined into two or three larger ACLs.
Several caveats should be considered when creating ACLs.
