Chapter10ccna
Presentation Transcript

  • Instructor & Todd Lammle Sybex CCNA 640-802 Chapter 10: Security
  • Chapter 10 Objectives
    • The CCNA Topics Covered in this chapter include:
    • Introduction to Security
      • Types of attacks
      • Mitigating attacks
    • Access-lists
      • Standard
      • Extended
      • Named
      • Monitoring Access-lists
  • Introduction to Security
  • Attacks
    • APPLICATION-LAYER ATTACKS
    • AUTOROOTERS
    • BACKDOORS
    • DENIAL OF SERVICE (DOS) AND DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS
      • (MANY OTHERS)
  • Mitigating Attacks
    • Appliances
      • IDS
      • IPS
    • STATEFUL IOS FIREWALL INSPECTION ENGINE
    • FIREWALL VOICE TRAVERSAL
    • ICMP INSPECTION
    • AUTHENTICATION PROXY
  • Access Lists
    • Purpose:
      • Used to permit or deny packets moving through the router
      • Permit or deny Telnet (VTY) access to or from a router
      • Create dial-on demand (DDR) interesting traffic that triggers dialing to a remote location
  • Important Rules
    • Packets are compared to each line of the access list in sequential order
    • Packets are compared with lines of the access list only until a match is made
      • Once a match is made & acted upon no further comparisons take place
    • An implicit “deny” is at the end of each access list
      • If no matches have been made, the packet will be discarded
  • Types of Access Lists
    • Standard Access List
      • Filter by source IP addresses only
    • Extended Access List
      • Filter by Source IP, Destination IP, Protocol Field, Port Number
    • Named Access List
      • Functionally the same as standard and extended access lists.
  • Application of Access Lists
    • Inbound Access Lists
      • Packets are processed before being routed to the outbound interface
    • Outbound Access Lists
      • Packets are routed to the outbound interface & then processed through the access list
  • ACL Guidelines
    • One access list per interface, per protocol, or per direction
    • More specific tests at the top of the ACL
    • New lines are placed at the bottom of the ACL
    • Individual lines cannot be removed
    • End ACLs with a permit any command
    • Create ACLs & then apply them to an interface
    • ACLs do not filter traffic originated from the router
    • Put Standard ACLs close to the destination
    • Put Extended ACLs close to the source
  • Standard IP Access Lists
        • Router# config t
        • Enter configuration commands, one per line. End with CNTL/Z.
        • Router(config)# access-list ?
        • <1-99> IP standard access list
        • <100-199> IP extended access list
        • <1000-1099> IPX SAP access list
        • <1100-1199> Extended 48-bit MAC address access list
        • <1200-1299> IPX summary address access list
        • <200-299> Protocol type-code access list
        • <300-399> DECnet access list
        • <600-699> Appletalk access list
        • <700-799> 48-bit MAC address access list
        • <800-899> IPX standard access list
        • <900-999> IPX extended access list
  • Standard IP Access Lists
    • Creating a standard IP access list:
        • Router(config)# access-list 10 ?
        • deny Specify packets to reject
        • permit Specify packets to forward
    • Permit or deny?
        • Router(config)# access-list 10 deny ?
        • Hostname or A.B.C.D Address to match
        • any any source host
        • host A single host address
    • Using the host command
        • Router(config)# access-list 10 deny host 172.16.30.2
  • Standard ACL Example
  • Standard ACL Example 2
  • Standard ACL Example 3
  • Wildcards
    • What are they???
      • Used with access lists to specify a…
        • Host
        • Network
        • Part of a network
  • Block Sizes
    • 64 32 16 8 4
    • Rules:
      • When specifying a range of addresses, choose the closest block size
      • Each block size must start at 0
      • A ‘0’ in a wildcard means that octet must match exactly
      • A ‘255’ in a wildcard means that octet can be any value
      • The command any is the same thing as writing out the wildcard: 0.0.0.0 255.255.255.255
  • Specifying a Range of Subnets
    • (Remember: specify a range of values in a block size)
    • Requirement: Block access in the range from 172.16.8.0 through 172.16.15.0 = block size 8
    • Network number = 172.16.8.0
    • Wildcard = 0.0.7.255
    • **The wildcard is always one number less than the block size
  • Controlling VTY (Telnet) Access
    • Why??
      • Without an ACL any user can Telnet into the router via VTY and gain access
    • Controlling access
      • Create a standard IP access list
        • Permitting only the host/hosts authorized to Telnet into the router
      • Apply the ACL to the VTY line with the
        • access-class command
  • Example
    • Lab_A(config)#access-list 50 permit 172.16.10.3
    • Lab_A(config)#line vty 0 4
    • Lab_A(config-line)#access-class 50 in
    • (implied deny)
  • Extended IP Access Lists
    • Allows you to choose...
        • IP Source Address
        • IP Destination Address
        • Protocol
        • Port number
  • Extended IP ACLs
        • Router(config)#access-list ?
        • <1-99> IP standard access list
        • <100-199> IP extended access list
        • <1000-1099> IPX SAP access list
        • <1100-1199> Extended 48-bit MAC address access list
        • <1200-1299> IPX summary address access list
        • <200-299> Protocol type-code access list
        • <300-399> DECnet access list
        • <600-699> Appletalk access list
        • <700-799> 48-bit MAC address access list
        • <800-899> IPX standard access list
        • <900-999> IPX extended access list
        • Router(config)#access-list 110 ?
        • deny Specify packets to reject
        • dynamic Specify a DYNAMIC list of PERMITs or DENYs
        • permit Specify packets to forward
  • Extended IP ACLs
        • Router(config)# access-list 110 deny ?
        • <0-255> An IP protocol number
        • ahp Authentication Header Protocol
        • eigrp Cisco's EIGRP routing protocol
        • esp Encapsulation Security Payload
        • gre Cisco's GRE tunneling
        • icmp Internet Control Message Protocol
        • igmp Internet Gateway Message Protocol
        • igrp Cisco's IGRP routing protocol
        • ip Any Internet Protocol
        • ipinip IP in IP tunneling
        • nos KA9Q NOS compatible IP over IP tunneling
        • ospf OSPF routing protocol
        • pcp Payload Compression Protocol
        • tcp Transmission Control Protocol
        • udp User Datagram Protocol
        • Router(config)# access-list 110 deny tcp ?
        • A.B.C.D Source address
        • any Any source host
        • host A single source host
  • Extended IP ACL Steps
    • #1: Select the access list:
    • RouterA(config)#access-list 110
    • #2: Decide on deny or permit:
    • RouterA(config)#access-list 110 deny
    • #3: Choose the protocol type:
    • RouterA(config)#access-list 110 deny tcp
    • #4: Choose source IP address of the host or network:
    • RouterA(config)#access-list 110 deny tcp any
    • #5: Choose destination IP address
    • RouterA(config)#access-list 110 deny tcp any host 172.16.30.2
    • #6: Choose the type of service, port, & logging
    • RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
  • Steps (cont.)
    • RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
    • RouterA(config)#access-list 110 permit ip any 0.0.0.0 255.255.255.255
    • RouterA(config-if)#ip access-group 110 in
    • or
    • RouterA(config-if)#ip access-group 110 out
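As an added example (not part of the slides), a small Python model of the matching rules above: Cisco wildcard masks, the "wildcard = block size − 1" rule from the subnet-range slide, top-down first-match evaluation, and the implicit deny at the end. The ACL entries are the slide's list 110 and a standard list for the 172.16.8.0–172.16.15.255 range; the packet dictionaries and function names are this example's own.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the slide's "any": match every address


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def wildcard_for_block(block_size, octet):
    """Slide rule: wildcard octet = block size - 1; octets to its right are 255 (any)."""
    octets = [0, 0, 0, 0]
    octets[octet - 1] = block_size - 1
    for i in range(octet, 4):
        octets[i] = 255
    return ".".join(str(o) for o in octets)


def evaluate(acl, packet):
    """Walk the list top-down; the first matching line decides; otherwise implicit deny."""
    for action, proto, (src, src_wc), (dst, dst_wc), dport in acl:
        if proto != "ip" and proto != packet["proto"]:
            continue                      # protocol field does not match this line
        if not wildcard_match(packet["src"], src, src_wc):
            continue
        if not wildcard_match(packet["dst"], dst, dst_wc):
            continue
        if dport is not None and packet.get("dport") != dport:
            continue
        return action                     # first match wins, no further comparisons
    return "deny"                         # implicit deny at the end of every ACL


# Extended list 110 from the slides: block Telnet to 172.16.30.2, permit everything else.
ACL_110 = [
    ("deny",   "tcp", ANY, ("172.16.30.2", "0.0.0.0"), 23),
    ("permit", "ip",  ANY, ANY, None),
]

# Standard list for the "Specifying a Range of Subnets" slide (172.16.8.0 0.0.7.255).
# A standard list tests source only, so destination is "any" and no port is used.
ACL_STD = [
    ("deny",   "ip", ("172.16.8.0", wildcard_for_block(8, 3)), ANY, None),
    ("permit", "ip", ANY, ANY, None),
]
```

Passing an empty list to `evaluate` shows why every slide stresses ending with a `permit any`: with no matching line the implicit deny discards the packet.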
  • Named Access Lists
    • Another way to create standard and extended access lists.
    • Allows the use of descriptive names to ease network management.
    • Syntax changes:
      • Lab_A(config)#ip access-list standard BlockSales
      • Lab_A(config-std-nacl)#deny 172.16.40.0 0.0.0.255
      • Lab_A(config-std-nacl)#permit any
  • Monitoring IP Access Lists
    • Display all access lists & their parameters
      • show access-list
    • Show only the parameters for the access list 110
      • show access-list 110
    • Shows only the IP access lists configured
      • show ip access-list
    • Shows which interfaces have access lists set
      • show ip interface
    • Shows the access lists & which interfaces have access lists set
      • show running-config
  • Written Labs and Review Questions
      • Open your books and go through all the written labs and the review questions.
      • Review the answers in class.