Router Security to Protect the Network

All the topics discussed to this point in the chapter have covered the different steps that an administrator needs to take to protect the router itself. The next step you need to learn is how to configure the router to protect the network behind it. This can be done by using access lists or enhanced access lists, such as dynamic or time-based access lists. If a device is running a security image, those networks can also be protected by using Context-Based Access Control (CBAC).

Access Lists

On a router, access lists are used as packet filters to decide which packets can go across a certain interface. Packets that are allowed on an interface are called permitted packets and packets that are not allowed are called denied packets. Access lists can consist of one or more statements that determine what data is permitted and denied on an interface. The statements are known as Access Control Entries (ACE). It is important to use well-written access lists to restrict access because Cisco router security is highly dependent on them for filtering packets as they travel across the network.

A router can identify an access list by either a name or a number. Table 8-2 lists some of the commonly used access list numbers and their associated types.

Table 8-2. Access List Numbers

Access List Number	Type
199	IP standard access list
100199	IP extended access list
800899	IPX standard access list
10001099	IPX SAP access list
13001999	IP standard access list (expanded range)
20002699	IP extended access list (expanded range)

Starting with Cisco IOS version 11.2, access lists can be identified by a name rather than just by a number. By using named access lists, you can identify an access list more easily than if you are using numbered access lists alone. The command syntax for named access lists is also slightly different. As stated in Table 8-2, there are two types of IP access lists:

• Standard IP access lists This type can filter IP packets based on the source address only.

• Extended IP access lists This type can filter IP packets based on several attributes, including the following:

  - Source IP address

  - Destination IP address

  - Source TCP or UDP port

  - Destination TCP or UDP port

  - Protocol

The command syntax for a standard numbered access list is as follows:

access-list access-list-number {deny | permit} source [source-wildcard]

Table 8-3 describes the commands you can use when configuring a numbered access list.

Table 8-3. Numbered Access List Command

Command	Description
access-list-number	Serves dual purposes: It is the number of the access list. It specifies that this is a standard IP access list.
Deny	Drops all packets matching the specific source address.
Permit	Allows all packets matching the specific source address to flow through the interface.
Source	Specifies the IP address of a host or group of hosts (if a wildcard mask is specified).
source-wildcard	The wildcard mask is applied to the source group of hosts whose packets are to be examined.

Example 8-7 shows a standard numbered access list.

Example 8-7. Example Access List

Brussels(config)# access-list 1 permit 10.1.4.3
Brussels(config)# access-list 1 deny   10.1.0.0 0.0.255.255
Brussels(config)# access-list 1 permit 10.0.0.0 0.255.255.255

Network 10.0.0.0 is a class A address whose second octet specifies a subnet; the subnet mask is 255.255.0.0. The third and the fourth octets of the 10.0.0.0 address specify a particular host. The access list in Example 8-7 would accept one address from subnet 1 and reject all other addresses from that subnet. The last line indicates that this access list would accept addresses on all other 10.0.0.0 subnets.

In addition to the keywords described previously, standard numbered IP access lists support the keywords described in Table 8-4.

Table 8-4. Additional Access List Keywords

Keyword	Description
any	Specifies any host. This is the same as typing 0.0.0.0 255.255.255.255.
host	Specifies an exact host match. This is the same as using a mask of 0.0.0.0.
log	Enables the logging of packets that match the deny or permit statement.

The syntax for creating a standard named access list is as follows:

ip access-list standard access-list-name {deny | permit} source {source-wildcard}

Table 8-5 describes the commands you can use when configuring a named access list.

Table 8-5. Named Access List Commands

Command	Description
access-list-name	Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character.

All other keywords have the same behavior as in numbered access lists. The keywords any, host, and log work in the same way as with numbered access lists.

Extended access lists allow packet filtering on source and destination addresses, protocol type, source and destination port, as well as several protocol-dependent options. An extended numbered access list can be created by using the access list arguments and keywords with the following syntax:

[View full width]
access-list access-list-number {deny | permit} {protocol-number | protocol-keyword} {
 source source-wildcard | any | host} operator {source-port} {destination
 destination-wildcard | any | host} operator {destination-port} [established] [log | log-input]

Table 8-6 describes the commands that can be used when configuring extended numbered access lists.

Table 8-6. Numbered Extended Access List Commands

Command	Description
access-list-number	Represents the number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
Deny	Denies access if the conditions are matched.
Permit	Permits access if the conditions are matched.
protocol-number	Specifies an integer in the range from 0 to 255 representing an Internet protocol number.
protocol-keyword	Represents the name of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp.
source	Represents the number of the network or host from which the packet is being sent.
source-wildcard	Represents the wildcard bits to be applied to source.
source-port	Specifies the port from which the packet originated.
destination	Represents the number of the network or host to which the packet is being sent.
destination-wildcard	Represents the wildcard bits to be applied to the destination.
destination-port	Specifies the port to which the packet is being sent.
operator	Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
established	Represents the TCP protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
log	Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. By default, the message is generated for the first packet that matches and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
log-input	Includes the input interface and source MAC address or VC in the logging output.
any	Specifies any host. This is the same as using 0.0.0.0 255.255.255.255.
host	Specifies an exact host match. This is the same as a wildcard mask of 0.0.0.0.

Example 8-8 shows an extended numbered access list.

Example 8-8. Example of an Extended Numbered Access List

Brussels(config)# access-list 101 permit tcp any 134.34.0.0 0.0.255.255
Brussels(config)# access-list 101 permit tcp any host 134.35.1.1 eq smtp

In this example, all TCP packets with destination 134.34.0.0 are permitted. All SMTP packets going to 134.35.1.1, which is a mail server, are permitted by this access list.

A named extended access list has the same features as a numbered extended access list. It uses a different syntax:

[View full width]
ip access-list extended access-list-name {deny | permit} {protocol-number |
 protocol-keyword} { source source-wildcard | any | host} operator {source-port}
 {destination destination-wildcard | any | host} operator {destination-port} [established]
 [log | log-input]

All keywords have the same meaning as with the numbered extended access lists.

access-list 101 remark allow traffic to mail server

Access lists must be applied to a router interface to take effect. When an access list is applied to an interface, you also have to configure the direction of the data flow, as shown in Figure 8-1.

As you can see in Figure 8-1, there are two directions:

• Inbound The access list is applied to packets flowing toward the router interface.

• Outbound The access list is applied to packets flowing away from the router interface.

The interface command to apply an access list to an interface is as follows:

ip access-group {access-list-number | access-list-name} { in | out }

Table 8-7 describes the keywords you can use when assigning the access list to an interface.

Table 8-7. Access Group Keywords

Keyword	Description
access-list-number	Number of the IP standard or extended numbered access list
access-list-name	Name of the IP standard or extended named access list
In	Filters on inbound packets
Out	Filters on outbound packets

To display the access list you configured, you can use the command show access-lists followed by the access list name or number. There are many more show commands for access lists. This command shows all access lists configured on that device.

Enhanced Access Lists

Several types of enhanced access lists can be configured on a router. So far, only standard and extended access lists have been discussed in this chapter. Enhanced access lists were designed to secure routers and their networks better. They all have special features, and selection depends on your particular needs for security. The following types of access lists are available:

• Dynamic access lists

• Time-based access lists

• Reflexive access lists

Dynamic Access Lists

Dynamic access lists, also known as lock-and-key, create specific, temporary openings in response to user authentication. It is highly recommended to use a TACACS+ server for the authentication of the user. TACACS+ provides authentication, authorization, and accounting services and is discussed in more detail in Chapter 11. In the example illustrated in Figure 8-2, no TACACS+ server has been included for authentication for the sake of simplicity. Figure 8-2 shows a user connected to the Internet. The user is trying to connect to a device in the internal network.

Figure 8-2. Dynamic Access List

[View full size image]

To be able to connect to the device, the user needs a dynamic access list on Router A and a username for local authentication. Configure a username so that the user can access the device by using following command:

Tokyo(config)#username user password te5t

Because you should not count on the user to issue the access-enable command correctly, you need the line that follows under vty 0 4. The access-enable command is used to create a temporary access list entry in a dynamic access list.

Tokyo(config)#line vty 0 4
Tokyo(config-line)#login local
Tokyo(config-line)#autocommand access-enable host timeout 10

The autocommand used in this example is executed immediately when a user logs in via Telnet access.

You can define an extended access list that is applied when any user logs in to the router and the access-enable command is issued. The maximum absolute time for this hole in the filter is set to 15 minutes. After 15 minutes, the hole closes whether or not anyone is using it. The name dyntest is needed but is not significant.

Tokyo(config)#access-list 101 dynamic dyntest timeout 15 permit ip any any

After that, define the access list needed to block everything except the ability to use Telnet to access the router. Users must telnet into this router to authenticate themselves as a valid users. Therefore, the following line is needed for users to be able to telnet into this router:

Tokyo(config)#access-list 101 permit tcp any host 142.2.65.6 eq telnet

Now you only have to apply the access list to the interface on which users are coming.

Tokyo(config)#interface FastEthernet0/0
Tokyo(config-if)#ip access-group 101 in

When using the show access-lists command, the access list looks like this before any user has used Telnet to reach the router:

[View full width]
Tokyo#sh access-lists
Extended IP access list 101
    Dynamic dyntest permit ip any any
    permit tcp any host 142.2.65.6 eq telnet
Tokyo#
If users now access the router via Telnet, they must provide their usernames and passwords
 to open the hole:
C:\>telnet 142.2.65.5


User Access Verification
Username: user
Password:
No input access group defined for FastEthernet0/0.
[Connection to 142.2.65.6 closed by foreign host]
Brussels#telnet 142.2.65.6
Trying 142.2.65.6 ... Open


User Access Verification

Username: user
Password:
[Connection to 142.2.65.6 closed by foreign host]
Brussels#

If you now take a look at the access list again, it looks like the following code:

Tokyo#sh access-list
Extended IP access list 101
    Dynamic dyntest permit ip any any
      permit ip host 142.2.65.5 any (4 matches) (time left 586)
    permit tcp any host 142.2.65.6 eq telnet (40 matches)
Tokyo#

A hole has been created in the access list. The user should now be able to have complete IP access to any destination IP address from the source address (in the example, 142.2.65.5).

Time-Based Access Lists

In a time-based access list, the hole is created for a certain amount of time. The following commands are needed in order to configure a time-based access list:

Brussels(config)#int ethernet0/0
Brussels(config-if)#ip access-group time in
Brussels(config-if)#exit
Brussels(config)#ip access-list extended time
Brussels(config-ext-nacl)#permit tcp any any eq www time-range webaccess

Brussels(config-ext-nacl)#exit
Brussels(config)#time-range webaccess
Brussels(config-time-range)#periodic weekdays 8:00 to 18:00
Brussels(config-time-range)#end
Brussels#

This example allows users coming in on Ethernet 0/0 to have web access from 8:00 to 18:00 during all weekdays. Instead of weekdays, you can use several other keywords, such as the following:

Friday     Friday
Monday     Monday
Saturday   Saturday
Sunday     Sunday
Thursday   Thursday
Tuesday    Tuesday
Wednesday  Wednesday
daily      Every day of the week
weekdays   Monday thru Friday
weekend    Saturday and Sunday

Reflexive Access Lists

With reflexive access lists, you have the ability to filter network traffic at a router, based on IP upper-layer protocol session information. Reflexive access lists can be defined by extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named access lists. Reflexive access lists have significant differences from other types of access lists. They contain only temporary entries. These entries are automatically created when a new IP session begins and are removed when the session ends. Reflexive access lists are not applied directly to the interface, but are nested within an extended named IP access list that is applied to that interface. The syntax to define a reflexive access list is as follows:

ip access-list extended name
permit protocol any any reflect reflection-name [timeout seconds]

Define the reflexive access list using the permit entry and the reflect option. Then you can apply the extended access list to an interface. After you define a reflexive access list in one IP extended access list, you must nest the reflexive access list within a different extended named IP access list with the evaluate command. Example 8-9 should make that procedure clear.

Example 8-9. Example of an Reflexive Access List

interface Serial0/0
ip access-group incoming in
ip access-group outgoing out
!
ip access-list extended outgoing
permit tcp any any reflect tcptraffic
!
ip access-list extended incoming
permit eigrp any any
deny icmp any any
evaluate tcptraffic

With this configuration, before any TCP session has been initiated, the show access-lists displays the following:

Tokyo#show access-lists
Extended IP access list incoming
    permit eigrp any any
    deny icmp any any (26 matches)
    evaluate tcptraffic
Extended IP access list outgoing
    permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic

Notice that the reflexive access does not have anything showing up in this output. Before any TCP sessions have been initiated, no traffic has triggered the reflexive access list, and the list is empty. After a Telnet connection is initiated, the show access-lists look like this:

Tokyo#show access-lists
Extended IP access list incoming
    permit eigrp any any
    deny icmp any any (26 matches)
    evaluate tcptraffic
    permit ospf any any
Extended IP access list outgoing
    permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
    permit tcp host 142.2.65.6 eq 11001 host 142.2.65.5 eq telnet (25 matches) (time left 289)

Now a temporary entry is generated that stays there for another 289 seconds.