Other Protocols in Software

Generating QR in Software Other Protocols

Obviously, many additional protocols have not been covered by the access list examples in this chapter; it's simply not possible for us to cover all the protocols that you may encounter in your own network This chapter's discussion, however, should provide a solid foundation that you can adapt to your own particular environment Applications will normally use one of the protocols presented and the examples in this chapter can be adapted to incorporate them

On a final note, a common problem encountered when attempting to create access list entries for protocols is the lack of information about the ports in use This problem can be alleviated through the creative use of access lists In the example below, we have created an access list that permits all protocols but logs information regarding the matches In this manner, the log entries can be examined to determine which ports the applications are using and then appropriate access list entries can be created: Interface serial 0 Ip access-group 101 in Ip access-group 102 out ! Logging buffered ! Access-list 101 permit tcp any any log Access-list 101 permit udp any any log Access-list 101 permit ip any any log ! Access-list 102 permit tcp any any log Access-list 102 permit udp any any log Access-list 102 permit ip any any log In practice, you will probably only want to log one protocol at a time to avoid consuming too many resources The command "show log" displays detailed information about each packet that matches the access list entries If possible, it is advisable to narrow the log entries to particular IP address

ranges In this section, we have seen how to create complex access lists using IP, TCP, UDP, and ICMP We have also seen examples of the limitations in using traditional access lists, including the inability to maintain information about the state of existing connections In the next chapter, we examine powerful access list features, including the capability to maintain information about the state of existing connections Next-generation IP access lists and additional IP security features will also be discussed in 8, "Advanced Cisco Router Security Features"

In this chapter, we will examine many of the more advanced security features available on Cisco routers Cisco has introduced many significant enhancements for traditional IP access lists, including the capability to maintain information about the state of existing connections In addition to access list enhancements, we will discuss other features that might be used to provide greater security on your network, such as TCP intercept and Network Address Translation

In this section, we examine several enhancements for traditional Cisco access lists We will first examine dynamic access lists, which provide the capacity to create dynamic openings in an access list through a user authentication process We will then look at time-based access lists, which enable you to configure different security policies based on factors such as the time of day or days of the week After examining time-based access lists, we will cover reflexive access lists, which will create dynamic openings in an access list on an as-needed basis as connections are opened through the router We will complete our coverage of next generation access lists by examining Context Based Access Control (CBAC), which is capable of creating dynamic openings in an access list such as reflexive access lists but supports a much greater variety of applications

Dynamic access lists are the first type of enhanced access list we will examine These access lists are also referred to as lock-and-key security Dynamic access lists permit dynamic entries to be inserted into traditional, standard, or extended IP access lists Dynamic entries in the access list are created by users through an authentication process Users open a Telnet session to the Cisco router to authenticate themselves Once the user is authenticated, the router closes the Telnet session and places a dynamic entry in the inbound access list, which permits packets originating from the IP address of the user's workstation This principle is illustrated in Figure 8 1

Figure 8 1: A user opens a Telnet session to the router and must authenticate Once the user is authenticated, a dynamic entry will be opened in an access list-enabling packets from the IP address of the users workstation

Entries are dynamically removed after either the idle-timeout or maximum-timeout period expires Users might be authenticated against a user database contained on the router itself or against a TACACS+ or Radius database An administrator might also specify a generic password to authenticate all users An example configuration using dynamic access lists is shown below Only relevant portions of the configuration are shown Username test password temp !

Interface serial 0 Ip address 1601211 2552552550 Encapsulation ppp Ip access-group 101 in ! The dynamic entry remains in effect until a configured timeout is access-list 101 permit tcp any host 1601211 eq telnet access-list 101 dynamic testlist timeout 10 permit ip any any ! line vty 0 4 login local autocommand access-enable host timeout 5 The code below shows what a user would see when the user initiates a Telnet session to the router telnet 1601211 Trying 1601211 Open

User Access Verification Username: test Password: [Connection to 1601211 closed by foreign host] Notice that the router closes the connection immediately after authentication A dynamic entry has been added to the access list The code NT1 NT below shows the output from "show access list" before and after user authentication Before: router#sh access-list Extended IP access list 101 permit tcp any host 1601211 eq telnet

Dynamic test Max 10 mins permit ip any any timeout 5 min After: router#sh access-list Extended IP access list 101 permit tcp any host 1601211 eq telnet (24 matches) Dynamic test Max 10 mins permit ip any any timeout 5 min permit ip host 17510011 any idle-time 5 min router# Notice that a dynamic access list entry has been created The entry is identical to the static access list entry in the router configuration, except for the fact that the source address has been changed from "any" to "17510011" The other properties of the dynamic entry have been inherited from the main access list entry Specifically, the protocol is IP, and the destination is any We could have specified other protocols, such as TCP, or more specific destination IP addresses if we wished Several points of interest exist in the configuration code Notice that the username "test," which is how we create a user database on the router, is defined Another option would have been to add a generic password to the virtual terminal lines that all users could use to authenticate themselves Using a generic password is not recommended While it might make administration easier, generic passwords also make it easier for an attacker to create openings on the router When both a user ID and a password are used, both must be guessed to gain access Next, notice the entries for access list 101 The first entry is necessary to enable users to telnet to the router for authentication The use of the "dynamic" keyword in the second entry signals the use of dynamic access lists The timeout defined in the access list statement is a maximum timeout period and is optional Notice that the permit statement allows all IP packets The dynamic entry created will provide IP packets from all authenticated hosts access to any IP addresses, as seen in the above code We could have modified this access list entry to permit only certain protocols, ports, and destinations, like any other extended access list entry only the source IP address would be replaced in the dynamic entry This situation means that all users would have the same access No method exists to create different access list entries based upon different users Finally, notice the use of the "autocommand" keyword beneath the vty line in the sample configuration using dynamic access lists This command enables the creation of dynamic entries in the access list after a user has authenticated via a Telnet session to the router The timeout parameter listed with the "autocommand" statement is an idle timeout and is also optional One of the timeout parameters should be used; otherwise, dynamic entries will never time out and will remain active until the next router reload Notice that by using this configuration, you prevent an administrator from managing the router remotely through a normal Telnet session All Telnet sessions opened to the router would be treated as if you were attempting to establish dynamic access list entries This feature creates a problem when an administrator needs to manage a router remotely To enable normal Telnet access to the router for management purposes, the following changes would need to be made to

the configuration: line vty 3 4 login local password cisco rotary 1 The use of the "rotary 1" command enables normal Telnet access to the router on port 3001 An administrator would need to specify the use of port 3001 when attempting to access the router via a Telnet session, as in the following example: telnet 1601211 3001 Next, we present some tips to follow when configuring dynamic access lists Do not assign the same name to a dynamic access list that used on another access list Define at least the idle timeout or the absolute timeout If both are defined, the idle timeout should be less than the absolute timeout If possible, limit the openings that are created by dynamic access list entries to particular protocols and particular destination IP addresses