Data-Plane Security Topic Notes

Access Lists

  • Used to control the flow of data-plane traffic
  • Different types of Access Lists include:
    • Standard ACLs
      • Numbered 1-99
      • Based on Source IP only
      • Commands:
        • (config)#access-list <1-99> [permit | deny] <source address> <source wildcard> [log]
        • (config)#ip access-list standard [<1-99> | <acl-name>]
        • (config-std-nacl)#[permit | deny] <source address> <source wildcard> [log]
    • Extended ACLs
      • Numbered 100-199
      • Based on any or all of the following
        • Source Address
        • Destination Address
        • Protocol
        • Port Number
        • QoS marking
        • ICMP type code
        • Established TCP state (the established keyword)
      • Command:
        • (config)#access-list <100-199> [permit | deny] <protocol> <source address> <source wildcard> <destination address> <destination wildcard> [options] [time-range <time-range-name>]
        • (config)#ip access-list extended [<100-199> | <acl-name>]
        • (config-ext-nacl)#[permit | deny] <protocol> <source address> <source wildcard> <destination address> <destination wildcard> [options] [time-range <time-range-name>]
    • Time-Based ACLs
      • ACL entries activated by a time range
      • Useful for time-based QoS or traffic filtering
      • Time value can be
        • Periodic
          • Recurring window defined by
            • minutes
            • hours
            • Day of the week
            • Daily, Weekday, Weekend
          • Commands:
            • (config)#time-range <time-range-name>
            • (config-time-range)#periodic [day of the week | daily | weekdays | weekend] <start hh:mm> to <end hh:mm>
        • Absolute
          • Based on start or end time
          • Specific date and time
          • Commands:
            • (config)#time-range <time-range-name>
            • (config-time-range)#absolute [start | end] <hh:mm> <day of month> <month> <year> [end <hh:mm> <day of month> <month> <year>]

IPv4 ACLs

  • Can be used for
    • Traffic Filtering
      • Applied through the ip access-group command
      • Doesn't affect locally generated packets
      • Command:
        • (config-if)#ip access-group <acl> <in | out>
    • Traffic Classification
      • For Class Maps
      • Applied through match access-group command
      • Command:
        • (config-cmap)#match access-group <acl>
    • Route Filtering
      • Filters specific routes
      • Applied through distribute lists or route-maps
    • VTY line
      • Filters management access from remote clients
      • Applied through access-class in/out command
      • Command:
        • (config-line)#access-class <acl> <in | out>
      • Can change the listening port numbers using the rotary command

Wildcard Masks

  • Used in ACLs to match traffic to permit or deny
  • An easy method to work out a wildcard mask is to subtract the subnet mask from 255.255.255.255
    • Example:
      • Work out the wildcard mask for an ACL to match the following subnet: 192.168.0.0 255.255.248.0
      • Calculation:
        • 255.255.255.255 - Subnet mask
        • 255.255.255.255 - 255.255.248.0 = 0.0.7.255
        • Wildcard mask - 0.0.7.255
  • Fundamentally you are working out which bits are allowed to vary: a wildcard bit of 1 means "don't care", 0 means "must match".
  • More advanced calculations:
    • Example:
      • Work out the shortest wildcard mask to capture the following subnets: 192.168.2.0/24, 192.168.4.0/24, 192.168.6.0/24
      • Calculation:
        • Only the 3rd octet differs between the subnets, so that is the octet to work on.
        • Using the basic method above, the wildcard mask so far is 0.0.X.255, where X still needs to be calculated.
        • Find the bits that change and the bits that don't:
          • 2 = 00000010
          • 4 = 00000100
          • 6 = 00000110
        • The five high-order bits are the same in all three values; only the three low-order bits vary.
        • The wildcard mask bits for the five high-order bits are set to 0.
        • The next two bits change between the values, so they are set to 1.
        • The last bit is 0 in all three values, so it is set to 0.
        • The wildcard mask for the 3rd octet therefore ends up as:
        • 00000110 = 6
        • Total wildcard mask:
          • 00000000.00000000.00000110.11111111
          • = 0.0.6.255

IPv6 ACLs

  • Can be used for:
    • Traffic Filtering
      • Same functionality as IPv4
      • Applied through ipv6 traffic-filter command
      • ICMPv6 neighbor discovery must be permitted by the list, otherwise IPv6 on the interface will not function
      • Command:
        • (config)#ipv6 access-list <acl name>
        • (config-if)#ipv6 traffic-filter <acl> <in | out>
    • VTY Line
      • Same functionality as IPv4
      • Applied through ipv6 access-class command
      • Command:
        • (config-line)#ipv6 access-class <ipv6 filter name> <in | out>

Log Filtering and Limiting

  • Log messages can be generated when an access-list entry matches
  • Logs to syslog are generated at Informational or level 5
  • Packets that match an entry carrying the log keyword are process switched, so logging costs CPU

  • Set the logging interval, the minimum time between generated messages
    • Command:
      • (config)#ip access-list logging interval <milliseconds>
  • Set the logging update interval for number of ACL hits before a message is generated
    • Command:
      • (config)#ip access-list log-update threshold <number of ACL hits>
  • Set overall logging rate limiting
    • Command:
      • (config)#logging rate-limit <limit>
  • Syslog correlation tag
    • Command:
      • (config)#ip access-list logging hash-generation
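
Added example (not from the original notes) of consuming the ACL log messages these commands tune: a small Python parser run over constructed %SEC-6-IPACCESSLOGP lines that sums the per-message packet counts instead of counting lines, because the log-update threshold and logging interval batch many hits into one message. The message layout and the trailing hash tag are assumed from the IOS format; the sample lines themselves are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the IOS ACL logging format (%SEC-6-IPACCESSLOGP). The
# trailing packet count is the number of hits batched since the previous message.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40001) -> 192.0.2.10(22), 1 packet
Mar  1 10:05:01.456: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40002) -> 192.0.2.10(22), 499 packets
Mar  1 10:05:02.789: %SEC-6-IPACCESSLOGP: list 101 permitted udp 198.51.100.7(53) -> 192.0.2.20(5353), 1 packet
Mar  1 10:10:01.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40003) -> 192.0.2.10(22), 500 packets
Mar  1 10:10:05.002: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.9.9(40004) -> 192.0.2.10(22), 3 packets [Hash=0x1A2B3C4D]
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?(?: \[Hash=(?P<hash>0x[0-9A-Fa-f]+)\])?"
)

def parse_line(line):
    """One log line to a dict of fields, or None if it is not an ACL log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def denied_hits(text):
    """Total denied packets per (acl, src, dst, dport). Summing the count field rather
    than the lines is what keeps the totals right once hits are batched by the
    log-update threshold and the logging interval."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"], rec["dst"], rec["dport"])] += rec["count"]
    return dict(totals)

def sources_over(text, threshold):
    """Source addresses whose summed denied hits reach the threshold (a scan or
    brute-force attempt shows up here even when few lines were logged)."""
    per_src = defaultdict(int)
    for (_acl, src, _dst, _dport), n in denied_hits(text).items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    print(denied_hits(SAMPLE_LOG))          # four lines, but 1003 denied packets in total
    print(sources_over(SAMPLE_LOG, 1000))   # ['10.9.9.9']
```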

Catalyst Port ACLs (PACLs)

  • Applied on L2 ports
  • Only supported on ingress traffic
  • Filter transit traffic on interface or VLAN
  • MAC or IP based
    • MAC only affects non-IP traffic

  • Commands:
    • (config)#mac access-list extended <name>
    • (config-ext-macl)#[permit | deny] <any | src mac-address> <any | dst mac-address> <layer 2 options>

VLAN ACLs (VACLs)

  • Also known as VLAN maps
  • Configuration similar to route-maps
  • Written the opposite way round to ACLs
    • Explicitly deny the specific traffic of interest
    • Explicitly permit everything else
  • Applied to VLAN or SVI
  • Effective for all ports in VLAN
    • Access and Trunk
  • Controls IP and non-IP traffic
  • Matches based on MAC ACL
  • Configuration:
    • Permit IP based traffic with ACL
    • Apply ACL to vlan map
    • Set action of traffic

  • Commands:
    • (config)#ip access-list [standard | extended] <ACL name>
    • (config-ext-nacl)#[permit | deny] <protocol> <source> <destination> [eq <port number>]
    • (config)#vlan access-map <name> <sequence number>
    • (config-access-map)#match ip address <ACL name>
    • (config-access-map)#action [drop | forward]

Unicast Reverse Path Forwarding (uRPF)

  • Applied on interface
  • The source address of ingress traffic is checked against the CEF (FIB) table
  • Packets not matching are dropped
  • Modes:
    • Strict
      • The reverse route must point out of the same interface the packet arrived on
    • Loose
      • Reverse route can be via any interface
  • Acts as a simplified bogon/martian filter
    • e.g. traffic should not be sourced from multicast, broadcast, network or RFC 1918 addresses, etc.
  • Command:
    • (config-if)#ip verify unicast source reachable-via [rx | any]
  • Can be used for Remotely Triggered Black Hole Filtering (RTBHF)
    • Applied on edge routers
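
Added example (not the notes' or Cisco's code): a Python model of the strict and loose checks above against a constructed FIB, including the default-route case that the allow-default keyword controls on the real command. The prefixes and interface names are made up for the illustration.

```python
import ipaddress

# Constructed FIB for an edge router: (prefix, egress interface). FIB has no default
# route; FIB_WITH_DEFAULT adds one to show why loose mode needs care with it.
FIB = [
    ("10.0.0.0/8", "Gi0/1"),       # internal site behind Gi0/1
    ("192.0.2.0/24", "Gi0/2"),     # DMZ behind Gi0/2
    ("203.0.113.0/24", "Gi0/0"),   # upstream / internet-facing peer
]
FIB_WITH_DEFAULT = FIB + [("0.0.0.0/0", "Gi0/0")]

def lookup(src, fib):
    """Longest-prefix match; None when the source has no reverse route at all."""
    addr = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_permit(src, ingress, fib=FIB, mode="strict", allow_default=False):
    """The uRPF decision for one ingress packet.
    loose (reachable-via any): some reverse route must exist.
    strict (reachable-via rx): the reverse route must point back out the ingress interface.
    allow_default: whether a bare default route counts as a reverse route."""
    hit = lookup(src, fib)
    if hit is None:
        return False                     # unrouted source (bogon/martian): dropped
    net, reverse_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route matched: dropped
    return mode == "loose" or reverse_iface == ingress

if __name__ == "__main__":
    # A 10/8 source arriving on the upstream interface: strict drops it, loose lets it through.
    print(urpf_permit("10.1.2.3", "Gi0/0"), urpf_permit("10.1.2.3", "Gi0/0", mode="loose"))
    # A multicast source has no route in the FIB, so even loose mode drops it.
    print(urpf_permit("224.0.0.5", "Gi0/0", mode="loose"))
```

The model shows the trade-off behind the two modes: loose mode still catches unrouted sources, but only strict mode catches an internal prefix spoofed from the wrong interface.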

Flexible Packet Matching (FPM)

  • Uses Network-Based Application Recognition (NBAR) to identify packet types
  • Used to match protocol information in the data plane
    • e.g. HTTP packet and URL matching or different HTTP mime types
  • Can create custom NBAR matches based on certain criteria
    • e.g. match traffic with TEST in the first packet from TCP source port 1111
    • Commands:
      • (config)#ip nbar custom app_test1 <offset> ascii TEST source tcp 1111
      • (config-cmap)#match protocol app_test1
  • Traffic can be selectively dropped
    • Unconditional discard
    • Policer with conform and transmit drop actions
