Debugging Traffic Using ACLs

ACLs can be used to filter debug output on a router. Running debugs on a router is resource intensive and can consume nearly all system resources, such as memory and processing power. Excessive debugging under high load conditions may cause unexpected interruptions or, in some cases, cause the device to crash. Therefore, debugging commands need to be used with extreme caution. Before enabling debugging, inspect the CPU load with the show processes cpu command and verify that sufficient CPU is available before running the debugs.

One way of reducing the impact of the debug command on a device is to use an ACL to selectively define the traffic criteria that need to be examined. This ACL does not do any packet filtering; it is used only for controlled monitoring and is not applied to any interface. Example 2-9 shows a configuration that enables debugging only for packets between the hosts 10.1.1.1 and 192.168.1.1 using the debug ip packet [detail] command. Keep in mind that debug ip packet shows only process-switched packets; transit traffic that is CEF or fast switched is not displayed, and disabling route caching to see it is itself a heavy load on the router.

Example 2-9. Debugging Traffic Using ACL Example

Router(config)# access-list 101 permit ip host 10.1.1.1 host 192.168.1.1
Router(config)# access-list 101 permit ip host 192.168.1.1 host 10.1.1.1
Router(config)# end
Router# debug ip packet detail 101
IP packet debugging is on (detailed) for access list 101

Caution

On the router console, while debugs are running, the router prompt is usually not visible because debug output tends to scroll very fast on the console screen, especially when the debug is intensive. Use the no debug all or undebug all command to stop the debugs (type this command blind if necessary). For more information on safely using debugs, visit

http://www.cisco.com/en/US/tech/tk801/tk379/technologies_tech_note09186a008017874c.shtml

Summary

ACLs are the most common and least expensive method available for filtering traffic across the network. This chapter primarily focused on the use of ACLs for traffic filtering. An overview of IP addressing, subnets, and masks was also presented to help you better understand the implementation of ACLs. A major portion of this chapter was devoted to several types of ACLs and their applications. All Cisco IOS Software versions are capable of supporting ACLs.

References

http://www.iana.org/ipaddress/ip-addresses.htm

http://www.freesoft.org/CIE/Topics/26.htm

http://www.isoc.org/briefings/021/

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00800ca7c0.html

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008030c799.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080374.html

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080431056.html

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Classification ACLs

Another common type of ACL is the classification ACL, also commonly known as a characterization ACL. It is initially composed entirely of permit statements for the various protocols, ports, flags, and so on that could be sent to any of these three destinations: an infrastructure device, a public server in the protected zone, or any other device in the network. In some cases, a classification ACL can also accept any source and destination IP address by using the keyword any in the ACL. This type of ACL is useful in classifying and characterizing a denial-of-service (DoS) attack and identifying the type of traffic and its source. Logging can be used to develop a list of source addresses that match the protocol permit statements (the log-input keyword also records the ingress interface and source MAC address, which helps when the source addresses are spoofed). A last line permitting ip any any is required to permit all other traffic flow. Because every line is a permit, the ACL changes nothing about what is forwarded; its value is entirely in the hit counters.

Example 2-8 shows a sample ACL that characterizes a suspected DoS attack. The first line checks for possible ICMP Smurf attacks. The second line checks for any sort of TCP SYN attack. The third, fourth, and fifth lines check for any sort of fragment attack. Finally, the last four lines check for common protocol types. This ACL is a very basic generic example; a classification ACL can be built for virtually any protocol, ports, flags, and so on.

Example 2-8. Example of DoS Characterization ACL

access-list 101 permit icmp any any echo
access-list 101 permit tcp any any syn
access-list 101 permit tcp any any fragments
access-list 101 permit udp any any fragments
access-list 101 permit ip any any fragments
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 permit ip any any

After applying this ACL on the suspected ingress interface, enter the show access-list command repeatedly and check for the line that shows the highest hit count, which indicates the likely nature of the attack. Continue to tune this ACL to further narrow down the type of traffic until a closer match is found. This is a very useful technique to use during a DoS attack, particularly when you are unsure what type of DoS attack is underway.
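The following Python script is an added example, not code from the page or from Cisco IOS. It models what show access-list reports for Example 2-8: first-match hit counters per line, plus the per-line set of source addresses that the log keyword would reveal. The packets are constructed sample data. The noninitial-fragment handling follows the IOS rule that an entry carrying Layer 4 criteria cannot check them on a noninitial fragment, so a permit entry whose Layer 3 part matches permits the fragment.

```python
"""Classification ACL hit counting over a constructed packet sample.

Added example, not code from the page or from Cisco IOS. It models the
first-match counting that "show access-list" reports for Example 2-8 and
the per-line source list that the log keyword would yield.
"""
from collections import Counter, defaultdict


def _syn(pkt):
    # IOS "syn": the SYN bit is set (SYN/ACK replies match too)
    return "SYN" in pkt.get("flags", set())


def _icmp_echo(pkt):
    return pkt.get("icmp_type") == 8


# Example 2-8, one tuple per line:
# (text, protocol, Layer 4 predicate or None, fragments keyword present)
CLASSIFICATION_ACL = [
    ("permit icmp any any echo",      "icmp", _icmp_echo, False),
    ("permit tcp any any syn",        "tcp",  _syn,       False),
    ("permit tcp any any fragments",  "tcp",  None,       True),
    ("permit udp any any fragments",  "udp",  None,       True),
    ("permit ip any any fragments",   "ip",   None,       True),
    ("permit tcp any any",            "tcp",  None,       False),
    ("permit udp any any",            "udp",  None,       False),
    ("permit icmp any any",           "icmp", None,       False),
    ("permit ip any any",             "ip",   None,       False),
]


def match_line(acl, pkt):
    """Index of the first entry that matches pkt (every entry here is a permit).

    Noninitial fragments carry no Layer 4 header. IOS handles an entry that has
    Layer 4 criteria by permitting such a fragment on a Layer 3 match (a deny
    entry would be skipped); an entry with the fragments keyword matches only
    noninitial fragments.
    """
    noninitial = pkt.get("frag_offset", 0) > 0
    for i, (_, proto, layer4, fragments_kw) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue                       # Layer 3 protocol does not match
        if fragments_kw:
            if noninitial:
                return i
            continue
        if layer4 is None or noninitial:   # nothing (or nothing checkable) at Layer 4
            return i
        if layer4(pkt):
            return i
    return None                            # unreachable with a trailing permit ip any any


def classify(acl, packets):
    """Return (hits per entry index, set of source addresses per entry index)."""
    hits = Counter()
    sources = defaultdict(set)
    for pkt in packets:
        i = match_line(acl, pkt)
        hits[i] += 1
        sources[i].add(pkt["src"])
    return hits, sources


def top_line(acl, packets):
    """The line with the highest hit count, which is what the text says to look for."""
    hits, _ = classify(acl, packets)
    i, count = hits.most_common(1)[0]
    return acl[i][0], count


# Constructed sample: a SYN flood from 40 spoofed sources plus background traffic.
SAMPLE = (
    [{"proto": "tcp", "src": f"203.0.113.{n}", "flags": {"SYN"}} for n in range(1, 41)]
    + [{"proto": "tcp", "src": "198.51.100.7", "flags": {"ACK"}}] * 5
    + [{"proto": "udp", "src": "198.51.100.8", "frag_offset": 185}] * 3
    + [{"proto": "tcp", "src": "198.51.100.9", "frag_offset": 185}]
    + [{"proto": "icmp", "src": "198.51.100.10", "icmp_type": 8}] * 2
)

if __name__ == "__main__":
    hits, sources = classify(CLASSIFICATION_ACL, SAMPLE)
    for i, entry in enumerate(CLASSIFICATION_ACL):
        print(f"access-list 101 {entry[0]:30} ({hits[i]} matches)")
    print("highest:", top_line(CLASSIFICATION_ACL, SAMPLE))
    print("distinct sources on that line:", len(sources[1]))
```

With the line order of Example 2-8, the one TCP noninitial fragment in the sample is counted on the syn line rather than on the tcp fragments line, because the syn entry's Layer 3 part matches first and its Layer 4 part cannot be checked. If you want TCP fragments counted on their own line, place the fragments entries above the syn entry.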

Transit ACLs

Transit ACLs are similar to infrastructure protection ACLs in two ways: transit ACLs give you a conceptual view, and they do not require special configuration. Transit ACLs represent one of the many ways to increase network security by explicitly permitting only known traffic into the network. For most network environments, filtering should be applied to control inbound traffic into the network and to block any unauthorized attempt at the edge of the network. Service provider networks, for example, often control traffic entering or leaving customer networks by using edge or transit filtering. This protects one customer from unwanted traffic originating from another because the unwanted traffic is dropped at the service provider edge.

A transit ACL is developed using the following guidelines:

Use antispoofing protection based on best practices from the following three RFCs:

- RFC 1918: Private address space not routable on the Internet

- RFC 3330: Special-use addresses that might require filtering

- RFC 2827: Antispoofing (ingress filtering) guidelines

Explicitly permit return traffic for all connections originating from the internal network to the Internet

Explicitly permit externally sourced traffic that originates from the external network and is destined to the protected internal network, for the services that must be reachable from outside

Explicitly use a deny statement toward the end of the ACL

Visit the Cisco documentation URL shown in the Tip that follows for an example of a transit ACL.

Tip

For more details on transit ACLs and basic configuration templates, refer to

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Infrastructure Protection ACLs (iACL)

An infrastructure ACL (iACL) is a conceptual view, and no special configuration is required. It is mainly used to minimize the risk of direct infrastructure attacks by explicitly permitting only authorized traffic to the infrastructure devices (such as the routers, switches, and firewalls). This technique secures network devices by denying access from external sources to all infrastructure device addresses that do not require direct access. When configuring an iACL, be careful to ensure that the iACL allows all transit traffic traversing the router and maintains an uninterrupted packet flow, while complying with basic RFCs such as RFC 1918, RFC 3330, and RFC 2827 ingress filtering and antispoofing guidelines.

Because infrastructure protection ACLs combine a number of techniques and solutions that protect networks from both accidental and malicious risks, you should actively consider deploying them at all network ingress points.
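The following Python script is an added example that serves both the transit ACL guidelines and the iACL description above; it is not a Cisco template and not code from the page. It derives the address/wildcard pairs that IOS numbered ACLs need from CIDR prefixes, builds the antispoofing block from the RFC 1918 and RFC 3330 ranges named in the text, and assembles the two lists in the prescribed order. The customer block, infrastructure block, and peer address are constructed.

```python
"""Build the antispoofing skeleton of a transit ACL and an infrastructure ACL.

Added example; the prefix list, the address plan and the line format are
mine, derived from the RFCs named in the text, not a Cisco template. The
ipaddress module turns each CIDR prefix into the address/wildcard pair that
IOS numbered ACLs use.
"""
import ipaddress

# RFC 1918 private space plus RFC 3330 special-use blocks that must never be a
# source address arriving from the Internet. Illustrative, not an exhaustive list.
BOGON_PREFIXES = [
    "0.0.0.0/8",        # "this" network (RFC 3330)
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback (RFC 3330)
    "169.254.0.0/16",   # link local (RFC 3330)
    "172.16.0.0/12",    # RFC 1918
    "192.0.2.0/24",     # TEST-NET (RFC 3330)
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast used as a source
    "240.0.0.0/4",      # reserved (RFC 3330)
]


def wildcard(prefix):
    """(network address, IOS wildcard mask) for a CIDR prefix.
    The wildcard is the inverse of the subnet mask: 1 bits mean 'do not care'."""
    net = ipaddress.ip_network(prefix, strict=True)
    return str(net.network_address), str(net.hostmask)


def antispoof_lines(acl_number, internal_prefixes):
    """RFC 2827 ingress filtering: drop bogon sources and our own address space
    when they arrive from outside. log-input records the ingress interface and
    source MAC, which is what identifies a spoofing neighbor."""
    lines = []
    for prefix in BOGON_PREFIXES + list(internal_prefixes):
        addr, wc = wildcard(prefix)
        lines.append(f"access-list {acl_number} deny ip {addr} {wc} any log-input")
    return lines


def transit_acl(acl_number, internal_prefixes, permits):
    """Inbound transit ACL in the order the text prescribes: antispoofing denies,
    explicit permits (return traffic, then the published services), explicit deny."""
    lines = antispoof_lines(acl_number, internal_prefixes)
    lines += [f"access-list {acl_number} {p}" for p in permits]
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


def infrastructure_acl(acl_number, internal_prefixes, infra_prefix, peer_permits):
    """iACL: after antispoofing, allow only authorized sources to the infrastructure
    block, deny everything else addressed to it, then pass all transit traffic."""
    infra_addr, infra_wc = wildcard(infra_prefix)
    lines = antispoof_lines(acl_number, internal_prefixes)
    lines += [f"access-list {acl_number} {p}" for p in peer_permits]
    lines.append(f"access-list {acl_number} deny ip any {infra_addr} {infra_wc} log")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def is_spoofed(src, internal_prefixes):
    """True if a packet with this source, arriving from the Internet, hits an antispoof deny."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in BOGON_PREFIXES + list(internal_prefixes))


# Constructed address plan: a customer block, the provider's infrastructure block, an eBGP peer.
INTERNAL = ["198.51.100.0/24"]
INFRA = "203.0.113.0/24"
PEER = "209.165.200.225"

if __name__ == "__main__":
    print("\n".join(transit_acl(110, INTERNAL, [
        "permit tcp any 198.51.100.0 0.0.0.255 established",
        "permit tcp any host 198.51.100.25 eq smtp",
    ])))
    print("!")
    print("\n".join(infrastructure_acl(120, INTERNAL, INFRA, [
        f"permit tcp host {PEER} host 203.0.113.1 eq bgp",
        "permit icmp any 203.0.113.0 0.0.0.255 echo-reply",
    ])))
```

The antispoofing block is shared by both lists because the text asks for it in both; the lists differ only in what follows it, a closing deny for transit filtering versus a deny for the infrastructure block followed by permit ip any any so that transit traffic keeps flowing.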

Receive ACLs (rACL)

Cisco 12000 series Gigabit Switch Routers (GSR) and 7500 platforms support Receive ACLs (rACL) to increase security and thereby protect the router from unnecessary and potentially undesirable traffic. High volumes of data sent to the Gigabit Route Processor (GRP) can be overwhelming, resulting in an effective denial-of-service (DoS) attack. GSRs need to be protected against such scenarios, which may result from DoS attacks directed at the GRP of the router. A few techniques are available to mitigate DoS, such as rate-limiting traffic destined to the GRP from the line cards. Unfortunately, this approach comes with a trade-off and some limitations. Rate limiting for normal-priority traffic destined to the GRP does not guarantee protection for critical traffic, such as routing protocol data, in the event of an attack channeled via several line cards. An rACL instead filters traffic addressed to the router itself on the line cards, before it reaches the GRP, and has no effect on transit traffic.

A receive ACL is configured using the following global configuration command and is distributed to each line card in the router. Standard and extended ACL numbers are supported for rACL.

ip receive access-list access-list-number

Turbo ACLs

Traditional ACLs are searched sequentially (top-down) to find matching criteria. As the ACLs grow, a significant amount of time and memory can be consumed by lookups when packets are being processed. This adds a variable latency to packet forwarding and results in performance issues. The Turbo ACL feature is designed to process ACLs more efficiently to improve router performance. This feature is available on high-end platforms such as the Cisco 7200 and 7500 series routers and the Cisco 12000 series Gigabit Switch Routers (GSR).

The Turbo ACL feature compiles the ACLs into a set of lookup tables while maintaining the first-match requirements. Packet headers are used to access these tables in a small, fixed number of lookups, independent of the existing number of ACL entries. This greatly improves performance and saves ACL lookup cycles.

Note

ACLs configured with time-range or reflexive ACLs are not supported and are excluded from Turbo ACL acceleration.

To enable the Turbo ACL feature, use the access-list compiled command from global configuration mode to compile all ACLs. This command should be applied after the normal ACLs have been configured and are ready to be compiled.

The Turbo ACL feature is disabled by default. When Turbo ACL is not enabled, normal ACL processing is in effect, with no ACL acceleration.

Use the show access-list and the show access-list compiled commands to verify that the Turbo ACL feature has taken effect and ACLs have been compiled for acceleration. The ACLs will be flagged as (Compiled), indicating they are operating as accelerated ACLs.

Configuring Distributed Time-Based ACLs

Because this feature is enabled automatically when a normal time-range ACL is configured on a line card interface, there is no command syntax to enable this feature. The command syntax is the same as for the time-based ACL. The feature is only a software code integration in the IOS; no additional commands are required.

Use the following commands to monitor the status and display statistics for the Interprocessor Communication (IPC) messages between the RP and the line card:

clear time-range ipc

Used to clear the time-range IPC message statistics and counters between the RP and the line card.

debug time-range ipc

Used to enable debugging output for monitoring the time-range IPC messages between the RP and the line card.

show time-range ipc

Used to display the statistics about the time-range IPC messages between the RP and the line card.

Distributed Time-Based ACLs

Distributed time-based ACLs were introduced primarily for the high-end routers. Distributed time-based ACLs were designed to be implemented on the VPN-enabled Cisco 7500 series routers. As discussed earlier, time-based ACLs were not initially supported on the line cards in the Cisco 7500 series. If an interface on a 7500 line card was configured with a time-based ACL, the packets switched into the interface were not "distributed switched" through the line card. Instead, they were forwarded to the route processor for processing and therefore did not take advantage of the distributed switching capability. The distributed time-based ACLs feature allows packets destined for an interface that is configured with time-based ACLs to be "distributed switched" through the line card.

Distributed time-based ACLs leverage the performance benefits of distributed switching and the flexibility provided by time-based ACLs. The software clock must remain synchronized between the Route Processor (RP) and the line card for the distributed time-based ACL to function properly.

Established ACLs

The established keyword in a TCP extended ACL validates that a packet belongs to an existing connection from an ongoing TCP session initiated earlier by checking whether the TCP segment has the acknowledgment (ACK) or reset (RST) bit set. This mechanism allows only internal networks to initiate a TCP session outbound through the device. Any TCP connection originated from the external network inbound is dropped. Note that the check is stateless: the router keeps no record of sessions, so any segment with ACK or RST set is permitted, including ACK or RST probes from a port scanner and crafted segments that belong to no session. Reflexive ACLs and CBAC provide stateful alternatives.

The configuration in Example 2-6 for Figure 2-5 shows TCP traffic sourced from Network A (10.2.2.0/24) destined to Network B (10.1.1.0/24) being permitted, while denying TCP traffic from Network B destined to Network A.

Figure 2-5. Established ACL Example

ACL 101 in Example 2-6 permits inbound TCP packets to pass through the router interface Ethernet1 only when the TCP segment has the acknowledgment (ACK) or the reset (RST) bit set, allowing an established TCP session originated from inside. When a host from Network B (10.1.1.0/24) initiates a TCP connection by sending the first TCP packet of the three-way handshake with only the SYN bit set, it will be denied, and the TCP session will not succeed. Any TCP session initiated from Network A (10.2.2.0/24) destined to Network B (10.1.1.0/24) will be permitted because all the return packets, starting with the SYN/ACK, will have the ACK or RST bit set. Any segment with neither the ACK nor the RST bit set will be dropped.

Example 2-6. Established ACL Example

interface Ethernet1
ip address 10.1.1.2 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp any any established
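The following Python script is an added example, not code from the page. It applies ACL 101 of Example 2-6 to a handful of constructed packets arriving inbound on the Network B side and shows what the established keyword lets through, including the ACK and RST probes that no inside host asked for.

```python
"""The established keyword as a stateless check, applied to sample packets.

Added example, not from the page. It applies ACL 101 of Example 2-6 (permit
tcp any any established, inbound on the Network B side) to constructed packets.
IOS calls a TCP segment established when its ACK or RST bit is set and checks
nothing else, which is exactly what lets unsolicited ACK or RST probes through.
"""


def established(flags):
    """The IOS 'established' test: the ACK or the RST bit is set."""
    return bool(flags & {"ACK", "RST"})


def inbound_decision(pkt):
    """Example 2-6 has a single line, 'permit tcp any any established';
    everything else, TCP or not, falls through to the implicit deny."""
    if pkt["proto"] == "tcp" and established(pkt.get("flags", set())):
        return "permit"
    return "deny"


# Constructed packets arriving inbound on Ethernet1 from Network B (10.1.1.0/24).
PACKETS = {
    # B tries to open a session to A: SYN only, dropped
    "syn_from_b":   {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.20", "flags": {"SYN"}},
    # B answers a session that A opened: SYN/ACK, permitted
    "synack_reply": {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.20", "flags": {"SYN", "ACK"}},
    # later data from B in that session: ACK set, permitted
    "data_reply":   {"proto": "tcp", "src": "10.1.1.10", "dst": "10.2.2.20", "flags": {"ACK", "PSH"}},
    # an ACK scan from a host in B with no session behind it: also permitted
    "ack_scan":     {"proto": "tcp", "src": "10.1.1.66", "dst": "10.2.2.20", "flags": {"ACK"}},
    # an RST probe: also permitted
    "rst_probe":    {"proto": "tcp", "src": "10.1.1.66", "dst": "10.2.2.20", "flags": {"RST"}},
    # UDP carries no TCP flags: implicit deny
    "udp_dns":      {"proto": "udp", "src": "10.1.1.10", "dst": "10.2.2.53"},
}


def decisions():
    """Decision for every sample packet, keyed by its label."""
    return {name: inbound_decision(pkt) for name, pkt in PACKETS.items()}


def permitted_without_session():
    """The labels that pass although no inside host opened a session for them."""
    return [name for name in ("ack_scan", "rst_probe")
            if inbound_decision(PACKETS[name]) == "permit"]


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:14} {verdict}")
    print("passed with no session:", permitted_without_session())
```

The two probe packets are the point: the established keyword blocks the SYN that opens a session from Network B, but nothing prevents a scanner in Network B from sending ACK or RST segments to map hosts and open ports in Network A.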

Time-Based ACLs Using Time Ranges

Time-based ACLs are similar to extended ACLs in function; they provide the additional feature of controlling access based on the time. The time range relies on the router's system clock. However, this feature works best with Network Time Protocol (NTP) synchronization, because an unsynchronized or unset clock makes the range take effect at the wrong time, or not at all. IP and IPX numbered or named extended ACLs are the only functions that can use time ranges.

To configure time-based ACLs, a time range is created that defines specific times of the day and week. The time range is identified by a name and then referenced within the extended ACL, which controls when the permit or deny statements in the ACL are in effect. Both named and numbered ACLs can reference a time range.

Step 1. Assign a name to the time range to be configured and enter time-range configuration mode for subcommands.

Router(config)# time-range time-range-name

Step 2. Specify when this time range will be in effect. Multiple periodic statements are allowed; only one absolute statement is allowed.

Define an absolute time.

Router(config-time-range)# absolute [start time date] [end time date]

Or define a periodic time.

Router(config-time-range)# periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm

Step 3. Reference the time range in the extended ACL.

Router(config)# access-list number {permit | deny} protocol source destination time-range name_of_time_range

Step 4. Apply the ACL to an interface.

Router(config)# interface {interface-name}
Router(config-if)# ip access-group {access-list-number|name} {in | out}

Example 2-7 shows a configuration that permits all IP traffic through the network on weekdays (Monday through Friday) during normal business hours; outside those hours the permit statement is not in effect, and the implicit deny blocks all traffic.

Example 2-7. Time-Based ACL Example

interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip access-group 101 in
access-list 101 permit ip any any time-range mytime
time-range mytime
periodic weekdays 9:00 to 17:00
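The following Python script is an added example, not IOS code. It parses the periodic and absolute statements from Steps 1 and 2, decides whether a named time range is active at a given moment, and applies that to ACL 101 of Example 2-7. Only the same-day periodic form shown in the example is handled; the cross-day form with a second days-of-the-week argument is not.

```python
"""Evaluate IOS time-range statements against a clock.

Added example, not IOS code. It parses the 'periodic' and 'absolute' forms
from Steps 1 and 2 and decides whether a time range is active at a given
datetime, which is the check the router performs on each packet. Day-name
handling follows the IOS keywords (daily, weekdays, weekend, day names).
"""
from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_KEYWORDS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _days(token):
    return DAY_KEYWORDS[token] if token in DAY_KEYWORDS else {DAYS.index(token)}


def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


class TimeRange:
    """One named time-range: any number of periodic statements, at most one absolute."""

    def __init__(self, name):
        self.name = name
        self.periodic = []        # (weekday set, start time, end time), same-day form only
        self.absolute = None      # (start datetime or None, end datetime or None)

    def add(self, statement):
        """Accepts 'periodic <days> hh:mm to hh:mm' and
        'absolute [start hh:mm D Month YYYY] [end hh:mm D Month YYYY]'."""
        words = statement.split()
        if words[0] == "periodic":
            self.periodic.append((_days(words[1]), _hhmm(words[2]), _hhmm(words[4])))
        elif words[0] == "absolute":
            start = end = None
            i = 1
            while i < len(words):
                stamp = datetime.strptime(" ".join(words[i + 1:i + 5]), "%H:%M %d %B %Y")
                if words[i] == "start":
                    start = stamp
                else:
                    end = stamp
                i += 5
            self.absolute = (start, end)
        else:
            raise ValueError(f"unknown time-range statement: {statement}")

    def active(self, now):
        """True when the range is in effect. An absolute window, when present,
        bounds everything; periodic statements are OR-ed inside that window."""
        if self.absolute:
            start, end = self.absolute
            if (start and now < start) or (end and now > end):
                return False
            if not self.periodic:
                return True
        clock = now.time()
        return any(now.weekday() in days and start <= clock <= end
                   for days, start, end in self.periodic)

    def active_at(self, iso_timestamp):
        return self.active(datetime.fromisoformat(iso_timestamp))


def example_2_7_decision(time_range, iso_timestamp):
    """ACL 101 of Example 2-7: 'permit ip any any time-range mytime'. When the
    range is inactive the entry does not match and the implicit deny applies."""
    return "permit" if time_range.active_at(iso_timestamp) else "deny"


if __name__ == "__main__":
    mytime = TimeRange("mytime")
    mytime.add("periodic weekdays 9:00 to 17:00")
    for stamp in ("2024-03-12T10:30", "2024-03-12T17:01", "2024-03-16T10:30"):
        print(stamp, example_2_7_decision(mytime, stamp))
```

The router performs this evaluation with whatever its clock says, which is why the text recommends NTP: with the wrong time, Example 2-7 silently opens or closes the interface at the wrong hours.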

IP Named ACLs

Cisco IOS Software also added the capability to use a name in the ACL. This allows standard and extended ACLs to be given names instead of numbers. All other parameters remain the same. This is an additional feature added to the standard ACL convention. The command syntax format you use to define a named ACL is the following:

Router(config)# ip access-list {standard | extended} access-list-name

(Followed by permit/deny criteria statements)

Example 2-3 shows the configuration of a standard named ACL called myacl that permits all traffic sourced from network 192.16.1.0/24 and host 172.65.1.1.

Example 2-3. Standard Named ACL Example

ip access-list standard myacl
permit 192.16.1.0 0.0.0.255
permit host 172.65.1.1
(Note: implicit deny)

Example 2-4 shows the configuration of an extended named ACL called myacl that permits SMTP access to host 172.16.1.1, DNS packets, and all ICMP packets.

Example 2-4. Extended Named ACL Example

ip access-list extended myacl
permit tcp any host 172.16.1.1 eq smtp
permit tcp any any eq domain
permit udp any any eq domain
permit icmp any any
(Note: implicit deny)

Lock and Key (Dynamic ACLs)

Lock and key (also known as dynamic ACLs) allows you to set up a dynamic entry that provides per-user access control to a particular source/destination using an authentication mechanism. The lock-and-key feature depends on the following items: the Telnet protocol, an authentication process, and an extended ACL.

The following process describes the operation of lock-and-key access:

1. Configure an extended ACL to block traffic through the router, except the ability to telnet to the router from any host. This is important, because the user needs to telnet to the router to open the dynamic access entry. If the ACL denies everything, the whole process will fail.

2. Users who want to pass traffic through the lock-and-key router must initiate a Telnet session to the router and authenticate successfully with valid credentials; dynamic entries are populated accordingly.

3. Either the local router or a remote authentication server performs the authentication process using TACACS+ or RADIUS. (Cisco recommends using a TACACS+ server.)

4. When the Telnet authentication completes, the router disconnects the Telnet session, and a dynamic entry is populated in the extended ACL that was configured earlier. This dynamic entry permits traffic for a particular period.

Follow the steps shown to configure lock-and-key access. Note that this example uses local router authentication.

Configure a local username for authentication:

username test password test123

Under the vty lines, configure login local; this will trigger the authentication process.

line vty 0 4
login local

To automatically invoke the access-enable command and set the timeout parameter, configure the autocommand by using one of the following methods:

1. Configure the access-enable command and associate the timeout with the user authorization on a per-user basis.

username test autocommand access-enable host timeout 10

2. Configure a global timeout value for all users who telnet in, so that they all receive the same timeout.

line vty 0 4
login local
autocommand access-enable host timeout 10

Note

The value 10 in the previous example is the idle timeout for the ACL. The absolute timeout configured in the dynamic ACL always overrides this value: the entry is removed when either timer expires, so the idle timeout should be shorter than the absolute timeout.

Then configure an extended ACL that is activated when a user (any user) logs in to the router and the access-enable command is invoked. The maximum absolute time for this "hole" in the filter is set to 15 minutes; 15 (minutes) is the absolute timeout, and 10 (minutes) is the idle timeout. After 15 minutes, the dynamic entry is removed, regardless of activity and whether anyone is connected. Limit the networks to which the user needs access by configuring the source or destination address and/or protocol/port details. The following example allows the user to connect to the SMTP server 192.168.1.1 after a successful authentication.

access-list 102 dynamic myacl timeout 15 permit tcp any host 192.168.1.1 eq smtp

The ACL should explicitly ensure that the capability for the host to telnet into the router is permitted, as shown in the example that follows. The IP address used in this example is the Ethernet IP address of the router to which the user telnets to authenticate and open the dynamic hole. Because Telnet carries the credentials in cleartext, restrict this line to the source addresses that need lock-and-key access where possible.

access-list 102 permit tcp any host 172.16.1.2 eq telnet

Apply this ACL to the interface on which the user is connected:

interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip access-group 102 in

The ACL will appear as follows after a user has successfully authenticated, and a dynamic entry will be populated in the extended ACL with the source address of the host. In the sample output that follows, the user host address is 172.16.1.5, and the user is permitted to connect to the SMTP server at 192.168.1.1. All other traffic from this host is blocked.

Router# show access-lists
Extended IP access list 102
10 Dynamic myacl permit tcp any host 192.168.1.1 eq smtp
permit tcp host 172.16.1.5 host 192.168.1.1 eq smtp (time left 160)
20 permit tcp any host 172.16.1.2 eq telnet (104 matches)

The dynamic entry is added in the ACL for every user who passes authentication, based on the source IP address.
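The following Python script is an added example, not code from the page. It models access list 102 as configured above and walks one user through authentication, use of the dynamic entry, and both ways the entry can expire. Time is expressed in minutes since the Telnet login, and all packets are constructed.

```python
"""Lifecycle of a lock-and-key dynamic entry with idle and absolute timeouts.

Added example, not from the page. It models the entry that 'access-enable host'
creates for the authenticated user's source address, with the two timers from the
configuration above: 10 minutes idle (autocommand access-enable host timeout 10)
and 15 minutes absolute (access-list 102 dynamic myacl timeout 15). Time is in
minutes since the Telnet authentication; all packets are constructed.
"""
IDLE_TIMEOUT = 10        # minutes: access-enable host timeout 10
ABSOLUTE_TIMEOUT = 15    # minutes: access-list 102 dynamic myacl timeout 15
SMTP_SERVER = "192.168.1.1"
ROUTER_IP = "172.16.1.2"


class DynamicEntry:
    """'permit tcp host <user> host 192.168.1.1 eq smtp' plus its two timers."""

    def __init__(self, user_host, created_at):
        self.user_host = user_host       # learned from the Telnet session's source
        self.created_at = created_at
        self.last_hit = created_at

    def matches(self, pkt):
        return (pkt["src"] == self.user_host and pkt["proto"] == "tcp"
                and pkt["dst"] == SMTP_SERVER and pkt["dport"] == 25)

    def expired(self, now):
        # The absolute timer cannot be extended; the idle timer restarts on every hit.
        return (now - self.created_at >= ABSOLUTE_TIMEOUT
                or now - self.last_hit >= IDLE_TIMEOUT)

    def time_left(self, now):
        return max(0, min(ABSOLUTE_TIMEOUT - (now - self.created_at),
                          IDLE_TIMEOUT - (now - self.last_hit)))


class LockAndKeyACL:
    """Access list 102: the dynamic template, the telnet-to-router line, implicit deny."""

    def __init__(self):
        self.entries = []

    def authenticate(self, user_host, now):
        """What 'autocommand access-enable host timeout 10' does after a successful login."""
        self.entries.append(DynamicEntry(user_host, now))

    def check(self, pkt, now):
        self.entries = [e for e in self.entries if not e.expired(now)]
        for entry in self.entries:
            if entry.matches(pkt):
                entry.last_hit = now
                return "permit"
        if pkt["proto"] == "tcp" and pkt["dst"] == ROUTER_IP and pkt["dport"] == 23:
            return "permit"              # line 20: the Telnet hole that must stay open
        return "deny"                    # implicit deny


def scenario():
    """Walk one user through login, use, and both expiry paths."""
    smtp = {"src": "172.16.1.5", "proto": "tcp", "dst": SMTP_SERVER, "dport": 25}
    telnet = {"src": "172.16.1.5", "proto": "tcp", "dst": ROUTER_IP, "dport": 23}
    web = dict(smtp, dport=80)
    other = dict(smtp, src="172.16.1.9")
    out = {}
    acl = LockAndKeyACL()
    out["smtp_before_login"] = acl.check(smtp, 0)
    out["telnet_to_router"] = acl.check(telnet, 0)
    acl.authenticate("172.16.1.5", 0)
    out["smtp_after_login"] = acl.check(smtp, 1)
    out["http_after_login"] = acl.check(web, 1)          # template is SMTP only
    out["other_host"] = acl.check(other, 1)               # entry is bound to the user's source
    out["kept_alive"] = acl.check(smtp, 9)                # idle 8 min: still open
    out["time_left_at_9"] = acl.entries[0].time_left(9)   # absolute: 15 - 9 = 6
    out["absolute_expiry"] = acl.check(smtp, 15)          # idle 6, but absolute reached
    acl2 = LockAndKeyACL()
    acl2.authenticate("172.16.1.5", 0)
    out["idle_expiry"] = acl2.check(smtp, 10)             # no traffic for 10 min
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:18} {result}")
```

The two expiry cases at the end are the behaviour the Note above describes: traffic keeps the idle timer from firing, but nothing extends the 15-minute absolute limit, and an unused entry disappears after 10 minutes even though the absolute limit has not been reached.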

Reflexive ACLs

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. Reflexive ACLs are generally used to permit outbound traffic and to limit inbound traffic to the return traffic of sessions originating inside the router. A reflexive ACL is similar to Context-Based Access Control (CBAC), which will be discussed in Chapter 5.

Reflexive ACLs have an important restriction: they can be used only in conjunction with an extended named IP ACL. They cannot be defined with a numbered or standard named IP ACL, or with any other non-IP protocol ACL. Reflexive ACLs can be used in combination with other standard and static extended ACLs.

With the extended ACL in Example 2-5, all ICMP traffic is permitted statically, and all TCP traffic originating from source 10.0.0.0/24 going to destination 172.16.1.0/24 through the router is permitted on the return path through the use of a dynamic mechanism in the inbound ACL. In essence, the reflexive function permits only the return traffic of sessions that have been initiated from inside. (All other traffic is denied.) Unlike the established keyword, this check is stateful: the temporary entry carries the exact source and destination addresses and ports of the outbound session, so an inbound segment with the ACK bit set that belongs to no session does not match.

Example 2-5. Reflexive ACL Example

interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip access-group inbound_acl in
ip access-group outbound_acl out
!
ip access-list extended inbound_acl
permit icmp any any
evaluate tcp_reflect
!
ip access-list extended outbound_acl
permit icmp any any
permit tcp 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcp_reflect

The reflect tcp_reflect keyword in the outbound_acl ACL is linked with the evaluate tcp_reflect reference in the inbound_acl ACL. Hence, traffic originating from 10.0.0.0/24 to destination 172.16.1.0/24 will be permitted, and its return traffic will be permitted when it hits the inbound_acl. The temporary entries are removed when the session closes (FIN or RST) or when the reflexive timeout expires (configurable with the ip reflexive-list timeout command).
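The following Python script is an added example, not code from the page. It models Example 2-5: an outbound TCP packet that matches the reflect line creates a temporary entry with source and destination swapped, and the inbound list permits ICMP statically before evaluating those entries. The addresses, ports, and the close handling (entry removed on RST or after a FIN from each side) are constructed for the example.

```python
"""Reflexive ACL: temporary entries mirrored from outbound sessions.

Added example, not from the page. It models Example 2-5: outbound TCP from
10.0.0.0/24 to 172.16.1.0/24 matching the 'reflect tcp_reflect' line creates a
temporary entry with source and destination swapped; inbound_acl permits ICMP
statically and then evaluates those entries. Addresses, ports and the close
handling (entry removed on RST, or after a FIN from each side) are constructed.
"""
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/24")
OUTSIDE = ipaddress.ip_network("172.16.1.0/24")


def _key(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def _mirror(pkt):
    """The reflected entry: what the return packet of this session looks like."""
    return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


class ReflexiveACL:
    def __init__(self):
        self.tcp_reflect = {}        # key (as seen inbound) -> number of FINs seen

    def _track(self, key, flags):
        """Update the temporary entry from a segment that belongs to it."""
        if "RST" in flags:
            self.tcp_reflect.pop(key, None)
            return
        if "FIN" in flags:
            self.tcp_reflect[key] = self.tcp_reflect.get(key, 0) + 1
            if self.tcp_reflect[key] >= 2:
                del self.tcp_reflect[key]

    def outbound(self, pkt):
        """outbound_acl: permit icmp any any; permit tcp 10.0.0.0/24 -> 172.16.1.0/24 reflect."""
        if pkt["proto"] == "icmp":
            return "permit"
        if (pkt["proto"] == "tcp"
                and ipaddress.ip_address(pkt["src"]) in INSIDE
                and ipaddress.ip_address(pkt["dst"]) in OUTSIDE):
            key = _mirror(pkt)
            self.tcp_reflect.setdefault(key, 0)
            self._track(key, pkt.get("flags", set()))
            return "permit"
        return "deny"                    # implicit deny

    def inbound(self, pkt):
        """inbound_acl: permit icmp any any; evaluate tcp_reflect; implicit deny."""
        if pkt["proto"] == "icmp":
            return "permit"
        key = _key(pkt)
        if key in self.tcp_reflect:
            self._track(key, pkt.get("flags", set()))
            return "permit"
        return "deny"


def scenario():
    acl = ReflexiveACL()
    out = {}
    client = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "172.16.1.25", "dport": 80}
    server = {"proto": "tcp", "src": "172.16.1.25", "sport": 80, "dst": "10.0.0.5", "dport": 40000}
    # unsolicited traffic from outside, before and after the session exists
    probe = {"proto": "tcp", "src": "172.16.1.99", "sport": 5555, "dst": "10.0.0.5", "dport": 22}
    out["probe_before"] = acl.inbound(dict(probe, flags={"SYN"}))
    out["client_syn"] = acl.outbound(dict(client, flags={"SYN"}))
    out["server_synack"] = acl.inbound(dict(server, flags={"SYN", "ACK"}))
    out["ack_scan"] = acl.inbound(dict(probe, flags={"ACK"}))        # ACK set, no session: denied
    out["wrong_port"] = acl.inbound(dict(server, sport=81, flags={"ACK"}))
    out["client_fin"] = acl.outbound(dict(client, flags={"FIN", "ACK"}))
    out["server_fin"] = acl.inbound(dict(server, flags={"FIN", "ACK"}))
    out["after_close"] = acl.inbound(dict(server, flags={"ACK"}))    # entry is gone
    out["entries_left"] = len(acl.tcp_reflect)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:14} {result}")
```

Compare the ack_scan result with the established keyword: here the segment is denied because no temporary entry carries that source, port, and destination, which is the difference between a stateful and a stateless check.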

Extended ACLs

Extended ACLs are used to filter more-specific traffic based on the source address, the destination address, and specific protocols, ports, and flags. A sample command syntax format for various types of extended ACLs for each protocol is shown in the list that follows:

To define an extended IP ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

To define an extended TCP ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

To define an extended User Datagram Protocol (UDP) ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

To define an extended Internet Control Message Protocol (ICMP) ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

To define an extended Internet Group Management Protocol (IGMP) ACL:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

In all Cisco IOS Software releases, the access-list-number for extended access lists can be 101 to 199 or the expanded numbers 2000 to 2699, as shown in Table 2-6.

The following example permits Simple Mail Transfer Protocol (SMTP) (e-mail) traffic to host 172.16.1.1, Domain Name System (DNS) traffic, and ICMP echo and echo reply packets sourced from all hosts:

Step 1. Define an extended ACL.

Router(config)# access-list 101 permit tcp any host 172.16.1.1 eq smtp
Router(config)# access-list 101 permit tcp any any eq domain
Router(config)# access-list 101 permit udp any any eq domain
Router(config)# access-list 101 permit icmp any any echo
Router(config)# access-list 101 permit icmp any any echo-reply

Step 2. Apply the ACL to an interface.

Router(config)# interface Serial0
Router(config-if)# ip access-group 101 in

Standard ACLs

Standard ACLs are the oldest and one of the most basic types of ACLs. Standard ACLs inspect traffic by comparing the source address of the IP packets to the addresses configured in the ACL. A standard ACL can be defined to permit or deny specific source IP addresses only.

The command syntax format to define a numbered standard ACL is the following:

access-list access-list-number {deny | permit} source [source-wildcard] [log]

The keyword log causes an informational logging message when a packet matches the access-list statement. For all matched packets, a message is sent to the console, the buffer, or a syslog server. The message includes the ACL number, a notification of whether the packet was permitted or denied, the source address, and the number of packets.

Note

Fields represented by {} brackets are mandatory in the command syntax. Fields represented by [] brackets are optional.

In all Cisco IOS Software releases, the standard access-list-number can be anything from 1 to 99 or the expanded range 1300 to 1999, as shown in Table 2-6. Example 2-2 shows a standard numbered ACL permitting access to hosts on the two defined networks. The wildcard bits apply to the host portions of the network addresses: a 1 bit in the wildcard means that bit of the address is ignored, so 0.0.0.255 matches the whole /24 and 0.0.255.255 the whole /16. Traffic from any host with a source address that does not match the ACL criteria will be dropped because of the implicit deny.

Example 2-2. Standard Numbered ACL Example

Router(config)# access-list 1 permit 192.16.1.0 0.0.0.255
Router(config)# access-list 1 permit 139.65.0.0 0.0.255.255
(Note: implicit deny)

Tip

A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as any. The wildcard can be omitted if it is all zeros. Therefore, 10.1.1.1 0.0.0.0 is the same as host 10.1.1.1.

After the ACL is defined, it must be applied to the interface (inbound or outbound direction).

Router(config)# interface interface-name
Router(config-if)# ip access-group {access-list-number|name} {in|out}

The following is another example showing the use of a standard ACL to block all traffic except that from source 10.1.1.0/24. Note that the example has one permit statement followed by an implicit deny, which will block all other traffic.

Step 1. Define a standard ACL.

Router(config)# access-list 1 permit 10.1.1.0 0.0.0.255

Step 2. Apply the ACL to an interface.

Router(config)# interface Serial0
Router(config-if)# ip access-group 1 in

Types of Access Lists

Many types of ACLs can be configured in Cisco IOS. The following list covers the most commonly known and used:

Standard ACLs

Extended ACLs

IP named ACLs

Lock and key (dynamic ACLs)

Reflexive ACLs

Established ACLs

Time-based ACLs using time ranges

Distributed time-based ACLs

Turbo ACLs

Receive ACLs

Infrastructure protection ACLs

Transit ACLs

Classification ACLs

Debugging traffic using ACLs

Outbound ACL

Examine the pseudocode that follows to understand packet processing. When an outbound ACL is applied on an interface, the router first performs a route lookup for the destination address in the routing table to determine the egress interface. The ACL is consulted only after a route is found; a packet with no route is dropped before the ACL is evaluated. The ICMP Unreachable sent for a denied packet is the administratively prohibited message (type 3, code 13); it is rate limited by the router and is often disabled on the interface with no ip unreachables so that a flood of denied packets does not consume the router's CPU generating replies.

if {valid path found in routing table} then
  if {a match is found} then
    if {the action is to permit} then
      {router continues to process the packet}
    else {the action is to deny}
      {router discards the packet, sending an ICMP Unreachable message to the source address in the packet, assuming this is not disabled}
    endif
  else {a match is not found}
    {with the default "implicit deny" statement, the router discards the packet, sending an ICMP Unreachable message}
  endif
else {valid path not found in routing table}
  {the router drops the packet}
endif
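The following Python script is an added example, not the page's or Cisco's code. It implements the pseudocode above together with the wildcard-mask, top-down first-match, and implicit-deny behaviour described for standard and extended ACLs in this chapter, parsing the chapter's own access-list lines. The port and ICMP type names it understands, and the routing table, are constructed for the example.

```python
"""An IOS-style ACL matcher: wildcard masks, top-down first match, implicit deny,
and the route-lookup-then-ACL order of the outbound pseudocode above.

Added example, not the page's or Cisco's code. It parses the numbered standard
and extended lines used in this chapter (permit/deny, protocol, source and
destination as any/host/address+wildcard, eq port, established, ICMP type
names) and returns the decision together with the line that produced it.
The routing table is a constructed dict of prefix -> egress interface.
"""
import ipaddress

PORTS = {"smtp": 25, "domain": 53, "telnet": 23, "www": 80, "ssh": 22, "bgp": 179}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ((a ^ b) & care) == 0


def _is_ipv4(tok):
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()


def _parse_addr(tokens):
    """Consume one address spec: any | host A | A [WILDCARD] (wildcard defaults to 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    wc = tokens.pop(0) if tokens and _is_ipv4(tokens[0]) else "0.0.0.0"
    return (tok, wc)


def _port(tok):
    return int(tok) if tok.isdigit() else PORTS[tok]


def parse_ace(line):
    """access-list N {permit|deny} [proto] src [eq P] [dst [eq P]] [established|icmp-type]"""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    ace = {"action": action, "text": line}
    if number <= 99 or 1300 <= number <= 1999:        # standard: source only
        ace.update(proto="ip", src=_parse_addr(rest), dst=ANY)
        return ace
    ace["proto"] = rest.pop(0)
    ace["src"] = _parse_addr(rest)
    if rest and rest[0] == "eq":
        rest.pop(0)
        ace["sport"] = _port(rest.pop(0))
    ace["dst"] = _parse_addr(rest)
    if rest and rest[0] == "eq":
        rest.pop(0)
        ace["dport"] = _port(rest.pop(0))
    ace["established"] = "established" in rest
    if ace["proto"] == "icmp" and rest and rest[0] in ICMP_TYPES:
        ace["icmp_type"] = ICMP_TYPES[rest[0]]
    return ace


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if "sport" in ace and pkt.get("sport") != ace["sport"]:
        return False
    if "dport" in ace and pkt.get("dport") != ace["dport"]:
        return False
    if "icmp_type" in ace and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    if ace.get("established") and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt):
    """Top-down first match; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def outbound(routing_table, acl, pkt):
    """The outbound pseudocode: longest-prefix route lookup first, then the egress ACL."""
    dst = ipaddress.ip_address(pkt["dst"])
    routes = sorted(routing_table.items(),
                    key=lambda kv: ipaddress.ip_network(kv[0]).prefixlen, reverse=True)
    for prefix, egress in routes:
        if dst in ipaddress.ip_network(prefix):
            action, text = evaluate(acl, pkt)
            return {"egress": egress, "action": action, "line": text}
    return {"egress": None, "action": "drop", "line": "no route"}


def load(lines):
    return [parse_ace(line) for line in lines]


# The chapter's own lists and a constructed routing table as sample input.
ACL_1 = load(["access-list 1 permit 192.16.1.0 0.0.0.255",
              "access-list 1 permit 139.65.0.0 0.0.255.255"])
ACL_101 = load(["access-list 101 permit tcp any host 172.16.1.1 eq smtp",
                "access-list 101 permit tcp any any eq domain",
                "access-list 101 permit udp any any eq domain",
                "access-list 101 permit icmp any any echo",
                "access-list 101 permit icmp any any echo-reply"])
ROUTES = {"172.16.1.0/24": "Serial0", "0.0.0.0/0": "Ethernet0"}

if __name__ == "__main__":
    print(outbound(ROUTES, ACL_101, {"proto": "tcp", "src": "1.2.3.4", "dst": "172.16.1.1", "dport": 25}))
    print(outbound(ROUTES, ACL_101, {"proto": "tcp", "src": "1.2.3.4", "dst": "172.16.1.1", "dport": 80}))
```

Feeding the matcher a list with a broad deny placed above a narrower permit shows why the guidelines insist on ordering: the first line that matches decides, and the later permit is never reached.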

Figure 2-3 shows the logical flowchart for how a packet is processed against an inbound or outbound ACL.

Figure 2-3. Life of a Packet Undergoing the ACL Process

Packet Flow Rules for Various Packet Types

The packet flowchart shown in Figure 2-4 demonstrates how ACL rules are applied to various packet types, such as nonfragments, initial fragments, and noninitial fragments, that are checked against an ACL.

Figure 2-4. ACL Flow for Non-fragments, Initial Fragments, and Non-initial Fragments

RFC 1858 covers security considerations for IP fragment filtering and highlights two attacks involving IP fragments (the tiny fragment attack and the overlapping fragment attack) along with two defending mechanisms.

Note

The noninitial fragment packet contains only Layer 3 information, not Layer 4 information, although the ACL may contain both Layer 3 and Layer 4 information. As a result, an entry that carries Layer 4 criteria cannot actually check them on a noninitial fragment: a permit entry whose Layer 3 part matches permits the fragment, and a deny entry is skipped in favor of the next entry. The fragments keyword exists to write entries that apply to noninitial fragments only.

Note

Figure 2-4 is taken from the Cisco documentation URL listed here. For more details on ACLs and IP fragments, visit http://www.cisco.com/warp/public/105/acl_wp.html.

Guidelines for Implementing ACLs

Following are some general guidelines to consider when implementing ACLs:

ACLs can be applied to multiple interfaces on a device.

Only one ACL is allowed per protocol per interface per direction. This means that you can have two ACLs per interface: one inbound and one outbound.

ACLs are processed from the top down. The order of the access-list entries needs to be planned carefully. More specific entries must appear first.

When entering the ACL, the router appends the access control entries (ACEs) at the bottom. In newer IOS versions that have the sequencing function, it is possible to insert ACE entries between existing entries.

There is an "implicit deny" for traffic that is not permitted. A single-entry ACL with only one deny statement has the effect of denying all traffic. An ACL must have at least one permit statement; otherwise, all traffic is blocked.

Always create an ACL before applying it to the interface. When modifying or changing an ACL, always remove the ACL from the interface, make the changes, and then reapply the ACL to the interface.

An outbound (egress) ACL applied to a router interface checks only for traffic traversing through the router, that is, traffic going through the router and not traffic originating from the router.

Understanding ACL Processing

This section helps you to understand ACL processing by explaining inbound and outbound ACLs, packet flow rules, and guidelines for implementing ACLs.

Inbound ACL

Examine the pseudocode that follows to understand packet processing. When an inbound ACL is applied on an interface, the router checks the received packet against the ACL's statements for a match.

Code View:

    if {a match is found} then
        if {the action is to permit} then
            {router continues to process the packet}
        else {the action is to deny} then
            {router discards the packet, sending an ICMP Unreachable message to the
             source address in the packet - assuming this is not disabled}
        endif
    else {a match is not found} then
        {with the default 'implicit deny' statement, the router discards the packet,
         sending an ICMP Unreachable message}
    endif
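To make the inbound and outbound pseudocode concrete, the following added example (written for this page, not the book's or Cisco's code) simulates top-down, first-match evaluation with the implicit deny, plus the route lookup that precedes an outbound ACL. It assumes a constructed numbered extended ACL in the "access-list N permit|deny ip <src> <dst>" form, and a constructed routing table; the RFC 1918 wildcards and the 0.0.0.0/255.255.255.255 meaning of "any" and "host" are standard IOS semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the book: a small simulator of the inbound/outbound
# ACL pseudocode (top-down, first match wins, implicit deny, and the route
# lookup that an outbound ACL depends on).


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS inverse/wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class ACE:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def _parse_endpoint(tokens: List[str]):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse an extended ACE of the form 'access-list N permit|deny ip <src> <dst>'."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]          # drop 'access-list' and the list number
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    (src, src_wc), rest = _parse_endpoint(rest)
    (dst, dst_wc), rest = _parse_endpoint(rest)
    return ACE(action, src, src_wc, dst, dst_wc)


def evaluate_acl(acl: List[ACE], src: str, dst: str) -> str:
    """Top-down evaluation; the first matching ACE decides. No match -> implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


def route_lookup(routing_table: List[str], dst: str) -> Optional[str]:
    """Longest-prefix match over a constructed list of prefixes; None means no route."""
    best = None
    for prefix in routing_table:
        net = ipaddress.ip_network(prefix, strict=False)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def process_packet(direction: str, acl: List[ACE], routing_table: List[str],
                   src: str, dst: str) -> str:
    """Mirror the pseudocode: an outbound ACL is consulted only after a successful route lookup."""
    if direction == "out" and route_lookup(routing_table, dst) is None:
        return "dropped: no route"
    if evaluate_acl(acl, src, dst) == "permit":
        return "forwarded"
    return "dropped: ICMP unreachable sent"   # unless unreachables are disabled on the interface


# Constructed ingress ACL for an Internet-facing interface: deny packets that
# arrive with an RFC 1918 source, then permit the rest. The explicit permit is
# required; without it the implicit deny would block all traffic.
BORDER_ACL = [parse_ace(line) for line in [
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 110 permit ip any any",
]]
ROUTES = ["10.1.1.0/24", "192.168.1.0/24"]   # constructed routing table

if __name__ == "__main__":
    print(process_packet("in", BORDER_ACL, ROUTES, "192.168.7.9", "10.1.1.1"))
    print(process_packet("in", BORDER_ACL, ROUTES, "203.0.113.5", "10.1.1.1"))
    print(process_packet("out", BORDER_ACL, ROUTES, "203.0.113.5", "198.51.100.1"))
```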

Direction of the ACL

The terms in, out, source, and destination are used as referenced by the device in the context of the flow of the traffic. As an analogy, traffic on the router can be compared to a passenger flying from Sydney to San Francisco. If the immigration department wants to stop this passenger traveling from Sydney (source) to San Francisco (destination), there are two possibilities for interception:

The passenger could be stopped at the Sydney airport at the immigration control (out) when departing outbound.

The passenger could be stopped at the San Francisco airport at the immigration control (in) when arriving inbound.

When referring to a device where an ACL is applied, these terms are defined as follows:

Out: Traffic that has already been processed through the router and is leaving the router interface (also called egress traffic). The source is where the traffic originated (on the other side of the router), and the destination is where it is going (beyond this router).

In: Traffic that arrives on the router interface (also called ingress traffic) and will be processed by the router for its destination, traversing through this router. The source is where it has arrived from (before this router), and the destination is where it is going (on the other side of the router).

ACL Configuration

There are two basic steps in configuring an ACL:

Step 1. Create an ACL.

Step 2. Apply the ACL to an interface.

These are explained further in the sections that follow.

Creating an ACL

The first step in the configuration process is to create an ACL for each protocol to be filtered, per interface. For some protocols, one ACL can be created to filter inbound traffic and another to filter outbound traffic.

To create an ACL, specify the protocol to be filtered by assigning a unique name or number to the ACL and defining the filtering criteria. Each individual filtering rule that is part of an ACL is called an access control entry (ACE). A single ACL can have multiple ACEs, and a group of ACEs forms an ACL.

Assigning a Unique Name or Number to Each ACL

Each ACL must be uniquely identified by using either a name or a number. A device could have several ACLs configured; therefore, the device must have a way to distinguish one ACL from another. Assigning a name or a number to an ACL serves this objective along with binding the ACL entries together. The ACL name or number also tells the device which type of ACL it is. (Various ACL types are discussed later in this chapter.)

Tables 2-5 and 2-6 show a list of protocols that can be defined using either a named or a numbered ACL. The table also lists the range of ACL numbers that is supported for each protocol.

Table 2-5. Protocols with ACL Specified by Name

Protocol

Subnet Mask Versus Inverse Mask Overview

The IP address has two basic components: the network address and the host address. A mask is used to partition the network address from the host address within the IP address. The following section describes two types of masks: the subnet mask and the inverse mask.

Subnet Mask

As mentioned earlier, an IP address consists of two parts: a network address and a host address. The subnet mask is used to establish where the network number in an IP address ends and the host number begins. It is a method used for dividing IP networks into a series of subgroups or subnets, as defined in RFC 950. The mask is a 32-bit binary pattern that is matched up with the IP address to turn part of the host ID address field into a field for subnets. (Table 2-4 shows an example.)

Table 2-4. Mask Example

Network address (traffic that is to be processed): 10.1.1.0

Network address (binary): 00001010.00000001.00000001.00000000

Subnet mask (decimal): 255.0.0.0

Subnet mask (binary): 11111111.00000000.00000000.00000000

Wildcard/inverse mask (decimal): 0.0.0.255

Wildcard/inverse mask (binary): 00000000.00000000.00000000.11111111

Inverse Mask

Masks for IOS IP ACLs are the reverse (for example, mask 0.0.0.255) and are referred to as the inverse mask, also commonly known as a wildcard mask. (The terms wildcard and inverse are used interchangeably.) When the value of the mask is broken down into binary digits (0s and 1s), the result determines which address bits are to be considered in processing the traffic. A 0 indicates that the address bit must be considered (exact match); a 1 in the mask is a "don't care." Table 2-4 explains the concept further.

Based on the inverse mask shown in binary, the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers represents "don't care" (.11111111). Therefore, all traffic that begins with 10.1.1. matches because the last octet is not considered. With this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.

The ACL inverse mask can also be determined by subtracting the normal mask from 255.255.255.255. See Example 2-1.

Example 2-1. ACL Inverse Mask

Code View:

    The inverse mask for network address 172.16.1.0 with a subnet mask of 255.255.240.0 is:

    255.255.255.255 - 255.255.240.0 (subnet mask) = 0.0.15.255 (inverse mask)

Note

When configuring an ACL, you can substitute long dotted numbers with special keywords that represent the same equivalents, as shown in the following examples:

Source/source-wildcard of 0.0.0.0/255.255.255.255 can also be represented with the keyword "any" within the ACL.

Source/wildcard of 10.1.1.2/0.0.0.0 can also be represented as "host 10.1.1.2."
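The following added example (written for this page, not the book's code) carries Example 2-1 and the note above through in Python: it derives the inverse mask by octet subtraction, confirms it against a bitwise complement, renders the "any" and "host" shorthand, and computes the address block a network/wildcard pair actually matches. It goes one step beyond the text: because the 1 bits are "don't care" on the configured address as well, 172.16.1.0 with 0.0.15.255 matches 172.16.0.0 through 172.16.15.255, and a wildcard whose 1 bits are not a contiguous low-order run (which IOS accepts) matches a scattered set rather than a single range.

```python
import ipaddress
from typing import Optional, Tuple

# Added example, not from the book: inverse (wildcard) mask derivation and the
# address block a network/wildcard pair covers.


def inverse_mask(subnet_mask: str) -> str:
    """Octet-by-octet subtraction from 255.255.255.255, exactly as Example 2-1 does it."""
    octets = [255 - int(o) for o in subnet_mask.split(".")]
    return ".".join(str(o) for o in octets)


def inverse_mask_bitwise(subnet_mask: str) -> str:
    """Same result via bitwise complement of the 32-bit mask; shows the two methods agree."""
    value = ~int(ipaddress.IPv4Address(subnet_mask)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))


def to_keyword(addr: str, wildcard: str) -> str:
    """Render an address/wildcard pair with the IOS shorthand described in the note."""
    if wildcard == "255.255.255.255":
        return "any"                      # every bit is 'don't care'
    if wildcard == "0.0.0.0":
        return f"host {addr}"             # every bit must match exactly
    return f"{addr} {wildcard}"


def covered_range(addr: str, wildcard: str) -> Optional[Tuple[str, str]]:
    """Lowest and highest address matched by addr/wildcard.

    Returns None when the wildcard's 1 bits are not one contiguous low-order run,
    because such a wildcard matches a scattered set of addresses, not a range."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                     # contiguous low-order 1s look like 2^n - 1
        return None
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF   # 'don't care' bits cleared
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(base | wc))


if __name__ == "__main__":
    wc = inverse_mask("255.255.240.0")            # Example 2-1
    print(wc, inverse_mask_bitwise("255.255.240.0"))
    print(to_keyword("172.16.1.0", wc), "covers", covered_range("172.16.1.0", wc))
    print("non-contiguous 0.0.255.0 ->", covered_range("10.1.1.0", "0.0.255.0"))
```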

Private IP Addresses (RFC 1918)

Under the present IPv4 addressing scheme, the IP address space is divided into two types: public IP address space and private IP address space. The public IP address space is routable via the Internet and is managed by one of the Regional Internet Registries (RIR). A small portion of the address range, shown in Table 2-1, has been set aside and designated as a "reserved" or "private" IP address range, as defined in RFC 1918. These addresses are reserved for use by private networks and are not routed on the Internet. These private IP address ranges must be filtered on border routers so that no traffic with a private address as its source is accepted from the Internet. Table 2-3 gives the details of the private address ranges.

Table 2-3. RFC 1918 Address Ranges Reserved for Private Use

Class  Range of Addresses

A      10.0.0.0 through 10.255.255.255

B      172.16.0.0 through 172.32.255.255

C      192.168.0.0 through 192.168.255.255

In addition to the previously described RFC 1918 private address ranges, the IANA has blocked a special Class B private address range and reserved it for automatic private IP addressing (APIPA). For example, when using Dynamic Host Configuration Protocol (DHCP), if the DHCP server cannot be found to assign an IP address, the operating system will automatically assign addresses from this special block to enable communication.

Note

The RIRs are nonprofit organizations responsible for managing the distribution of Internet number resources, such as globally unique IP addresses (IPv4 and IPv6) and autonomous system numbers, within their assigned regions. For more information, visit the RIR of your region:

APNIC http://www.apnic.net

ARIN http://www.arin.net

LACNIC http://www.lacnic.net

RIPE NCC http://www.ripe.net

AfriNIC http://www.afrinic.net

Understanding IP Address Classes

Class A: 0NNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH

The first octet represents the network address, and the remaining three octets represent the host address.

First high-order bit is set to 0.

7 network bits.

24 host bits.

First byte range: 0–127.

126 Class A ranges exist (0 and 127 are reserved).

16,777,214 hosts are on each Class A.

Example: Host 10.0.0.1 on network 10.0.0.0

Class B: 10NNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH

The first two octets represent the network address, and the remaining two octets represent the host address.

First two high-order bits are set to 1 and 0, respectively.

14 network bits.

16 host bits.

First byte range: 128–191.

16,384 Class B ranges exist.

65,532 hosts are on each Class B.

Example: Host 128.10.1.5 on network 128.10.0.0

Class C: 110NNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH

The first three octets represent the network address, and the remaining octet represents the host address.

First three high-order bits are set to 1, 1, and 0, respectively.

21 network bits.

8 host bits.

First byte range: 192–223.

2,097,152 Class C ranges exist.

254 hosts are on each Class C.

Example: Host 192.15.1.1 on network 192.15.1.0

Class D: 1110MMMM.MMMMMMMM.MMMMMMMM.MMMMMMMM

Mainly reserved as multicast addresses.

First four high-order bits are set to 1, 1, 1, and 0, respectively.

28 multicast address bits.

First byte range: 224–247 (the first octet of a Class D address has a minimum value of 224 and a maximum value of 239).

The Class D range is used for multicast addresses; see RFC 1112.

Example: 225.1.100.100

Class E: 1111RRRR.RRRRRRRR.RRRRRRRR.RRRRRRRR

Mainly reserved for experimental and future use.

First four high-order bits are set to 1, 1, 1, and 1, respectively.

28 reserved address bits.

First byte range: 248–255 (the first octet of a Class E address starts with 240).

In addition to being used for experimentation, Class E addresses are reserved for future use.

Note

N denotes the network ID bits.

H denotes the host ID bits.

M denotes the multicast address bits.

R denotes the reserved bits.

The class of an IP address can be determined from the first four bits of the first byte of the IP address. The value of the first octet in the IP address resolves to the class within whose range the IP address falls. Table 2-1 summarizes the possible range of IP addresses for the different IP address classes that were previously discussed.

Table 2-1. Range of IP Addresses per Class

Class  Possible Range of Addresses

A      0.0.0.0 through 127.255.255.255

B      128.0.0.0 through 191.255.255.255

C      192.0.0.0 through 223.255.255.255

D      224.0.0.0 through 239.255.255.255

E      240.0.0.0 through 247.255.255.255

Table 2-2 shows the maximum number of networks and hosts that can be obtained within each class.

Table 2-2. Networks and Hosts per Class

Class  Max Number of Networks  Max Number of Hosts per Network

A      126 (2^7 - 2)           16777214 (2^24 - 2)

B      16384 (2^14)            65534 (2^16 - 2)

C      2097152 (2^21)          254 (2^8 - 2)

D      n/a                     n/a

E      n/a                     n/a

Note

Class A: The maximum number of networks is reduced by 2 to account for the reserved network IP addresses 0.xxx.xxx.xxx and 127.xxx.xxx.xxx.

The maximum number of hosts per network is also reduced by 2 to account for the reserved host IP addresses in which all the host ID address bits are either 1 or 0, that is, the network address and the broadcast address.

Classes of IP Addresses

The Internet Assigned Numbers Authority (IANA) grouped IP addresses into the following classes. Each class has its own requirements and purpose:

Class A

Class B

Class C

Class D

IP Address Overview

The IP address is the address assigned to a particular network and to the host within that network.

There are two basic types of IP addresses:

IP Version 4 (IPv4): IPv4 was initially deployed in January 1983 and is commonly used in today's networks in general deployment. IPv4 addresses are 32-bit numbers displayed as four octets in dotted decimal notation (for example, 10.1.1.1). RFC 1166 specifies the IPv4 address format.

IP Version 6 (IPv6) or IPng: IPv6, also known as IPng, is a next-generation Internet protocol, a new version designed to be an evolutionary move in Internet addressing. Growth is the basic issue, because the IPv4 address space is becoming more strained. This deficiency has laid the foundation for the next-generation IP. IPv6 addresses are 128-bit numbers and are typically displayed as hexadecimal strings (for example, 2080:0:0:2:8:400:20AC:217B). Cisco Systems announced IPv6 support in Cisco IOS 12.2(2)T on May 14, 2001.

Note

For more information on IPv6, refer to http://www.cisco.com/go/ipv6.

Note

This chapter focuses only on IPv4 addresses, which are referred to as IP addresses.

Access Control

The use of technology continues to expand in this digital age with the ever-increasing volume of data. An exponential amount of data is crossing the networks today. Without any security mechanism in place, each network has complete access to the other, with no way of distinguishing between authorized and unauthorized activity.

One of the fundamental steps necessary to control network access is the capability to control the data flow within a network. One of the many ways to achieve this is to use an access control list (commonly referred to as an ACL). ACLs are effective, easy to configure, and available across all major Cisco products.

This chapter focuses primarily on the use and configuration of ACLs available on Cisco IOS and other devices for traffic filtering. The chapter also gives an overview of IP addressing, IP classes, subnets, and masks.

Traffic Filtering Using ACLs

Cisco IOS provides traffic-filtering capabilities through ACLs, with the capability to prevent traffic from entering or exiting the network. The use of an ACL is also sometimes referred to as filtering, because it regulates traffic by allowing or denying network access.

ACL Overview

An ACL is basically a list of permit or deny statements that control network access to enforce a security policy. ACLs are an essential part of the end-to-end security solution. Products and technologies such as firewalls, encryption and authentication, and intrusion detection and prevention solutions, however, should be part of an integrated approach to implementing any corporate security policy.

ACL Applications

ACLs have many applications (available across all Cisco platforms), including traffic filtering; however, ACLs cannot be used as a replacement or substitute for context-based stateful firewalls, which will be discussed further in Chapter 5, "Cisco IOS Firewall," and Chapter 6, "Cisco Firewalls: Appliance and Module."

ACLs are used in numerous ways. Some common applications of ACLs include the following:

Filtering routing information received from or sent to the adjacent neighbor(s)

Controlling interactive access to prevent unauthorized access to the devices in the network, for example, console, Telnet, or SSH access

Controlling traffic flow and network access through devices

Securing the router by limiting access to services on the router such as Hypertext Transfer Protocol (HTTP), Simple Network Management Protocol (SNMP), and Network Time Protocol (NTP)

Defining interesting traffic for dial-on-demand routing (DDR)

Defining interesting traffic for IPsec virtual private network (VPN) encryption

Several applications in IOS quality of service (QoS) features

Extensive use in security techniques and technologies (for example, TCP Intercept and IOS Firewall)

ACLs can be used to provide a basic level of security for all traffic accessing or traversing the network. If ACLs are not configured, all packets passing through the router would be allowed onto all parts of the network. For example, ACLs can allow one host to access the Internet and prevent another host from accessing the Internet, as shown in Figure 2-1. Host A can access resources on the Internet, whereas access for Host B is denied. ACLs can also be used to determine what type of traffic is forwarded or blocked at the router interfaces. For example, all HTTP traffic can be permitted, while FTP traffic is blocked. This is just a simple example; much more complex scenarios can be achieved by using ACLs.

Figure 2-1. Secure Router Using ACL

When to Configure ACLs

ACLs can be used on a device as the first line of defense for the network. This can be achieved using an ACL on routers, switches, or firewalls that are placed between an internal network (protected zone) and an external network (unprotected zone), such as the Internet. ACLs can also be used on a device placed between two parts of the network, to control traffic entering or exiting a specific part of the network. Another option is to use ACLs to filter inbound traffic or outbound traffic on a device, or both. ACLs should be defined on a per-protocol and per source/destination/port basis to achieve more granularity and control over various types of traffic.

To better understand the use of ACLs, the next sections provide an overview of basic IP addressing, subnets and masks, and IP classes.

Security Wheel

Network security is a continuous process built around the corporate security policy. The security wheel depicted in Figure 1-6 shows a recursive, ongoing process of striving toward perfection, to achieve a secured network infrastructure. The paradigm incorporates the following five steps:

Step 1. Develop a security policy.

A strong security policy should be clearly defined, implemented, and documented, yet simple enough that users can easily conduct business within its parameters.

Step 2. Make the network secure.

Secure the network by implementing security solutions (implement authentication, encryption, firewalls, intrusion prevention, and other techniques) to stop or prevent unauthorized access or activities and to protect information and information systems.

Step 3. Monitor and respond.

This phase detects violations of the security policy. It involves system auditing and real-time intrusion detection and prevention solutions. This also validates the security implementation in Step 2.

Step 4. Test.

This step validates the effectiveness of the security policy through system auditing and vulnerability scanning, and tests the existing security safeguards.

Step 5. Manage and improve.

Use information from the monitor and test phases to make improvements to the security implementation. Adjust the corporate security policy as security vulnerabilities and risks are identified. Manage and improve the corporate security policy.

Figure 1-6. The Security Wheel

Lessons learned from Steps 2 through 5 should always be reflected back to the corporate security policy in Step 1, so that the high-level security expectations are being met. This should be an ongoing process, a continuous life cycle!

Summary

This chapter gave an overview of network security and discussed the challenges of managing a secured network infrastructure. The chapter discussed how the security paradigm is changing and that security solutions today are no longer product based. Instead, they are more solution oriented and designed with business objectives in mind. The chapter also discussed the core principles of security, the CIA triad of confidentiality, integrity, and availability, followed by a brief discussion of aspects of security policies: standards, procedures, baselines, guidelines, and various security models. The chapter took a detailed look at the perimeter security issue and the multilayered security approach. The chapter concluded with the Cisco security wheel paradigm involving five cyclical steps.


The Domino Effect

The OSI reference model was built to enable different layers to work independently of each other. The layered approach was developed to accommodate changes in the evolving technology. Each OSI layer is responsible for a specific function within the networking stack, with information flowing up and down to the next adjacent layer as data is processed. Unfortunately, this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem. For example, as shown in Figure 1-5, if the physical layer (Layer 1) were compromised, it could cause all other layers to be compromised in succession. Security is only as strong as the weakest link. When it comes to networking, any layer can be the weakest link.

Multilayer Perimeter Solution

As stated previously, today's solutions are working toward the approach of placing security mechanisms at various layers of the network, not just at the boundary or edge devices. Today, it is recommended to deploy Intrusion Prevention System (IPS) devices on both the inside and outside boundaries of private networks. Firewalls, on the other hand, are placed between various business segments or departments within the same organization, dividing the network into logical groupings and applying perimeter security at each segment or department. In this multiperimeter model, each segment can have different layers of security within it.

Effective perimeter security has become more important over recent years. Perimeter security cannot be entrusted to only the traditional security mechanisms of firewalls and IDS. Web applications, wireless access, network interconnections, and VPNs have made the perimeter a much more complicated concept than it was a couple of years ago.

A layered approach requires implementing security solutions at different spectrums of the network. Another similar concept is islands of security. To implement islands of security, do not limit your thinking to perimeter security. Do not depend on just one method for your security. You should, instead, have layers of protection: perimeter, distribution, core, and access layer. Figure 1-4 illustrates a basic multilayered security mechanism, which is designed to protect the data flow in the system.

This layered approach is related to the technology of an environment and the complexity of each of the technologies at each layer. The complexity comes from different protocols, applications, hardware, and security mechanisms that work at one or more of the seven layers in the OSI model. Just as there are different levels within an environment, different types of attacks can occur at each level and would require their respective countermeasures.

Security in Layers

As discussed earlier, security in layers is the preferred and most scalable approach to securing a network. One single mechanism cannot be relied on for the security of a system. To protect your infrastructure, you must apply security in layers. This layered approach is also called defense in depth. The concept is that you create multiple systems so that a failure in one does not leave you vulnerable, but is caught in the next layer. Additionally, in a layered approach, a vulnerability can be limited and contained to the affected layer because of the security applied at varying levels.

A Solid Perimeter Security Solution

A comprehensive perimeter security solution enables communications across it as defined by the security policy, yet protects the network resources from breaches, attacks, or unauthorized use. It controls multiple network entry and exit points. It also increases user confidence by implementing multiple layers of security.

The broad range of Cisco perimeter security solutions provides several levels of perimeter security that can be deployed throughout your network as defined by your security policy. These solutions are highly flexible and can be tailored to your security policy.

The Difficulty of Defining the Perimeter

Traditional networks are growing with the integration of remote network access. Wireless networks, laptops, mobile phones, PDAs, and numerous other wireless devices need to connect from outside the enterprise into the corporate network. To meet these needs, the concept of inside versus outside becomes rather complicated. For example, when you connect to the corporate network using a virtual private network (VPN), you are no longer on the outside of the network. You are now on the inside of the network, and so is everything that is running on your computer.

Globally networked businesses rely on their networks to communicate with employees, customers, partners, and suppliers. Although immediate access to data and information is an advantage, it raises concerns about security and about protecting access to critical network resources.

Network administrators need to know who is accessing which resources and establish clear perimeters to control that access. An effective security policy balances accessibility with protection. Security policies are enforced at network perimeters. Often people think of a perimeter as the boundary between an internal network and the public Internet, but a perimeter can be established anywhere within a private network, or between your network and a partner's network.

Is Perimeter Security Disappearing?

In essence, the perimeter has been transformed and extended to the various levels within the network. In other words, networks today do not have a single point of entrance; they are multi-entry open environments where controlled access is required from anywhere within the network. This transformation leads us to start thinking in terms of multiperimeter networks.

Perimeter Security

Opinions on perimeter security have changed a great deal over the past few years. Part of that change is that the very nature of perimeter security is becoming more uncertain, and everyone has a different view of just what it is. The limits of the perimeter itself are becoming wide and extensive, with no geographic boundaries, and remote access is becoming part of the virtual network.

Security Models

An important element in the design and analysis of secure systems is the security model, because it integrates the security policy that should be enforced in the system. A security model is a symbolic portrayal of a security policy. It maps the requirements of the policy makers into a set of rules and regulations that are to be followed by a computer system or a network system. A security policy is a set of abstract goals and high-level requirements, and the security model is the do's and don'ts to make this happen.

You should know about several important security models, even though describing them in detail is beyond the scope of this book:

The Bell-LaPadula Model (BLM), also called the multilevel model, was introduced mainly to enforce access control in government and military applications. BLM protects the confidentiality of the information within a system.

The Biba model is a modification of the Bell-LaPadula model that mainly emphasizes the integrity of the information within a system.

The Clark-Wilson model prevents authorized users from making unauthorized modifications to the data. This model introduces a system of triples: a subject, a program, and an object.

The Access Control Matrix is a general model of access control that is based on the concept of subjects and objects.

The Information Flow model restricts information in its flow so that it moves only to and from approved security levels.

The Chinese Wall model combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations.

The Lattice model deals with military information. Lattice-based access control models were developed in the early 1970s to deal with the confidentiality of military information. In the late 1970s and early 1980s, researchers applied these models to certain integrity concerns. Later, application of the models to the Chinese Wall policy, a confidentiality policy unique to the commercial sector, was developed. A balanced perspective on lattice-based access control models is provided.

Examples of Security Policies

Depending on the size of the organization, potentially dozens of security policy documents may be required. For some organizations, one large document covers all facets; at other organizations, several smaller, individually focused documents are needed. The sample list that follows covers some common policies that an organization should consider.

- Acceptable use: This policy outlines the acceptable use of computer equipment. The rules are established to protect the employee and the organization. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.

- Ethics: This policy emphasizes the employee's and consumer's expectations to be subject to fair business practices. It establishes a culture of openness, trust, and integrity in business practices. This policy can guide business behavior to ensure ethical conduct.

- Information sensitivity: This policy is intended to help employees determine what information can be disclosed to nonemployees, as well as the relative sensitivity of information that should not be disclosed outside an organization without proper authorization. The information covered in these guidelines includes but is not limited to information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (such as by telephone, video conferencing, and teleconferencing).

- E-mail: This policy covers appropriate use of any e-mail sent from an organization's e-mail address and applies to all employees, vendors, and agents operating on behalf of the company.

- Password: The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

- Risk assessment: This policy is used to empower the Information Security (InfoSec) group to perform periodic information security risk assessments (RA) for the purpose of determining areas of vulnerability and to initiate appropriate remediation.

Tip

Examples of the policies listed previously and other templates can be found at the SANS website:

https://www2.sans.org/resources/policies/#template

Note

Policies need to be concise, to the point, and easy to read and understand. Most of the policies listed previously are on average two to three pages.

Standards

Standards are industry-recognized best practices, frameworks, and agreed principles of concepts and designs, which are designed to implement, achieve, and maintain the required levels of processes and procedures. Like security policies, standards are strategic in nature in that they define system parameters and processes. Standards vary by industry. There are two notable standards in security information management—ISO 17799 and COBIT. These are discussed in Chapter 25, "Security Framework and Regulatory Compliance."

Procedures

Procedures are low-level documents providing systematic instructions on how the security policy and the standards are to be implemented in a system. Procedures are detailed in nature to provide maximum information to users so that they can successfully implement and enforce the security policy and apply the standards and guidelines of a security program.

Employees usually refer to procedures more often than to other policies and standards because procedures provide the complete details of the implementation phase of a security program.

Baselines

A baseline is the minimum level of security required in a system. Baselines give users the means to achieve the absolute minimum security required, consistent across all the systems in the organization. For example, a company might have a baseline for Windows 2000 servers to have Service Pack 4 installed on each server in the production environment. The procedure document would supplement the baseline by spelling out step-by-step instructions on where to download Service Pack 4 and how to install it to comply with this security level.

Guidelines

Guidelines are recommended actions and operational guides for users. Similar to procedures, guidelines are tactical in nature. The major difference between standards and guidelines is that guidelines can be used as reference, whereas standards are mandatory actions in most cases.

Figure 1-3 depicts the fundamental relationship among security policies, standards, baselines, guidelines, and procedures.

Figure 1-3. Relationships Among Security Policies, Standards, Procedures, Baselines, and Guidelines

Security Policy

A security policy is a set of rules, practices, and procedures dictating how sensitive information is managed, protected, and distributed. In the network security realm, policies are usually point specific, which means they cover a single area. A security policy is a document that expresses exactly what the security level should be by setting the goals of what the security mechanisms are to accomplish. Security policy is written by higher management and is intended to describe the "whats" of information security. The next section gives a few examples of security policies. Procedures, standards, baselines, and guidelines are the "hows" for implementation of the policy. Information security policies underline the security and value of information resources; they are the foundation of information security within an organization.

Trust is one of the main themes in many policies. Some companies do not have policies because they trust in their people and trust that everyone will do the right thing. But that is not always the case, as we all know. Therefore, most organizations need policies to ensure that everyone complies with the same set of rules.

In my experience, policies tend to raise people's alarm because people do not want to be bound by rules and regulations. Instead, people want freedom and non-accountability. A policy should define the level of control users must observe and balance that with productivity goals. An overly strict policy will be hard to implement because compliance will be minimal or ignored. On the contrary, a loosely defined policy can be evaded and does not ensure accountability and responsibility. A good policy has to have the right balance.

Policies, Standards, Procedures, Baselines, Guidelines

A security model is a multilayered framework made of many integrated entities and logical and physical protection mechanisms, all working together to provide a secure system that complies with industry best practices and regulations.

Availability

Availability is the prevention of loss of access to resources and information, to ensure that information is available for use when it is needed. It is critical to make sure that requested information is readily accessible to the authorized users at all times. Denial of service (DoS) is one of several types of security attacks that attempt to deny access to the appropriate user, often simply for the sake of disrupting service.

Integrity

Integrity prevents unauthorized modification of data, systems, and information, thereby providing assurance of the accuracy of information and systems. If your data has integrity, you can be sure that it is an accurate and unchanged representation of the original secure information. A common type of security attack is man-in-the-middle. In this type of attack, an intruder intercepts data in transit and makes changes to it.

Confidentiality

Confidentiality prevents unauthorized disclosure of sensitive information. It is the capability to ensure that the necessary level of secrecy is enforced and that information is concealed from unauthorized users. When it comes to security, confidentiality is perhaps the most obvious aspect of the CIA triad, and it is the aspect of security most often attacked. Cryptography and encryption methods are examples of attempts to ensure the confidentiality of data transferred from one computer to another. For example, when performing an online banking transaction, the user wants to protect the privacy of the account details, such as passwords and card numbers. Cryptography provides a secure transmission protecting the sensitive data traversing the shared medium.

Principles of Security—The CIA Model

A simple but widely applicable security model is the confidentiality, integrity, and availability (CIA) triad. These three key principles should guide all secure systems. CIA also provides a measurement tool for security implementations. These principles are applicable across the entire spectrum of security analysis—from access, to a user's Internet history, to the security of encrypted data across the Internet. A breach of any of these three principles can have serious consequences for all parties concerned.

Figure 1-2. The CIA Triad

Transformation of the Security Paradigm

As the size of networks continues to grow and attacks on those networks become more sophisticated, the way we think about security changes. Here are some of the major factors that are changing the security paradigm:

- Security is no longer about "products": Security solutions must be chosen with business objectives in mind and integrated with operational procedures and tools.

- Scalability demands are increasing: With the growing number of vulnerabilities and security threats, solutions must scale to thousands of hosts in large enterprises.

- Legacy endpoint security Total Cost of Ownership (TCO) is a challenge: Reactive products force deployment and renewal of multiple agents and management paradigms.

- Day zero damage: Rapidly propagating attacks (Slammer, Nimda, MyDoom) happen too fast for reactive products to control. Therefore, an automated, proactive security system is needed to combat the dynamic array of modern-day viruses and worms.

With modern-day distributed networks, security cannot be applied only at the network edge or perimeter. We will discuss perimeter security in more detail later in this chapter.

Zero-day attacks, or new and unknown viruses, continue to plague enterprise and service provider networks. To try to establish protection against attacks, enterprises patch systems as vulnerabilities become known. This clearly cannot scale in large networks, and this situation can be addressed only with real-time, proactive systems.

Security now is about the management and reduction of risk in a rapidly evolving environment. Maximum risk reduction is achieved with an integrated solution built on a flexible and robust infrastructure and effective operations and management tools. Business objectives should drive security decisions. Today, we are in a new era that forces us to rethink security and attack prevention.

Overview of Network Security

At the same time that networks are growing exponentially, they are becoming complex and mission critical, bringing new challenges to those who run and manage them. The need for an integrated network infrastructure comprising voice, video, and data (all-in-one) services is evident, but these rapidly growing technologies introduce fresh security concerns. Therefore, as network managers struggle to include the latest technology in their network infrastructure, network security has become a key function in building and maintaining today's modern high-growth networks.

This chapter presents a broad description of network security in the context of today's rapidly changing network environments. The security paradigm is changing, and security solutions today are solution driven and designed to meet the requirements of business. To help you face the complexities of managing a modern network, this chapter discusses the core principles of security—the CIA triad: confidentiality, integrity, and availability.

In addition to discussing CIA, this chapter discusses security policies, which are the heart of all network security implementations. The discussion covers the following aspects of security policies: standards, procedures, baselines, guidelines, and various security models.

The chapter takes a closer look at the perimeter security topic and the multilayered perimeter approach. The chapter concludes with the Cisco security wheel paradigm involving five cyclical steps.

Fundamental Questions for Network Security

When you are planning, designing, or implementing a network, or are assigned to operate and manage one, it is useful to ask yourself the following questions:

1. What are you trying to protect or maintain?

2. What are your business objectives?

3. What do you need to accomplish these objectives?

4. What technologies or solutions are required to support these objectives?

5. Are your objectives compatible with your security infrastructure, operations, and tools?

6. What risks are associated with inadequate security?

7. What are the implications of not implementing security?

8. Will you introduce new risks not covered by your current security solutions or policy?

9. How do you mitigate that risk?

10. What is your tolerance for risk?

You can use these questions to pose and answer some of the basic questions that underlie the fundamental requirements for establishing a secure network. Network security technologies reduce risk and provide a foundation for expanding businesses with intranet, extranet, and electronic commerce applications. Solutions also protect sensitive data and corporate resources from intrusion and corruption.

Advanced technologies now offer opportunities for small and medium-sized businesses (SMB), as well as enterprise and large-scale networks, to grow and compete; they also highlight a need to protect computer systems against a wide range of security threats.

The challenge of keeping your network infrastructure secure has never been greater or more critical to your business. Despite considerable investments in information security, organizations continue to be afflicted by cyber incidents. At the same time, management aims for greater results with fewer resources. Hence, improving security effectiveness remains vital, if not essential, while enhancement of both effectiveness and flexibility has also become a primary objective.

Without proper safeguards, every part of a network is vulnerable to a security breach or unauthorized activity from intruders, competitors, or even employees. Many of the organizations that manage their own internal network security and use the Internet for more than just sending and receiving e-mail experience a network attack—and more than half of these companies do not even know they were attacked. Smaller companies are often complacent, having acquired a false sense of security. They usually react to the last virus or the most recent defacing of their website. But they are trapped in a situation where they do not have the necessary time and resources to spend on security.

To cope with these problems, Cisco has developed the SAFE Blueprint, a comprehensive security plan that recommends and explains specific security solutions for different elements of networks.

Cisco also offers the integrated security solution, which delivers services above and beyond the "one size fits all" model. In addition, Cisco services are designed to deliver value throughout the entire network life cycle, which includes the stages of prepare, plan, design, implement, operate, and optimize (PPDIOO). The Cisco PPDIOO model, as shown in Figure 1-1, encompasses all the steps from network vision to optimization, enabling Cisco to provide a broader portfolio of support and end-to-end solutions to its customers.

Identification (IDENT) Protocol and PIX Performance

There is one particular protocol that we need to address because it affects PIX performance. This is the identification protocol defined in RFC 1413. The purpose of this protocol is to enable HTTP, FTP, or POP servers to confirm the identity of clients. When a client connects to one of these ports, a server running IDENT will attempt to connect to TCP port 113 on the client. If successful, the server will read certain identifying data from the client machine. In theory, this process would reduce spam or illegitimate usage by forcing users to connect from legitimate sources. In practice, the IDENT protocol can be fooled easily.

Users behind a PIX firewall are protected from IDENT by default. Since the IDENT protocol provides information about the user, it can provide details about the internal network, which can be a violation of your security policy. The PIX firewall, like any good firewall, prevents this disclosure of internal details to the outside. However, the downside of this protection is that users could perceive a very noticeable delay in the server responding to their requests as it attempts to check their identities, or they could even experience a complete lack of response.

To identify IDENT issues, set logging to the debugging level. Once that is turned on, you will see denied TCP attempts to port 113. To get around this issue, you have the following choices:

1. You can contact the administrator of the server running IDENTD and have it turned off. However, you will have to do this for each server that has this problem.

2. You can pass IDENT traffic through your firewall unmolested by permitting it with access lists or conduits. This would pass internal network details to the outside, which can compromise security.

3. Another (the recommended) solution is to use the service resetinbound command. This command sends a TCP reset (RST) to the IDENT server, which basically tells it that the client does not support IDENT. Upon receiving that reset, the server provides the requested service to the user. Once this command is entered, the PIX firewall starts sending resets for traffic not permitted by the security policy rather than dropping it silently and causing the user to incur a time penalty.
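Both sides of the RFC 1413 exchange described above, as an added example that is not code from the book: the query the IDENT-enabled server sends after connecting to TCP port 113, the answer a (hypothetical) identd on the client returns, and the strict parse the server should apply to that answer. Port numbers, the user name, and the connection table are constructed sample values.

```python
"""Both sides of the RFC 1413 IDENT exchange (added example, not the book's code).

build_request is the query an IDENT-enabled server sends after connecting to
TCP/113 on the client; identd_respond is a hypothetical client-side daemon's
answer; parse_reply is the strict check the server applies to that answer.
Port numbers, user names and the connection table are constructed values.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
PortPair = Tuple[int, int]  # (port on server, port on client)


def _valid_port(port: int) -> bool:
    return 1 <= port <= 65535


def build_request(server_port: int, client_port: int) -> bytes:
    """Server side: the query line for the connection it wants identified."""
    if not (_valid_port(server_port) and _valid_port(client_port)):
        raise ValueError("port out of range")
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def identd_respond(request: bytes, connections: Dict[PortPair, str],
                   opsys: str = "UNIX") -> bytes:
    """Client side: what identd answers for one request line.

    connections maps (remote port, local port) -> owning user, i.e. the
    client's own view of its TCP connection table.
    """
    text = request.decode("ascii", errors="replace").strip()
    m = re.fullmatch(r"(\d{1,5})\s*,\s*(\d{1,5})", text)
    if not m:                 # unparsable request: echo zeros (this example's choice)
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (_valid_port(sp) and _valid_port(cp)):
        return f"{sp} , {cp} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = connections.get((sp, cp))
    if user is None:
        return f"{sp} , {cp} : ERROR : NO-USER\r\n".encode("ascii")
    # The client asserts the user name; the server has no way to verify it,
    # which is why the text says IDENT is easily fooled.
    return f"{sp} , {cp} : USERID : {opsys} : {user}\r\n".encode("ascii")


@dataclass
class IdentReply:
    ports: PortPair
    kind: str                  # "USERID" or "ERROR"
    opsys: Optional[str] = None
    user_id: Optional[str] = None
    error: Optional[str] = None


def parse_reply(line: bytes, expected: PortPair) -> IdentReply:
    """Server side: strict parse of the reply. Rejects over-long lines, a
    malformed port pair, ports that do not echo the request, unknown types."""
    if len(line) > 512:                      # RFC 1413 maximum reply length
        raise ValueError("reply exceeds 512 octets")
    text = line.decode("ascii").rstrip("\r\n")
    head, sep, rest = text.partition(":")
    if not sep:
        raise ValueError("missing ':' after port pair")
    try:
        sp, cp = (int(x) for x in head.split(","))
    except ValueError:
        raise ValueError("malformed port pair") from None
    if (sp, cp) != expected:
        raise ValueError("reply ports do not match the request")
    fields = [f.strip() for f in rest.split(":", 2)]
    kind = fields[0].upper()
    if kind == "USERID" and len(fields) == 3 and fields[2]:
        return IdentReply((sp, cp), "USERID", opsys=fields[1], user_id=fields[2])
    if kind == "ERROR" and len(fields) == 2:
        err = fields[1].upper()
        if err in ERROR_TYPES or err.startswith("X-"):
            return IdentReply((sp, cp), "ERROR", error=err)
    raise ValueError(f"unrecognised reply: {text!r}")


def exchange(server_port: int, client_port: int,
             connections: Dict[PortPair, str]) -> IdentReply:
    """Round trip: build the query, let identd answer it, parse the answer.

    Constructed sample: exchange(23, 6191, {(23, 6191): "stjohns"}) yields a
    USERID reply for "stjohns"; an unknown port pair yields ERROR : NO-USER.
    """
    request = build_request(server_port, client_port)
    return parse_reply(identd_respond(request, connections),
                       (server_port, client_port))
```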

www.syngress.com

614 Chapter 10 • Troubleshooting and Performance Monitoring

Summary

This chapter introduced a troubleshooting methodology based on the OSI model. Using this approach, you start at the lowest layers and work up the stack. Doing this enables you to eliminate lower (and usually simpler) layer causes before focusing efforts on higher (and usually more complex) layer aspects of PIX firewall troubleshooting.

Knowledge is power! Knowing the various models of PIX firewalls and their capabilities is extremely important to troubleshooting. Certain models of the PIX firewall, such as models 501 and 506, do not support failover. Knowing such details would prevent you from wasting your time attempting to solve problems with features not supported on a particular model. Other useful information to know about the PIX firewall includes the number of supported connections as well as the number and types of NICs supported (such as Token Ring and Ethernet).

Although the PIX firewall supports a limited number of network types, familiarity with the cables used to connect to those networks can be a useful asset to troubleshooting. The PIX firewall uses standard TA586A/B wiring schemes for 10/100 Ethernet, and SC multimode fiber optic cables for Gigabit Ethernet. The failover cable is an instance of a specialized function made possible by adhering to a strict Cisco proprietary wiring scheme.

In order for the PIX firewall to perform its function, it must be able to service its internal networks as well as know how to forward traffic to the appropriate destination. This is made possible using static routes or RIP. You need to be able to troubleshoot and resolve reachability issues to enable the PIX firewall to perform its job.

Translation is required for providing connectivity through the PIX firewall. Your troubleshooting toolbox includes many Cisco commands such as show xlate, show nat, and show global, all used to examine translation configurations and operations. Ensure that you make clear xlate a regularly performed step in your troubleshooting, especially after making configuration changes.

Other connectivity issues you need to troubleshoot involve ensuring that only the proper access is granted to certain external networks. You can use commands such as show conduit, show access-list, and show access-group to validate what access is granted.

IPsec is probably one of the most complex features you will ever configure on the PIX firewall. The troubleshooting is equally complex. In this chapter, we covered several of the most critical commands available for verifying IPsec operation. When troubleshooting, divide your efforts to enable better focus by first troubleshooting and resolving IKE issues, then focusing on IPsec. IPsec depends on IKE, but IKE does not need IPsec to perform its functions.

With the introduction of PIX version 6.2, Cisco has provided a useful packet capture and analysis tool in the form of the capture command. This command allows you to troubleshoot networks remotely by enabling the capture and analysis of traffic on networks connected to the PIX firewall. This reduces the need to install a third-party device on the target network to obtain information about it.

The best troubleshooting practice is proactive monitoring to detect problems before they become unmanageable. You can achieve this proactive state by gathering performance data about various aspects of your PIX firewall such as CPU performance, memory consumption, and network bandwidth utilization statistics.

Solutions Fast Track

Troubleshooting Hardware and Cabling

- Use the OSI model to guide your troubleshooting efforts, starting with Layer 1 (the physical layer) and working your way up.

- There are several models of the PIX firewall, starting with the fixed-configuration 501 up to the current top-of-the-line model, the configurable 535. In addition, a Firewall Services Module (FWSM) is available for the Catalyst 6500 series switches.

- Monitoring the PIX firewall POST can provide valuable information about the hardware that is installed.

- The show interface command provides very useful statistics about network interfaces, which can provide clues about network malfunctions.

- The PIX firewall uses the TA586A/B wiring standard for connectivity to 10/100 Ethernet networks. Gigabit Ethernet networks connect to the PIX firewall via SC multimode fiber optic cables.


Troubleshooting Connectivity

- Like any network device, the PIX firewall must know how to reach its destinations.

- The PIX firewall can use static routes or RIP.

- The routing troubleshooting process is similar to the steps that you would perform on a router (checking routing tables, verifying next-hop reachability, and so on).

- IP address assignment should be one of the first items checked for correctness, before any other item.

- Since translation configuration has as much effect on connectivity as routing, you need to know how to validate it.

Troubleshooting IPsec

- IPsec troubleshooting needs to be very methodical due to its complexity.

- Validate IKE first before attempting to tackle IPsec itself, since IPsec depends on IKE for its operation.

- The show isakmp command can give a quick snapshot of the IKE configuration on the firewall, enabling you to examine the parameters for correctness.

- The show crypto ipsec command with select keywords can enable you to check various aspects of IPsec, such as its security associations and transform sets.

Capturing Traffic

- Cisco introduced the capture command in PIX version 6.2.

- This command enables you to remotely capture packets on networks connected to the PIX firewall.

- Captured packets can be viewed on the console, viewed or downloaded from a Web browser, or downloaded to a workstation via TFTP for analysis by third-party software such as tcpdump.


Monitoring and Troubleshooting Performance

- Proactive monitoring can prevent problems from becoming unmanageable.

- CPU performance and memory consumption can be indicators of problems.

- The show processes command can help identify the processes that are running and the ones that could be consuming more PIX firewall resources than they should.

Q: Which PIX firewall models support Gigabit Ethernet?

A: 525 and 535.

Q: I suspect a key mismatch between my IKE peers. What can I do to verify that?

A: You can check syslog messages, which will display information about these types of errors. You can also use show crypto isakmp and view the configuration.

Q: What is the latest version of PIX software that supports Token Ring and FDDI interfaces?

A: Version 5.3. Versions after that have no support for Token Ring or FDDI.

Q: How do I determine how much memory is installed on my PIX firewall?

A: Use either the show version command or the show memory command.


Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.


Q: In a failover configuration, what determines which firewall is active and which is standby?

A: The failover cable that Cisco provides is unique, such that one end will cause the firewall to become the active unit in a failover configuration, whereas the other end will become standby.

Q: Where is the configuration file for the PIX firewall stored?

A: It is stored in flash memory. There is no NVRAM like that commonly found on Cisco routers.

Q: What routing protocols does the PIX firewall support?

A: At the time of this writing, only RIP versions 1 and 2 are supported.

Network Performance Monitoring

Congested network interfaces can degrade overall performance. You need to ensure that the interfaces on your PIX firewall can handle the demands placed on them. Cisco offers several commands to check the status of your interfaces.

The show interface Command

One such command is show interface. You can check how much bandwidth is being consumed and check a myriad of error counters. We discussed show interface earlier in the chapter, and will not repeat what has already been covered.


The show traffic Command

You can narrow your focus to capture the specific number of packets and bytes that are transiting each interface on the PIX firewall. The show interface command provides similar information, but you have to make it a specific point to zoom in on that information to determine exactly the amount of traffic being passed on a per-interface basis.

The show traffic command provides statistics on the number of packets and bytes passed through each interface. As you can see in the output in Figure 10.27, show traffic tells you how long the interface has been in operation (either the firewall below has been in operation about three hours, or that much time has elapsed since the clearing of the statistics). The command output displays the amount of traffic transmitted and received in that amount of time.

Figure 10.27 Output of the show traffic Command

PIX1# show traffic
outside:
        received (in 10035.150 secs):
                2 packets       678 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 10035.150 secs):
                14 packets      1026 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 10035.150 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 10035.150 secs):
                15 packets      900 bytes
                0 pkts/sec      0 bytes/sec

You can reset the traffic counters using the clear traffic command, which resets the counters to 0.
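As an added example (not code from the book), the following Python parses output in the format of Figure 10.27 and subtracts an earlier snapshot from a later one, so per-interface growth can be measured without running clear traffic; a shrinking "secs" interval is taken as the sign that the counters were cleared in between. SAMPLE_T1 and the 600-second interval are constructed values.

```python
"""Parse PIX `show traffic` output and measure counter growth between two
snapshots (added example, not code from the book).

SAMPLE_T0 reproduces the format of Figure 10.27; SAMPLE_T1 is a constructed
later snapshot of the same firewall. snapshot_delta subtracts the two and
treats a shrinking "secs" interval as evidence that `clear traffic` was run.
"""
import re
from dataclasses import dataclass
from typing import Dict

SAMPLE_T0 = """\
PIX1# show traffic
outside:
        received (in 10035.150 secs):
                2 packets       678 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 10035.150 secs):
                14 packets      1026 bytes
                0 pkts/sec      0 bytes/sec
inside:
        received (in 10035.150 secs):
                0 packets       0 bytes
                0 pkts/sec      0 bytes/sec
        transmitted (in 10035.150 secs):
                15 packets      900 bytes
                0 pkts/sec      0 bytes/sec
"""
# Constructed: same firewall 600 s later; outside received 12000 more packets
# (9000000 more bytes), everything else unchanged.
SAMPLE_T1 = (SAMPLE_T0.replace("10035.150", "10635.150")
             .replace("2 packets       678 bytes", "12002 packets   9000678 bytes"))


@dataclass
class Direction:
    secs: float    # interval the counters cover
    packets: int
    bytes: int


@dataclass
class InterfaceTraffic:
    name: str
    received: Direction
    transmitted: Direction


_IFACE_RE = re.compile(r"^(\S+):$")
_DIR_RE = re.compile(r"^\s+(received|transmitted) \(in ([\d.]+) secs\):$")
_TOTALS_RE = re.compile(r"^\s+(\d+) packets\s+(\d+) bytes$")


def parse_show_traffic(text: str) -> Dict[str, InterfaceTraffic]:
    """Return {interface: InterfaceTraffic}; the pkts/sec lines are ignored
    because bytes_per_sec recomputes the rate from the totals."""
    blocks: Dict[str, Dict[str, Direction]] = {}
    iface = pending = None            # pending = (direction, secs) awaiting totals
    for line in text.splitlines():
        line = line.rstrip()
        m_if, m_dir, m_tot = _IFACE_RE.match(line), _DIR_RE.match(line), _TOTALS_RE.match(line)
        if m_if:
            iface, pending = m_if.group(1), None
            blocks[iface] = {}
        elif m_dir and iface is not None:
            pending = (m_dir.group(1), float(m_dir.group(2)))
        elif m_tot and pending is not None:
            blocks[iface][pending[0]] = Direction(pending[1], int(m_tot.group(1)), int(m_tot.group(2)))
            pending = None
    result: Dict[str, InterfaceTraffic] = {}
    for name, parts in blocks.items():
        if set(parts) != {"received", "transmitted"}:
            raise ValueError(f"{name}: incomplete show traffic block")
        result[name] = InterfaceTraffic(name, parts["received"], parts["transmitted"])
    return result


def bytes_per_sec(d: Direction) -> float:
    return d.bytes / d.secs if d.secs > 0 else 0.0


def snapshot_delta(old: Dict[str, InterfaceTraffic],
                   new: Dict[str, InterfaceTraffic]) -> Dict[str, InterfaceTraffic]:
    """Counter growth from old to new. An interface whose interval shrank had
    `clear traffic` run in between, so its new counters are returned as is."""
    def diff(a: Direction, b: Direction) -> Direction:
        return Direction(b.secs - a.secs, b.packets - a.packets, b.bytes - a.bytes)

    out: Dict[str, InterfaceTraffic] = {}
    for name, cur in new.items():
        prev = old.get(name)
        if prev is None or cur.received.secs < prev.received.secs:
            out[name] = cur
        else:
            out[name] = InterfaceTraffic(name, diff(prev.received, cur.received),
                                         diff(prev.transmitted, cur.transmitted))
    return out
```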