Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών: Χρήση Access - List

Σχετικά έγγραφα
Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών: Access Lists

Δίκτυα Επικοινωνιών ΙΙ: OSPF Configuration

Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών: IOS Routing Configuration

2 Composition. Invertible Mappings

Εργαστήριο Ανάπτυξης Εφαρμογών Βάσεων Δεδομένων. Εξάμηνο 7 ο

ΚΥΠΡΙΑΚΗ ΕΤΑΙΡΕΙΑ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ 6/5/2006

Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών: OSPF Cost

Instruction Execution Times

ΚΥΠΡΙΑΚΗ ΕΤΑΙΡΕΙΑ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ 19/5/2007

CYTA Cloud Server Set Up Instructions

ΠΑΝΕΠΙΣΤΗΜΙΟΥ ΠΕΛΟΠΟΝΝΗΣΟΥ ΤΜΗΜΑ ΕΠΙΣΤΗΜΗΣ ΚΑΙ ΤΕΧΝΟΛΟΓΙΑΣ ΤΗΛΕΠΙΚΟΙΝΩΝΙΩΝ Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών

Homework 3 Solutions

(C) 2010 Pearson Education, Inc. All rights reserved.

3.4 SUM AND DIFFERENCE FORMULAS. NOTE: cos(α+β) cos α + cos β cos(α-β) cos α -cos β

department listing department name αχχουντσ ϕανε βαλικτ δδσϕηασδδη σδηφγ ασκϕηλκ τεχηνιχαλ αλαν ϕουν διξ τεχηνιχαλ ϕοην µαριανι

PARTIAL NOTES for 6.1 Trigonometric Identities

The Simply Typed Lambda Calculus

Finite Field Problems: Solutions

Section 8.3 Trigonometric Equations

EE512: Error Control Coding

Approximation of distance between locations on earth given by latitude and longitude

Section 9.2 Polar Equations and Graphs

derivation of the Laplacian from rectangular to spherical coordinates

Section 7.6 Double and Half Angle Formulas

[1] P Q. Fig. 3.1

6.1. Dirac Equation. Hamiltonian. Dirac Eq.

HOMEWORK 4 = G. In order to plot the stress versus the stretch we define a normalized stretch:

Inverse trigonometric functions & General Solution of Trigonometric Equations

ΚΥΠΡΙΑΚΟΣ ΣΥΝΔΕΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY 21 ος ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ Δεύτερος Γύρος - 30 Μαρτίου 2011

Modbus basic setup notes for IO-Link AL1xxx Master Block

Lecture 2. Soundness and completeness of propositional logic

Partial Trace and Partial Transpose

ΓΡΑΜΜΙΚΟΣ & ΔΙΚΤΥΑΚΟΣ ΠΡΟΓΡΑΜΜΑΤΙΣΜΟΣ

Εργαστήριο ικτύων Υπολογιστών 6η ιάλεξη: Ασφάλεια δικτύων

Phys460.nb Solution for the t-dependent Schrodinger s equation How did we find the solution? (not required)

Overview. Transition Semantics. Configurations and the transition relation. Executions and computation

ANSWERSHEET (TOPIC = DIFFERENTIAL CALCULUS) COLLECTION #2. h 0 h h 0 h h 0 ( ) g k = g 0 + g 1 + g g 2009 =?

Block Ciphers Modes. Ramki Thurimella

Κεφάλαιο 13. Έλεγχος πρόσβασης με Firewall

Physical DB Design. B-Trees Index files can become quite large for large main files Indices on index files are possible.

Επίπεδο Μεταφοράς. (ανεβαίνουμε προς τα πάνω) Εργαστήριο Δικτύων Υπολογιστών Τμήμα Μηχανικών Η/Υ και Πληροφορικής

Συστήματα Διαχείρισης Βάσεων Δεδομένων

SUPERPOSITION, MEASUREMENT, NORMALIZATION, EXPECTATION VALUES. Reading: QM course packet Ch 5 up to 5.6

Right Rear Door. Let's now finish the door hinge saga with the right rear door

CRASH COURSE IN PRECALCULUS

Δημιουργία Λογαριασμού Διαχείρισης Business Telephony Create a Management Account for Business Telephony

TMA4115 Matematikk 3

Fractional Colorings and Zykov Products of graphs

DESIGN OF MACHINERY SOLUTION MANUAL h in h 4 0.

the total number of electrons passing through the lamp.

CHAPTER 48 APPLICATIONS OF MATRICES AND DETERMINANTS

Εργαστήριο Ανάπτυξης Εφαρμογών Βάσεων Δεδομένων. Εξάμηνο 7 ο

Exercises 10. Find a fundamental matrix of the given system of equations. Also find the fundamental matrix Φ(t) satisfying Φ(0) = I. 1.

Econ 2110: Fall 2008 Suggested Solutions to Problem Set 8 questions or comments to Dan Fetter 1

Test Data Management in Practice

C.S. 430 Assignment 6, Sample Solutions

ΚΥΠΡΙΑΚΗ ΕΤΑΙΡΕΙΑ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ 24/3/2007

Ordinal Arithmetic: Addition, Multiplication, Exponentiation and Limit

Galatia SIL Keyboard Information

Lecture 2: Dirac notation and a review of linear algebra Read Sakurai chapter 1, Baym chatper 3

Example Sheet 3 Solutions

Special edition of the Technical Chamber of Greece on Video Conference Services on the Internet, 2000 NUTWBCAM

Matrices and Determinants

Potential Dividers. 46 minutes. 46 marks. Page 1 of 11

Στρατηγικές Ασφάλειας

F-TF Sum and Difference angle

Practice Exam 2. Conceptual Questions. 1. State a Basic identity and then verify it. (a) Identity: Solution: One identity is csc(θ) = 1

Η ΠΡΟΣΩΠΙΚΗ ΟΡΙΟΘΕΤΗΣΗ ΤΟΥ ΧΩΡΟΥ Η ΠΕΡΙΠΤΩΣΗ ΤΩΝ CHAT ROOMS

Advanced Subsidiary Unit 1: Understanding and Written Response

CHAPTER 25 SOLVING EQUATIONS BY ITERATIVE METHODS

UNIVERSITY OF CALIFORNIA. EECS 150 Fall ) You are implementing an 4:1 Multiplexer that has the following specifications:

ΙΠΛΩΜΑΤΙΚΗ ΕΡΓΑΣΙΑ. ΘΕΜΑ: «ιερεύνηση της σχέσης µεταξύ φωνηµικής επίγνωσης και ορθογραφικής δεξιότητας σε παιδιά προσχολικής ηλικίας»

The challenges of non-stable predicates

Main source: "Discrete-time systems and computer control" by Α. ΣΚΟΔΡΑΣ ΨΗΦΙΑΚΟΣ ΕΛΕΓΧΟΣ ΔΙΑΛΕΞΗ 4 ΔΙΑΦΑΝΕΙΑ 1

SCITECH Volume 13, Issue 2 RESEARCH ORGANISATION Published online: March 29, 2018

Πώς μπορεί κανείς να έχει έναν διερμηνέα κατά την επίσκεψή του στον Οικογενειακό του Γιατρό στο Ίσλινγκτον Getting an interpreter when you visit your

Problem Set 3: Solutions

Srednicki Chapter 55

Εργαστήριο «Δίκτυα Υπολογιστών Ι»

Jesse Maassen and Mark Lundstrom Purdue University November 25, 2013

Math221: HW# 1 solutions

Στο εστιατόριο «ToDokimasesPrinToBgaleisStonKosmo?» έξω από τους δακτυλίους του Κρόνου, οι παραγγελίες γίνονται ηλεκτρονικά.

Other Test Constructions: Likelihood Ratio & Bayes Tests

Math 6 SL Probability Distributions Practice Test Mark Scheme

Démographie spatiale/spatial Demography

Internet protocol stack Encapsulation Connection oriented VS connectionless services Circuit Switching Packet Switching Store-and-forward switches

Review Test 3. MULTIPLE CHOICE. Choose the one alternative that best completes the statement or answers the question.

ΑΚΑ ΗΜΙΑ ΕΜΠΟΡΙΚΟΥ ΝΑΥΤΙΚΟΥ ΜΑΚΕ ΟΝΙΑΣ ΣΧΟΛΗ ΜΗΧΑΝΙΚΩΝ ΠΤΥΧΙΑΚΗ ΕΡΓΑΣΙΑ

Context-aware και mhealth

Every set of first-order formulas is equivalent to an independent set

b. Use the parametrization from (a) to compute the area of S a as S a ds. Be sure to substitute for ds!

Nowhere-zero flows Let be a digraph, Abelian group. A Γ-circulation in is a mapping : such that, where, and : tail in X, head in

Elements of Information Theory

ΕΙΣΑΓΩΓΗ ΣΤΗ ΣΤΑΤΙΣΤΙΚΗ ΑΝΑΛΥΣΗ

ΠΑΝΕΠΙΣΤΗΜΙΟ ΠΕΙΡΑΙΩΣ ΤΜΗΜΑ ΠΛΗΡΟΦΟΡΙΚΗΣ ΠΜΣ «ΠΡΟΗΓΜΕΝΑ ΣΥΣΤΗΜΑΤΑ ΠΛΗΡΟΦΟΡΙΚΗΣ» ΚΑΤΕΥΘΥΝΣΗ «ΕΥΦΥΕΙΣ ΤΕΧΝΟΛΟΓΙΕΣ ΕΠΙΚΟΙΝΩΝΙΑΣ ΑΝΘΡΩΠΟΥ - ΥΠΟΛΟΓΙΣΤΗ»

ΤΕΧΝΟΛΟΓΙΚΟ ΕΚΠΑΙΔΕΥΤΙΚΟ ΙΔΡΥΜΑ ΠΕΛΟΠΟΝΝΗΣΟΥ

Εργαστήριο Ανάπτυξης Εφαρμογών Βάσεων Δεδομένων. Εξάμηνο 7 ο

EPL 603 TOPICS IN SOFTWARE ENGINEERING. Lab 5: Component Adaptation Environment (COPE)

Assalamu `alaikum wr. wb.

Transcript:

Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών: Χρήση Access - List Δρ. Απόστολος Γκάμας Διδάσκων (407/80) gkamas@uop.gr Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 1 1

ACL Summary Access lists perform several functions within a Cisco router, including: Implement security / access procedures Act as a protocol "firewall" Extended access lists allow filtering on address, protocol, and applications. Access lists are used to limit broadcast traffic. Filter the packet flows that flow in or out router interfaces. Help protect expanding network resources without impeding the flow of legitimate communication. Differentiate packet traffic into categories that permit or deny other features. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 2 2

ACL Summary You can also use access lists to: Identify packets for priority or custom queuing Restrict or reduce the contents of routing updates Access lists also process packets for other security features to: Provide IP traffic dynamic access control with enhanced user authentication using the lock-and-key feature Identify packets for encryption Identify Telnet access allowed to the router virtual terminals Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 3 3

What are Access Lists? Statements that specify conditions that an administrator sets so the router will handle the traffic covered by the access list in an out-of-the ordinary manner. Give added control for processing the specific packets in a unique way. Two main types of access lists are: Standard Extended Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 4 4

Standard Access Lists Standard access lists for IP check the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on the network/subnet/host address. If the packets are denied by the standard access list, all these packets for the given category are dropped. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 5 5

Extended Access Lists Check for both source and destination packet addresses. Also can check for specific protocols, port numbers, and other parameters. Also permits or denies with more granularity. Check for specific protocols, port numbers, and other parameters. This allows administrators more flexibility to describe what checking the access list will do. Packets can be permitted or denied output based on where the packet originated and on its destination. For example, it can allow electronic mail traffic from E0 to specific S0 destinations, while denying remote logins or file transfers Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 6 6

A list of tests: Deny or Permit Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 7 7

A List of Tests: Deny or Permit Access list statements operate in sequential, logical order. Evaluate packets from the top down. If a packet header and access list statement match, the packet skips the rest of the statements. If a condition match is true, the packet is permitted or denied. There can be only one access list per protocol per interface. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 8 8

Deny Any Statement For logical completeness, an access list must have conditions that test true for all packets using the access list. A final implied statement (DENY ANY) covers all packets for which conditions did not test true. This final test condition matches all other packets. It results in a deny. Instead of proceeding in or out an interface, all these remaining packets are dropped. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 9 9

Access List Command Overview In practice, access list commands can be lengthy character strings. Access lists can be complicated to enter or interpret. However, you can simplify understanding the general access list configuration commands by reducing the commands to two general elements Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 10 10

Access List Command Overview Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 11 11

Wildcard Mask Bits IP access lists use wildcard masking. Wildcard Masking for IP address bits uses the number 1 and the number 0 to identify how to treat the corresponding IP address bits. A wildcard mask bit 0 means check the corresponding bit value. A wildcard mask bit 1 means do not check (ignore) that corresponding bit value. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 12 12

How to use wildcard mask bits Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 13 13

Standard ACL (1-99) Access-list list# {permit/deny} source IP [wildcard mask] interface [router port] ip access-group [list#] in out (out is the default) If a match is made, the action defined in this access list statement is performed. If no match is made with an entry in the access list, the deny action is performed (implicit deny) Should be put close to the destination address because you can not specify the destination address. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 14 14

Wildcard Mask 32 bit long Mask bits of 0 imply that the same bit positions must be compared Mask bits of 1 imply that the same bit positions are considered to match Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 15 15

Extended ACL (100-199) Access-list list# {permit/deny} protocol source [source mask] destination [destination mask] operator [port] Should be put close to the source Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 16 16

Correct Placement of Extended ACLs Since extended ACLs have destination information, you want to place it as close to the source as possible. Place an extended ACL on the first router interface the packet enters and specify inbound in the access-group command. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 17 17

Correct Placement of Extended ACLs In the graphic below, we want to deny network 221.23.123.0 from accessing the server 198.150.13.34. What router and interface should the access list be applied to? Write the access list on Router C, apply it to the E0, and specify in This will keep the network free of traffic from 221.23.123.0 destined for 198.150.13.34 but still allow 221.23.123.0 access to the Internet Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 18 18

Example Configure an access list that blocks network 210.93.105.0 from exiting serial port s0 on some router. Allow all other to pass. access-list 4 deny 210.93.105.0 0.0.0.255 access-list 4 permit any interface s0 ip access-group 4 Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 19 19

Example (continued) Same example but would like to block only the first half IP of the network. access-list 4 deny 210.93.105.0 0.0.0.127 access-list 4 permit any interface s0 ip access-group 4 Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 20 20

Example (continued) Same example but would like to block only the even numbered IP of the network. access-list 4 deny 210.93.105.0 0.0.0.254 access-list 4 permit any interface s0 ip access-group 4 Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 21 21

Example (continued) Same example but would like to block only the odd numbered IP of the network. access-list 4 deny 210.93.105.1 0.0.0.254 access-list 4 permit any interface s0 ip access-group 4 Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 22 22

Time Savers: the any command Since ACLs have an implicit deny any statement at the end, you must write statements to permit others through. Using our previous example, if the students are denied access and all others are allowed, you would write two statements: Lab-A(config)#access-list 1 deny 192.5.5.0 0.0.0.127 Lab-A(config)#access-list 1 permit 0.0.0.0 255.255.255.255 Since the last statement is commonly used to override the deny any, Cisco gives you an option--the any command: Lab-A(config)#access-list 1 permit any Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 23 23

Time Savers: the host command Many times, a network administrator will need to write an ACL to permit a particular host (or deny a host). The statement can be written in two ways. Either... or... Lab-A(config)#access-list 1 permit 192.5.5.10 0.0.0.0 Lab-A(config)#access-list 1 permit host 192.5.5.10 Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 24 24

Ext. ACL Misc Port accounting access-list 106 permit udp any any eq Match only packets on a given port number fragments Check non-initial fragments gt Match only packets with a greater port number log Log matches against this entry log-input Log matches against this entry, incl. input interface lt Match only packets with a lower port number neq Match only packets not on a given port number precedence Match packets with given precedence value range Match only packets in the range of port numbers tos Match packets with given TOS value Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 25 25

Ext. ACL Misc. cnt. 26 TCP header fields access-list 106 permit tcp any any ack Match on the ACK bit eq Match only packets on a given port number established Match established connections fin Match on the FIN bit fragments Check non-initial fragments gt Match only packets with a greater port number log Log matches against this entry log-input Log matches against this entry, incl. input interface lt Match only packets with a lower port number neq Match only packets not on a given port number precedence Match packets with given precedence value psh Match on the PSH bit range Match only packets in the range of port numbers rst Match on the RST bit syn Match on the SYN bit tos Match packets with given TOS value urg Match on the URG bit Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 26

Verifying ACLs Show commands: show access-lists shows all access-lists configured on the router show access-lists {name number} shows the identified access list show ip interface shows the access-lists applied to the interface--both inbound and outbound. show running-config shows all access lists and what interfaces they are applied on Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 27 27

Enhanced Access Lists Time-Based Access lists whose statements become active based upon the time of day and/or day of the week. Reflexive Create dynamic openings on the untrusted side of a router based on sessions originating from a trusted side of the router. Dynamic (Lock and Key) Create dynamic entries. Context-Based Access Control (CBAC) Allows for secure handling of multi-channel connections based on upper layer information. Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 28 28

BGP route filtering Filtering incoming/outgoing routes Network filter router bgp <AS> neighbor <ip-address> remote-as <his-as> neighbor <ip-address> distribute-list <ACL> [in/out]! access-list <ACL> [permit/deny] <network> <mask> Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 29 29

BGP route filtering 2 Filtering with AS-path router bgp <AS> neighbor <ip-address> remote-as <his-as> neighbor <ip-address> filter-list <AS-ACL> [in/out]! ip as-path access-list <AS-ACL> [permit/deny] <regexp> regexp examples: ^$ - network originated in local AS.* - matches anything _123_ - networks reachable through AS 123 Υλοποίηση Δικτυακών Υποδομών και Υπηρεσιών Διαφάνεια 30 30

2024 © DocPlayer.gr Πολιτική Απορρήτου | Όροι Χρήσης | Σχόλια