Show page

Differences

This shows you the differences between two versions of the page.

--- sred:laborator_1._acl [2020/10/13 00:18]
horia.stoenescu added acl tasks
+++ sred:laborator_1._acl [2022/10/14 23:55] (current)
horia.stoenescu [Setup]
@@ Line 1: / Line 1: @@
-======== Lab 1. ACL ========
+======== Lab 1. Packet filtering - ACL ========
 ==== Setup ====
-The topology consists of one Cisco router model 7200 with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and two Ubuntu machines which serves as client (L2) and server (L1).
-Eve-ng virtual machine should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//).
+=== Story ===
+In an imaginary scenario, our company is at the beginning and has few money to invest in infrastructure. We have a HQ with 1 Linux machine serving as the web server and 2 branches represented with 1 client per each one. The routing between them is done using a Cisco router and minimum filtering provided by ACLs.
+=== Local host prerequisites ===
+If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches.
+You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]].
+For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]].
+=== Lab infra ===
+After starting the nodes, in order to access the machine you need
+The topology consists of one Cisco router model 7200 (with image name **c7200-adventerprisek9-mz.124-11.T1.image** - see this [[http://31.22.89.2/cisco-ios/7200/|link]] for other 7200 images) with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and 3 Ubuntu machines which serves as server and clients (client1 and client2).
+To simulate this, we are using an eve-ng virtual machine that should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//).
+<note>
+For Cisco router node we are using idle value: 0x6149f77c (as this is the one has the highest count value). This way, we make sure that dynamips process is not in high cpu load.
+</note>
 You have to do the following:
-- add IPs for network between the server and the network equipment (use range 10.10.10.0/24)
+- add IPs for network between the server and the network equipment (use range 1.1.1.0/24)
-- add IPs for network between the client and the network equipment (use range 10.20.20.0/24)
+- add IPs for network between the clients and the network equipment (use ranges 2.2.2.0/24 and 3.3.3.0/24)
 First IP is allocated for router and the second one for Linux machine
 - add routes to make sure the endpoints can ping each other
-==== Exercises using ACLs ====
+<note tip>
-. **Filter ICMP traffic**:
+In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]]
+</note>
-We have the following scenario: suppose on the L1 there are multiple services available on 2 different interfaces (intf_1 with the IP already configured and intf_2 which we will configure below). I want only the first one to be 'pingable' by the clients to ensure some security.
+**Topology**:
-. **Filter non-DNS and non-HTTP traffic:**
+{{:sred:lab1_topology.png?800|}}
-Remove the old ACL from interface e0/0.
+<note>
+Credentials webui eve-ng: user: **admin**; password: **eve**
-On this taks, you need write a new ACL (can use the value 101) with the following requirements:
+Credentials ubuntu machines: user: **eve**; password: **eve**
-- allow DNS traffic to host 8.8.8.8 (test with nslookup or host)
-- all HTTP traffic to host upb.ro (test with curl or wget). For upb.ro host use IP address 141.85.220.33
+No enable password is set for router!
+</note>
-- deny any other type of traffic to host 8.8.8.8 and upb.ro
+==== Tutorial exercises using ACLs ====
+. **Standard ACL - basic filtering**:
-Apply this to the client network and find the ip addess for upb.ro, test curl upb.ro and then try to ping upb.ro or 8.8.8.8. Do not forget to add on client the nameserver.
+We have the following scenario: suppose I have on the client1 2 interfaces linked to the router (we will use a subinterface here) and I want only from the first one to ping the server and client2:
+<code>
+root@client1:/home/eve/Desktop# ip a a 2.2.2.3/24 dev eth0:0
+root@client1:/home/eve/Desktop# ip a s dev eth0
+: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 00:50:00:00:03:00 brd ff:ff:ff:ff:ff:ff
+    inet 2.2.2.2/24 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet 2.2.2.3/24 scope global secondary eth0
+       valid_lft forever preferred_lft forever
+</code>
+Check that ping from both client1 works from both interfaces (use -I flag).
+<code>
+root@client1:/home/eve/Desktop# ping -c 1 -I 2.2.2.3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) from 2.2.2.3 : 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=11.0 ms
+[...]
+</code>
+Add on the router the first ACL (stanard - called 1) that will permit only the first ip address:
+<code>
+cisco_7200(config)#ip access-list standard 1
+cisco_7200(config-std-nacl)#permit host 2.2.2.2
+cisco_7200(config-std-nacl)#deny any
+cisco_7200(config-std-nacl)#exit
+cisco_7200(config)#int e1/1
+cisco_7200(config-if)#ip access-group 1 in
+</code>
+Check again from client1 and see how for the second ip 2.2.2.3, the router responds with an icmp packet with code 13 (packet filtered):
+<code>
+root@client1:/home/eve/Desktop# ping -c 1 -I 2.2.2.2 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) from 2.2.2.2 : 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=11.6 ms
+--- 1.1.1.2 ping statistics ---
+packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 11.659/11.659/11.659/0.000 ms
+root@client1:/home/eve/Desktop# ping -c 1 -I 2.2.2.3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) from 2.2.2.3 : 56(84) bytes of data.
+From 2.2.2.1 icmp_seq=1 Packet filtered
+--- 1.1.1.2 ping statistics ---
+packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
+</code>
+You can also use tcpdump with verbosity on:
+<code>
+eve@client1:~/Desktop$ sudo tcpdump -i eth0 -vv src 2.2.2.1
+tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
+:52:33.644250 IP (tos 0x0, ttl 255, id 105, offset 0, flags [none], proto ICMP (1), length 56)
+.2.2.1 > client1: ICMP host 1.1.1.2 unreachable - admin prohibited filter, length 36
+	IP (tos 0x0, ttl 63, id 19367, offset 0, flags [DF], proto ICMP (1), length 84)
+</code>
+. **Filter traffic from client2:**
+<note important>
+Remove the old ACL (1) from interface e1/1 (the acl can be kept and make sure not to reuse the name):
+<code>
+cisco_7200(config-if)#exit
+cisco_7200(config)#int e1/1
+cisco_7200(config-if)#no ip access-group 1 in
+</code>
+</note>
+The server machine has a web server (**listens on port 8080**) with some CCNs and romanian SSNs (CNP) - note that they are all fake.
+<note>
+Module [[https://stackabuse.com/serving-files-with-pythons-simplehttpserver-module/|SimpleHTTPServer]] is used for simulating a web server with files to be accessed.
+The server is already running as in .bashrc there is created a new screen with this server:
+<code>
+pushd /home/eve/important_data; screen -d -m python -m SimpleHTTPServer 8080; popd
+</code>
+Try firstly locally to send a GET request to localserver:
+<code>
+eve@server:~$ sudo netstat -atupn | grep 8080
+tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2071/python
+eve@server:~$ curl localhost:8080
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
+<title>Directory listing for /</title>
+<body>
+<h2>Directory listing for /</h2>
+<hr>
+<ul>
+<li><a href="CCN">CCN</a>
+<li><a href="CNP">CNP</a>
+</ul>
+<hr>
+</body>
+</html>
+</code>
+If the server is not up, create a new terminal and start it using the command from above (in .bashrc).
+</note>
+This second scenario is based on client2 old behavior. During some period of time, we saw that he is not behaving as expected (he is constantly accessing hacking websites and learning how to create fake identities) and as we do not have currently a firewall in our network, we will use again ACLs to stop him from accessing our important data from HQ.
+To simulate another service (like a chat), we will use nc on server.
+From another terminal, start the nc process listening on port 4444.
+<code>
+eve@server:~$ nc -l 4444
+[...]
+</code>
+On this taks, you need write a new ACL (extended with value 101) with the following requirements:
+- deny traffic from client2 (with ip: 3.3.3.2) to server (with ip: 1.1.1.2) on port 8080
+- deny traffic from client2 to server on port 4444
+- allow any other type of traffic
+Apply this to the client2 network and try to access from browser or cli the webserver and also to connect to chat:
+<code>
+root@client2:/home/eve/Desktop# nc 1.1.1.2 4444 # see how no response is seen here
+root@client2:/home/eve/Desktop# wget 1.1.1.2:8080
+--2020-10-22 17:26:22--  http://1.1.1.2:8080/
+Connecting to 1.1.1.2:8080... failed: No route to host.
+</code>
+Try also from the client1 side to be sure it still working:
+<code>
+root@client1:~# nc 1.1.1.2 4444
+test
+test2
+^C
+# and on the server side
+eve@server:~$ nc -l 4444
+test
+test2
+[...]
+root@client1:~# curl -I 1.1.1.2:8080
+HTTP/1.0 200 OK
+Server: SimpleHTTP/0.6 Python/2.7.17
+[...]
+</code>
 . **Filter based on QoS information on the IP header**:
@@ Line 43: / Line 203: @@
 </code>
-Add extended ACL 102 to inbound direction on intf e0/0.
+Add extended ACL 102 to outbound direction on intf e1/0.
+<code>
+cisco_7200(config)#int e1/0
+cisco_7200(config-if)#ip access-group 102 out
+</code>
 Try to send an icmp-echo request to server.
-See that without adding the TOS value to ping command, the packets are filtered. Let’s
+See that without adding the TOS value to ping command, the packets are filtered. Let’s try again with -Q flag added (try to look over ping [[https://linux.die.net/man/8/ping|manual]] also):
-try again with -Q flag added (try to look over ping manual also).
+<code>
+root@client2:/home/eve/Desktop# ping 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+From 3.3.3.1 icmp_seq=1 Packet filtered
+From 3.3.3.1 icmp_seq=2 Packet filtered
+[...]
+root@client2:/home/eve/Desktop# ping 1.1.1.2 -Q 4
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=16.6 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=14.4 ms
+# check the same on client1
+</code>
 . **Standard and extended access lists**:
@@ Line 56: / Line 232: @@
 explicitly defined as standard or extended. For easier debugging, there is also recommended to use only capitalized letters.
-For an ACL we can see how many times a rule was matched (for example, this can be
+For an ACL we can see how many times a rule was matched from privileged exec mode (for example, this can be
-used for collecting information about the behavior of users in a company).
+used for collecting information about the behavior of users in a company):
+<code>
+cisco_7200(config-if)#do sh ip access-lists 102
+Extended IP access list 102
+permit ip any any tos max-reliability (4 matches)
+deny ip any any (10 matches)
+</code>
-Another thing to note here are the line numbers (can be seen as priority values - the
+Another thing to note here are the line numbers - 10 and 20 in 102 ACL - (can be seen as priority values - the
-lowest value has the bigger priority) which are not incremented by default by one and instead there exists a gap for inserting new lines between them. In the case from above let’s say I want to introduce before ‘deny ip any any’ a new rule for permitting the source ip address 10.20.20.3.
+lowest value has the bigger priority) which are not incremented by default by one and instead there exists a gap for inserting new lines between them. In the case from above let’s say I want to introduce before ‘deny ip any any’ a new rule for permitting the source ip address 2.2.2.3:
+<code>
+cisco_7200(config)#ip access-list extended 102
+cisco_7200(config-ext-nacl)#15 permit ip host 2.2.2.3 any
-Both standard and extended ACLs filter traffic based on static entries from layer 3
+root@client1:~# ping -I 2.2.2.3 1.1.1.2
-headers (IPs, QoS etc.) and layer 4 (TCP SYN flag, TCP MPTCP option etc.). However, this type of filtering is not very reliable as this information can be bypassed by an attacker by simply modifying the packets. One such example is scapy (a python library) which can be used to forge different packets and test the capabilities of firewalls.
+PING 1.1.1.2 (1.1.1.2) from 2.2.2.3 : 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=16.0 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=12.9 ms
+[...]
+cisco_7200(config)#do sh ip access 102
+Extended IP access list 102
+permit ip any any tos max-reliability (4 matches)
+permit ip host 2.2.2.3 any (2 matches)
+deny ip any any (10 matches)
+# see above the 2 matches from those 2 icmp-requests
+</code>
+Both standard and extended ACLs filter traffic based on static entries from layer 3 headers (IPs, QoS etc.) and layer 4 (TCP SYN flag, TCP MPTCP option etc.). However, this type of filtering is not very reliable as this information can be bypassed by an attacker by simply modifying the packets. One such example is scapy (a python library) which can be used to forge different packets and test the capabilities of firewalls.
 . **Reflexive ACLs**:
-Used for inspecting and monitor session data. An entry in the ACL can be used to reflect
+Used for inspecting and monitor session data. An entry in the ACL can be used to reflect the traffic and create a second ACL, called reflexive IP access list. They are used to allow traffic based on them. Note that entries in them have a timeout value and are removed after it expires (dynamic entries in ACL).
-the traffic and create a second ACL, called reflexive IP access list. They are used to allow traffic based on them. Note that entries in them have a timeout value and are removed after it expires (dynamic entries in ACL).
-After sending some pings from client to 10.30.30.2 (gateway), new entries are created
+Router config for inspecting icmp traffic:
-for ICMP_OUT_CLIENT.
+<code>
+cisco_7200(config)#ip access-list extended ONLY_CLIENT1
+cisco_7200(config-ext-nacl)#10 permit icmp host 2.2.2.2 any reflect ICMP_OUT_CLIENT
+cisco_7200(config-ext-nacl)#exit
+cisco_7200(config)#ip access-list extended TO_CLIENT_LAN
+cisco_7200(config-ext-nacl)#10 evaluate ICMP_OUT_CLIENT
+cisco_7200(config-ext-nacl)#int e1/1
+cisco_7200(config-if)#ip access-group ONLY_CLIENT1 in
+cisco_7200(config-if)#ip access-group TO_CLIENT_LAN out
+</code>
-Exercise: do the same thing for DNS traffic. Verify by using nslookup or host on client
+Send some icmp echo-requests from client1, new entries are created for ICMP_OUT_CLIENT:
-machine the creation of reflexive ACL on the router.
+<code>
+cisco_7200(config-if)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+# from client1
+root@client1:~# ping -c 3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=43.7 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=20.6 ms
+bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=16.4 ms
+[...]
+# check dynamic acl created
+cisco_7200(config-if)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+     permit icmp host 1.1.1.2 host 2.2.2.2  (29 matches) (time left 247)
+</code>
 <note>
@@ Line 81: / Line 303: @@
 . **Temporary access control**:
-a. using time-range:
+a. using **time-range**:
-Standard, extended and reflexive ACLs can be configured to activate at a specific time
+Standard, extended and reflexive ACLs can be configured to activate at a specific time using time-range command in config mode. In the following example, the HTTP traffic is only allowed on weekdays between 12:00 and 20:00 (for example, in a company with 8 working
-using time-range command in config mode. In the following example, the HTTP traffic is only allowed on weekdays between 09:00 and 17:00 (for example, in a company with 8 working
+hours with that period of time).
-hours).
+<code>
+cisco_7200#sh clock
+*19:17:25.555 UTC Thu Oct 15 2020
+cisco_7200#conf t
+cisco_7200(config)#time-range PERIODIC
+cisco_7200(config-time-range)#periodic weekdays 12:00 to 20:00
+cisco_7200(config-time-range)#exit
+cisco_7200(config)#do sh time-range PERIODIC
+time-range entry: PERIODIC (active)
+   periodic weekdays 12:00 to 20:00
+</code>
-Rewrite the ACL ONLY_CLIENT (from above) to include time-range PERIODIC.
+(yes, the times may not be set fully correct in our case, but for the sake of our example, it does not matter)
-Send an icmp request from client to 10.30.30.2:
+Rewrite the ACL ONLY_CLIENT (from above) to include time-range PERIODIC:
+<code>
+# see that the reflexive ACL is null
+cisco_7200(config)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+cisco_7200(config)#ip access-list extended ONLY_CLIENT1
+cisco_7200(config-ext-nacl)#no 10
+cisco_7200(config-ext-nacl)#10 permit icmp host 2.2.2.2 any time-range PERIODIC reflect ICMP_OUT_CLIENT
+cisco_7200(config-ext-nacl)#do sh ip access ONLY_CLIENT1
+Extended IP access list ONLY_CLIENT1
+permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between ()
+# apply again ONLY_CLIENT1 to in and TO_CLIENT_LAN (that is evaluating ICMP_OUT_CLIENT) to out on e1/1
+</code>
-b. using lock-and-key:
+Send some ping from client1:
-The second method consists in creating a temporary ACL using lock-and-key feature
+<code>
-from Cisco, which is also known as dynamic ACL. It is activated automatically only when
+root@client1:~# ping 1.1.1.2
-the user is authenticated. The next example is using telnet on router
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
-CISCO_packet_filter.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=12.0 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=19.2 ms
+[...]
+# check the reflexive acl on the router
+cisco_7200(config-if)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+     permit icmp host 1.1.1.2 host 2.2.2.2  (7 matches) (time left 299)
+</code>
-This will create the credentials student:student (used for local login), add them for
+<note>
-logging to vty 0 and add a command that is executed automatically: enable the access for the host that is authenticated (the ip of it is retained).
+If the current time is out of range, then the acl entry is marked as **inactive**:
+<code>
+cisco_7200(config-if)#do sh ip access ONLY_CLIENT1
+Extended IP access list ONLY_CLIENT1
+permit icmp host 2.2.2.2 any time-range PERIODIC (inactive) reflect ICMP_OUT_CLIENT (15 matches)
+# see the time
+Router(config-if)#do sh clock
+*00:00:24.148 UTC Tue Oct 5 2021
+Router(config-if)#
+Router(config-if)#do sh time-range PERIODIC
+time-range entry: PERIODIC (inactive)
+   periodic weekdays 13:00 to 23:59
+   used in: IP ACL entry
+</code>
+</note>
+b. using **lock-and-key**:
+The second method consists in creating a temporary ACL using lock-and-key feature from Cisco, which is also known as dynamic ACL. It is activated automatically only when the user is authenticated. The next example is using telnet on router.
+<code>
+cisco_7200(config)#username student password student
+cisco_7200(config)#line vty 0
+cisco_7200(config-line)#login local
+cisco_7200(config-line)#autocommand access-enable host timeout 1
+</code>
+This will create the credentials **student:student** (used for local login), add them for logging to vty 0 and add a command that is executed automatically: enable the access for the host that is authenticated (the ip of it is retained).
 Next, create an inbound ACL for permitting ICMP and telnet connections.
+<code>
+cisco_7200(config)#ip access-list extended HOST_ONLY
+cisco_7200(config-ext-nacl)#10 dynamic HOST_ICMP permit icmp any any
+cisco_7200(config-ext-nacl)#15 permit tcp any any eq telnet
+cisco_7200(config-ext-nacl)#20 deny ip any any
+</code>
 Create also the outbound one.
+<code>
+cisco_7200(config)#ip access-list extended TO_LOCAL_LAN
+cisco_7200(config-ext-nacl)#10 dynamic HOST_ICMP_IN permit icmp any any
+cisco_7200(config-ext-nacl)#20 deny ip any any
+</code>
-Add the ACLs to interface e0/0.
+Add the ACLs to interface e1/1:
+<code>
+cisco_7200(config)#int e1/1
+cisco_7200(config-if)#ip access-group HOST_ONLY in
+cisco_7200(config-if)#ip access-group TO_LOCAL_LAN out
+</code>
 In the end try to ping (will fail firstly), connect and ping again.
+<code>
+root@client1:~# ping -c 3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+From 2.2.2.1 icmp_seq=1 Packet filtered
+From 2.2.2.1 icmp_seq=2 Packet filtered
+From 2.2.2.1 icmp_seq=3 Packet filtered
+[...]
+root@client1:~# telnet 2.2.2.1
+Trying 2.2.2.1...
+Connected to 2.2.2.1.
+Escape character is '^]'.
+User Access Verification
+Username: student
+Password: Connection closed by foreign host.
+root@client1:~# ping -c 3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=19.2 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=16.0 ms
+bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=13.1 ms
+[...]
+# on router
+Extended IP access list HOST_ONLY
+Dynamic HOST_ICMP permit icmp any any
+       permit icmp host 2.2.2.2 any (3 matches) (time left 40)
+permit tcp any any eq telnet (93 matches)
+deny ip any any (12 matches)
+# see how the denies before auth to router
+# also, the return traffic is let now as user is auth
+Extended IP access list TO_LOCAL_LAN
+Dynamic HOST_ICMP_IN permit icmp any any
+       permit icmp any host 2.2.2.2 (3 matches) (time left 39)
+</code>
+==== Exercises ====
+. **Reflexive ACLs** [5p]:
+Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server).
+You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions.
+. **Temporary access control** [5p]:
+Add another time-range (router time should be out of it - like 'outside working hours').
+Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above).
+Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT.
+Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely.

Remote setup

Eve-ng cloud setup

Local setup

SRED project 2023

Cookbooks:

Courses

See them on course page

sred/laborator_1._acl.1602537499.txt.gz · Last modified: 2020/10/13 00:18 by horia.stoenescu

Show page Old revisions

Media Manager Back to top