Show page

Differences

This shows you the differences between two versions of the page.

--- sred:laborator_1._acl [2020/10/22 16:25]
horia.stoenescu [Exercises using ACLs]
+++ sred:laborator_1._acl [2022/10/14 23:55] (current)
horia.stoenescu [Setup]
@@ Line 2: / Line 2: @@
 ==== Setup ====
-The topology consists of one Cisco router model 7200 with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and two Ubuntu machines which serves as client (L2) and server (L1).
-Eve-ng virtual machine should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//).
+=== Story ===
+In an imaginary scenario, our company is at the beginning and has few money to invest in infrastructure. We have a HQ with 1 Linux machine serving as the web server and 2 branches represented with 1 client per each one. The routing between them is done using a Cisco router and minimum filtering provided by ACLs.
+=== Local host prerequisites ===
+If you have a Windows/MacOS machine, you need to install on it [[https://www.realvnc.com/en/connect/download/viewer/windows/|vnc viewer]] to access the Linux/Firewall machines and [[https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html|putty]] for Cisco routers/switches.
+You can also check this client side pack from Eve-ng for [[https://www.eve-ng.net/index.php/download/#DL-WIN|Windows]] and [[https://www.eve-ng.net/index.php/download/#DL-OSX|MacOS]].
+For Linux OS, you can use Remmina or Remote Desktop Viewer (both should be already installed). Check this link also: [[https://remmina.org/how-to-install-remmina/|Remmina install]].
+=== Lab infra ===
+After starting the nodes, in order to access the machine you need
+The topology consists of one Cisco router model 7200 (with image name **c7200-adventerprisek9-mz.124-11.T1.image** - see this [[http://31.22.89.2/cisco-ios/7200/|link]] for other 7200 images) with one networking card module [[https://www.cisco.com/c/en/us/td/docs/interfaces_modules/port_adapters/install_upgrade/ethernet/pa-4e_10baset_install_config/pa_4e/3493over.html|PA-4E]] and 3 Ubuntu machines which serves as server and clients (client1 and client2).
+To simulate this, we are using an eve-ng virtual machine that should be already started for you with both binary image for Cisco router and iso for Ubuntu already added (for more, see the path ///opt/unetlab/addons/dynamips//).
+<note>
+For Cisco router node we are using idle value: 0x6149f77c (as this is the one has the highest count value). This way, we make sure that dynamips process is not in high cpu load.
+</note>
 You have to do the following:
-- add IPs for network between the server and the network equipment (use range 10.10.10.0/24)
+- add IPs for network between the server and the network equipment (use range 1.1.1.0/24)
-- add IPs for network between the client and the network equipment (use range 10.20.20.0/24)
+- add IPs for network between the clients and the network equipment (use ranges 2.2.2.0/24 and 3.3.3.0/24)
 First IP is allocated for router and the second one for Linux machine
 - add routes to make sure the endpoints can ping each other
-==== Exercises using ACLs ====
+<note tip>
+In case you want reminders for syntax, you might find the following links useful: [[https://ocw.cs.pub.ro/courses/sred/setup_lab#cisco_routers|Cisco]] and [[https://ocw.cs.pub.ro/courses/sred/setup_lab#linux_machines_ubuntuvm_kalivm_and_internetvm|Linux]]
+</note>
+**Topology**:
+{{:sred:lab1_topology.png?800|}}
+<note>
+Credentials webui eve-ng: user: **admin**; password: **eve**
+Credentials ubuntu machines: user: **eve**; password: **eve**
+No enable password is set for router!
+</note>
+==== Tutorial exercises using ACLs ====
 . **Standard ACL - basic filtering**:
@@ Line 76: / Line 109: @@
 </code>
-. **Filter non-DNS and non-HTTP traffic:**
+. **Filter traffic from client2:**
 <note important>
@@ Line 86: / Line 119: @@
 </code>
 </note>
+The server machine has a web server (**listens on port 8080**) with some CCNs and romanian SSNs (CNP) - note that they are all fake.
+<note>
+Module [[https://stackabuse.com/serving-files-with-pythons-simplehttpserver-module/|SimpleHTTPServer]] is used for simulating a web server with files to be accessed.
+The server is already running as in .bashrc there is created a new screen with this server:
+<code>
+pushd /home/eve/important_data; screen -d -m python -m SimpleHTTPServer 8080; popd
+</code>
+Try firstly locally to send a GET request to localserver:
+<code>
+eve@server:~$ sudo netstat -atupn | grep 8080
+tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2071/python
+eve@server:~$ curl localhost:8080
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
+<title>Directory listing for /</title>
+<body>
+<h2>Directory listing for /</h2>
+<hr>
+<ul>
+<li><a href="CCN">CCN</a>
+<li><a href="CNP">CNP</a>
+</ul>
+<hr>
+</body>
+</html>
+</code>
+If the server is not up, create a new terminal and start it using the command from above (in .bashrc).
+</note>
+This second scenario is based on client2 old behavior. During some period of time, we saw that he is not behaving as expected (he is constantly accessing hacking websites and learning how to create fake identities) and as we do not have currently a firewall in our network, we will use again ACLs to stop him from accessing our important data from HQ.
+To simulate another service (like a chat), we will use nc on server.
+From another terminal, start the nc process listening on port 4444.
+<code>
+eve@server:~$ nc -l 4444
+[...]
+</code>
 On this taks, you need write a new ACL (extended with value 101) with the following requirements:
-- allow DNS traffic to host 8.8.8.8 (test with nslookup or host)
+- deny traffic from client2 (with ip: 3.3.3.2) to server (with ip: 1.1.1.2) on port 8080
-- all HTTP traffic to host upb.ro (test with curl or wget). For upb.ro host use IP address 141.85.220.33
+- deny traffic from client2 to server on port 4444
-- deny any other type of traffic to host 8.8.8.8 and upb.ro
+- allow any other type of traffic
-Apply this to the client network and find the ip addess for upb.ro, test curl upb.ro and then try to ping upb.ro or 8.8.8.8. Do not forget to add on client the nameserver.
+Apply this to the client2 network and try to access from browser or cli the webserver and also to connect to chat:
+<code>
+root@client2:/home/eve/Desktop# nc 1.1.1.2 4444 # see how no response is seen here
+root@client2:/home/eve/Desktop# wget 1.1.1.2:8080
+--2020-10-22 17:26:22--  http://1.1.1.2:8080/
+Connecting to 1.1.1.2:8080... failed: No route to host.
+</code>
+Try also from the client1 side to be sure it still working:
+<code>
+root@client1:~# nc 1.1.1.2 4444
+test
+test2
+^C
+# and on the server side
+eve@server:~$ nc -l 4444
+test
+test2
+[...]
+root@client1:~# curl -I 1.1.1.2:8080
+HTTP/1.0 200 OK
+Server: SimpleHTTP/0.6 Python/2.7.17
+[...]
+</code>
 . **Filter based on QoS information on the IP header**:
@@ Line 101: / Line 198: @@
 <code>
-cisco_7200(config)#ip access-list extended 101
+cisco_7200(config)#ip access-list extended 102
 cisco_7200(config-ext-nacl)#permit ip any any tos 2
 cisco_7200(config-ext-nacl)#deny ip any any
 </code>
-Add extended ACL 101 to inbound direction on intf e0/0.
+Add extended ACL 102 to outbound direction on intf e1/0.
 <code>
-cisco_7200(config)#int e1/1
+cisco_7200(config)#int e1/0
-cisco_7200(config-if)#ip access-group 101 in
+cisco_7200(config-if)#ip access-group 102 out
 </code>
 Try to send an icmp-echo request to server.
-See that without adding the TOS value to ping command, the packets are filtered. Let’s try again with -Q flag added (try to look over ping [[https://linux.die.net/man/8/ping|manual]] also).
+See that without adding the TOS value to ping command, the packets are filtered. Let’s try again with -Q flag added (try to look over ping [[https://linux.die.net/man/8/ping|manual]] also):
-Look also over the access list from privileged exec mode:
 <code>
-cisco_7200#sh ip access-lists 101
+root@client2:/home/eve/Desktop# ping 1.1.1.2
-Extended IP access list 101
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
-permit ip any any tos max-reliability (2 matches)
+From 3.3.3.1 icmp_seq=1 Packet filtered
-deny ip any any (20 matches)
+From 3.3.3.1 icmp_seq=2 Packet filtered
+[...]
+root@client2:/home/eve/Desktop# ping 1.1.1.2 -Q 4
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=16.6 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=14.4 ms
+# check the same on client1
 </code>
@@ Line 130: / Line 232: @@
 explicitly defined as standard or extended. For easier debugging, there is also recommended to use only capitalized letters.
-For an ACL we can see how many times a rule was matched (for example, this can be
+For an ACL we can see how many times a rule was matched from privileged exec mode (for example, this can be
-used for collecting information about the behavior of users in a company).
+used for collecting information about the behavior of users in a company):
+<code>
+cisco_7200(config-if)#do sh ip access-lists 102
+Extended IP access list 102
+permit ip any any tos max-reliability (4 matches)
+deny ip any any (10 matches)
+</code>
-Another thing to note here are the line numbers (can be seen as priority values - the
+Another thing to note here are the line numbers - 10 and 20 in 102 ACL - (can be seen as priority values - the
-lowest value has the bigger priority) which are not incremented by default by one and instead there exists a gap for inserting new lines between them. In the case from above let’s say I want to introduce before ‘deny ip any any’ a new rule for permitting the source ip address 10.20.20.3.
+lowest value has the bigger priority) which are not incremented by default by one and instead there exists a gap for inserting new lines between them. In the case from above let’s say I want to introduce before ‘deny ip any any’ a new rule for permitting the source ip address 2.2.2.3:
+<code>
+cisco_7200(config)#ip access-list extended 102
+cisco_7200(config-ext-nacl)#15 permit ip host 2.2.2.3 any
-Both standard and extended ACLs filter traffic based on static entries from layer 3
+root@client1:~# ping -I 2.2.2.3 1.1.1.2
-headers (IPs, QoS etc.) and layer 4 (TCP SYN flag, TCP MPTCP option etc.). However, this type of filtering is not very reliable as this information can be bypassed by an attacker by simply modifying the packets. One such example is scapy (a python library) which can be used to forge different packets and test the capabilities of firewalls.
+PING 1.1.1.2 (1.1.1.2) from 2.2.2.3 : 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=16.0 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=12.9 ms
+[...]
+cisco_7200(config)#do sh ip access 102
+Extended IP access list 102
+permit ip any any tos max-reliability (4 matches)
+permit ip host 2.2.2.3 any (2 matches)
+deny ip any any (10 matches)
+# see above the 2 matches from those 2 icmp-requests
+</code>
+Both standard and extended ACLs filter traffic based on static entries from layer 3 headers (IPs, QoS etc.) and layer 4 (TCP SYN flag, TCP MPTCP option etc.). However, this type of filtering is not very reliable as this information can be bypassed by an attacker by simply modifying the packets. One such example is scapy (a python library) which can be used to forge different packets and test the capabilities of firewalls.
 . **Reflexive ACLs**:
-Used for inspecting and monitor session data. An entry in the ACL can be used to reflect
+Used for inspecting and monitor session data. An entry in the ACL can be used to reflect the traffic and create a second ACL, called reflexive IP access list. They are used to allow traffic based on them. Note that entries in them have a timeout value and are removed after it expires (dynamic entries in ACL).
-the traffic and create a second ACL, called reflexive IP access list. They are used to allow traffic based on them. Note that entries in them have a timeout value and are removed after it expires (dynamic entries in ACL).
-After sending some pings from client to 10.30.30.2 (gateway), new entries are created
+Router config for inspecting icmp traffic:
-for ICMP_OUT_CLIENT.
+<code>
+cisco_7200(config)#ip access-list extended ONLY_CLIENT1
+cisco_7200(config-ext-nacl)#10 permit icmp host 2.2.2.2 any reflect ICMP_OUT_CLIENT
+cisco_7200(config-ext-nacl)#exit
+cisco_7200(config)#ip access-list extended TO_CLIENT_LAN
+cisco_7200(config-ext-nacl)#10 evaluate ICMP_OUT_CLIENT
+cisco_7200(config-ext-nacl)#int e1/1
+cisco_7200(config-if)#ip access-group ONLY_CLIENT1 in
+cisco_7200(config-if)#ip access-group TO_CLIENT_LAN out
+</code>
-Exercise: do the same thing for DNS traffic. Verify by using nslookup or host on client
+Send some icmp echo-requests from client1, new entries are created for ICMP_OUT_CLIENT:
-machine the creation of reflexive ACL on the router.
+<code>
+cisco_7200(config-if)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+# from client1
+root@client1:~# ping -c 3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=43.7 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=20.6 ms
+bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=16.4 ms
+[...]
+# check dynamic acl created
+cisco_7200(config-if)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+     permit icmp host 1.1.1.2 host 2.2.2.2  (29 matches) (time left 247)
+</code>
 <note>
@@ Line 156: / Line 304: @@
 a. using **time-range**:
-Standard, extended and reflexive ACLs can be configured to activate at a specific time
+Standard, extended and reflexive ACLs can be configured to activate at a specific time using time-range command in config mode. In the following example, the HTTP traffic is only allowed on weekdays between 12:00 and 20:00 (for example, in a company with 8 working
-using time-range command in config mode. In the following example, the HTTP traffic is only allowed on weekdays between 09:00 and 17:00 (for example, in a company with 8 working
+hours with that period of time).
-hours).
+<code>
+cisco_7200#sh clock
+*19:17:25.555 UTC Thu Oct 15 2020
+cisco_7200#conf t
+cisco_7200(config)#time-range PERIODIC
+cisco_7200(config-time-range)#periodic weekdays 12:00 to 20:00
+cisco_7200(config-time-range)#exit
+cisco_7200(config)#do sh time-range PERIODIC
+time-range entry: PERIODIC (active)
+   periodic weekdays 12:00 to 20:00
+</code>
-Rewrite the ACL ONLY_CLIENT (from above) to include time-range PERIODIC.
+(yes, the times may not be set fully correct in our case, but for the sake of our example, it does not matter)
-Send an icmp request from client to 10.30.30.2:
+Rewrite the ACL ONLY_CLIENT (from above) to include time-range PERIODIC:
+<code>
+# see that the reflexive ACL is null
+cisco_7200(config)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+cisco_7200(config)#ip access-list extended ONLY_CLIENT1
+cisco_7200(config-ext-nacl)#no 10
+cisco_7200(config-ext-nacl)#10 permit icmp host 2.2.2.2 any time-range PERIODIC reflect ICMP_OUT_CLIENT
+cisco_7200(config-ext-nacl)#do sh ip access ONLY_CLIENT1
+Extended IP access list ONLY_CLIENT1
+permit icmp host 2.2.2.2 any time-range PERIODIC (active) reflect ICMP_OUT_CLIENT # see the active between ()
+# apply again ONLY_CLIENT1 to in and TO_CLIENT_LAN (that is evaluating ICMP_OUT_CLIENT) to out on e1/1
+</code>
+Send some ping from client1:
+<code>
+root@client1:~# ping 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=12.0 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=19.2 ms
+[...]
+# check the reflexive acl on the router
+cisco_7200(config-if)#do sh ip access ICMP_OUT_CLIENT
+Reflexive IP access list ICMP_OUT_CLIENT
+     permit icmp host 1.1.1.2 host 2.2.2.2  (7 matches) (time left 299)
+</code>
+<note>
+If the current time is out of range, then the acl entry is marked as **inactive**:
+<code>
+cisco_7200(config-if)#do sh ip access ONLY_CLIENT1
+Extended IP access list ONLY_CLIENT1
+permit icmp host 2.2.2.2 any time-range PERIODIC (inactive) reflect ICMP_OUT_CLIENT (15 matches)
+# see the time
+Router(config-if)#do sh clock
+*00:00:24.148 UTC Tue Oct 5 2021
+Router(config-if)#
+Router(config-if)#do sh time-range PERIODIC
+time-range entry: PERIODIC (inactive)
+   periodic weekdays 13:00 to 23:59
+   used in: IP ACL entry
+</code>
+</note>
 b. using **lock-and-key**:
-The second method consists in creating a temporary ACL using lock-and-key feature
+The second method consists in creating a temporary ACL using lock-and-key feature from Cisco, which is also known as dynamic ACL. It is activated automatically only when the user is authenticated. The next example is using telnet on router.
-from Cisco, which is also known as dynamic ACL. It is activated automatically only when
-the user is authenticated. The next example is using telnet on router
-CISCO_packet_filter.
-This will create the credentials student:student (used for local login), add them for
+<code>
-logging to vty 0 and add a command that is executed automatically: enable the access for the host that is authenticated (the ip of it is retained).
+cisco_7200(config)#username student password student
+cisco_7200(config)#line vty 0
+cisco_7200(config-line)#login local
+cisco_7200(config-line)#autocommand access-enable host timeout 1
+</code>
+This will create the credentials **student:student** (used for local login), add them for logging to vty 0 and add a command that is executed automatically: enable the access for the host that is authenticated (the ip of it is retained).
 Next, create an inbound ACL for permitting ICMP and telnet connections.
+<code>
+cisco_7200(config)#ip access-list extended HOST_ONLY
+cisco_7200(config-ext-nacl)#10 dynamic HOST_ICMP permit icmp any any
+cisco_7200(config-ext-nacl)#15 permit tcp any any eq telnet
+cisco_7200(config-ext-nacl)#20 deny ip any any
+</code>
 Create also the outbound one.
+<code>
+cisco_7200(config)#ip access-list extended TO_LOCAL_LAN
+cisco_7200(config-ext-nacl)#10 dynamic HOST_ICMP_IN permit icmp any any
+cisco_7200(config-ext-nacl)#20 deny ip any any
+</code>
-Add the ACLs to interface e0/0.
+Add the ACLs to interface e1/1:
+<code>
+cisco_7200(config)#int e1/1
+cisco_7200(config-if)#ip access-group HOST_ONLY in
+cisco_7200(config-if)#ip access-group TO_LOCAL_LAN out
+</code>
 In the end try to ping (will fail firstly), connect and ping again.
+<code>
+root@client1:~# ping -c 3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+From 2.2.2.1 icmp_seq=1 Packet filtered
+From 2.2.2.1 icmp_seq=2 Packet filtered
+From 2.2.2.1 icmp_seq=3 Packet filtered
+[...]
+root@client1:~# telnet 2.2.2.1
+Trying 2.2.2.1...
+Connected to 2.2.2.1.
+Escape character is '^]'.
+User Access Verification
+Username: student
+Password: Connection closed by foreign host.
+root@client1:~# ping -c 3 1.1.1.2
+PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
+bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=19.2 ms
+bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=16.0 ms
+bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=13.1 ms
+[...]
+# on router
+Extended IP access list HOST_ONLY
+Dynamic HOST_ICMP permit icmp any any
+       permit icmp host 2.2.2.2 any (3 matches) (time left 40)
+permit tcp any any eq telnet (93 matches)
+deny ip any any (12 matches)
+# see how the denies before auth to router
+# also, the return traffic is let now as user is auth
+Extended IP access list TO_LOCAL_LAN
+Dynamic HOST_ICMP_IN permit icmp any any
+       permit icmp any host 2.2.2.2 (3 matches) (time left 39)
+</code>
+==== Exercises ====
+. **Reflexive ACLs** [5p]:
+Do the same thing for HTTP traffic on port 8080. Permit traffic again from 2.2.2.2 to any (or 1.1.1.2) with reflect to a new RACL name. Send the GET request and check quickly the entries in the dynamic ACL as it will last for few secs (due to finished session client-server).
+You can add a new entry in ONLY_CLIENT1 extended acl or create 2 new ones for inbound and outbound directions.
+. **Temporary access control** [5p]:
+Add another time-range (router time should be out of it - like 'outside working hours').
+Send some icmp echo requests from client1 to server and check again the RACL ICMP_OUT_CLIENT - it should contain an entry that expires in 300 seconds (default value) or less with a number of matches (we have for example, 7 above).
+Remove entry 10 from ONLY_CLIENT1 and create a new one for 'outside working hours' time-range, ping to 1.1.1.2 with the same RACL ICMP_OUT_CLIENT.
+Send again icmp echo requests from client1, traffic should be filtered and also the match value should remain the same and after the timeout, the dynamic acl ICMP_OUT_CLIENT entry will disappear completely.

Remote setup

Eve-ng cloud setup

Local setup

SRED project 2023

Cookbooks:

Courses

See them on course page

sred/laborator_1._acl.1603373127.txt.gz · Last modified: 2020/10/22 16:25 by horia.stoenescu

Show page Old revisions

Media Manager Back to top