Access Control List

1. Overview

An ACL (Access Control List) is a list of statements applied to the interfaces of a router. The list tells the router which packets to accept and which to drop. The decision can be based on the source address, the destination address or the port number. An ACL serves two main purposes: classification and filtering.

1.1. Classification

Routers also use ACLs to identify specific traffic flows. Once an ACL has identified and classified traffic, the router can be configured to detect intrusions based on it.

1.2. Filtering

As the number of router connections to outside networks and the use of the Internet keep growing, administrators constantly face the dilemma of blocking unwanted traffic while still allowing legitimate access.

2. How an ACL works

An ACL is applied to an interface in one of two directions:

2.1. Inbound ACL

Incoming packets are checked before the router makes its routing decision. An inbound ACL is more efficient, because it saves the routing lookup for packets that the filter is going to drop anyway. If a packet is permitted, it goes on to be routed.

2.2. Outbound ACL

Incoming packets are first routed to the outgoing interface and are then checked by the ACL applied outbound on that interface.

Processing with an outbound ACL: when a packet arrives on an interface, the router first looks up the routing table; if there is no route for the packet, it is discarded. Next the router checks whether the outgoing interface has an outbound ACL. If it has none, the packet is forwarded; otherwise the packet is tested against that ACL before it may leave.

Processing with an inbound ACL: when a packet arrives on an interface, the router first checks whether an ACL is applied inbound on that interface and tests the packet against it. Only if the packet is permitted does the router look up the routing table; if there is no route for it, the packet is discarded.

An ACL is evaluated from the top down, one statement at a time. If the packet header matches a statement, the packet is permitted or denied according to that statement and processing stops; no later statement is consulted. Otherwise the router moves on to the next statement until the end of the list is reached. Every ACL ends with an implicit "deny any", so a packet that matches no statement is dropped. The order of statements therefore matters, and a list that contains only deny statements blocks all traffic on that interface.

3. Types of ACL

3.1. Standard ACL

A standard ACL checks only the source address of packets to be routed. The result permits or denies the whole protocol suite based on the source network or the source IP addresses.

3.2. Extended ACL

An extended ACL is similar to a standard ACL, but it checks both the source and the destination (and, for TCP and UDP, the port numbers), which gives the administrator much more flexible control. Beyond these two, there are further kinds of ACL:

3.3. Dynamic ACL

A dynamic ACL depends on a Telnet connection, on authentication and on an extended ACL. A lock-and-key configuration starts with an extended ACL that blocks traffic through the router. Users who want to pass through the router remain blocked by the extended ACL until they connect to the router with Telnet and authenticate. The Telnet session is then closed and a single dynamic entry is added to the extended ACL; this permits the user's traffic for a limited time. Use a dynamic ACL when a remote user or group should be able to reach a host on the internal network over the Internet. Lock-and-key authenticates the user and allows limited access through the firewall router.

Some security benefits of dynamic ACLs:

- strong mechanisms for authenticating individual users;
- simpler management in large networks;
- in many cases, far less router processing for the ACL;
- reduced risk of attacks on the network by hackers.

3.4. Reflexive ACL

A reflexive ACL allows IP packets to be filtered on upper-layer information such as TCP port numbers. It is typically used to allow traffic from the inside out and to restrict traffic from the outside in to the replies of sessions originated from the network behind the router. A reflexive ACL contains only temporary entries. These entries are created automatically when a new IP session starts, and they disappear when the session ends or its idle timeout expires. A reflexive ACL provides a more precise form of filtering than a plain extended ACL and also makes address spoofing harder, because all of the filter's criteria (addresses, protocol and ports, mirrored from the outbound packet) must match before a packet is let through.

3.5. Time-Based ACL

A time-based ACL works like an extended ACL, but it allows access control to depend on the time of day. To set this up, create a time range and reference it from the ACL entry to restrict when access is permitted.

Benefits of time-based ACLs:

- more control than simply permitting or denying a user's access to a resource;
- security policies can be defined per time of day;
- routing and policy decisions are strengthened;
- the administrator can control logging: ACL entries can log traffic at a particular time of day rather than continuously, so access can simply be denied without having to analyse the events logged during peak hours.
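The top-down, first-match evaluation with the implicit deny described in section 2, and the temporary mirrored entries of a reflexive ACL described in 3.4, can be seen in a small simulator. The following Python is an added example written for this page; it is not code from the document or from Cisco IOS. It parses a subset of IOS extended access-list syntax (any, host, wildcard masks, eq, reflect, evaluate) and uses the addresses of the lab later in the document; the Packet/Entry/Router API and the 300-second idle timeout default are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: simulates how a Cisco-style extended ACL is evaluated.
# Address specs are (network as int, wildcard mask as int); a 1 bit in the
# wildcard means "don't care", as in IOS.


@dataclass(frozen=True)
class Packet:
    proto: str  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str  # "permit", "deny" or "evaluate"
    proto: str = "ip"  # "ip" matches every protocol
    src: tuple = (0, 0xFFFFFFFF)
    dst: tuple = (0, 0xFFFFFFFF)
    sport: Optional[int] = None  # only set on mirrored (reflexive) entries
    dport: Optional[int] = None
    reflect: Optional[str] = None  # reflexive list that receives a mirrored entry
    evaluate: Optional[str] = None  # reflexive list consulted at this position


def _addr(tok, i):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from tok[i:]
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one line of an 'ip access-list extended' body (subset of IOS syntax)."""
    tok = line.split()
    if tok[0] == "evaluate":
        return Entry(action="evaluate", evaluate=tok[1])
    e = Entry(action=tok[0], proto=tok[1])
    e.src, i = _addr(tok, 2)
    e.dst, i = _addr(tok, i)
    while i < len(tok):  # optional trailing 'eq <port>' and 'reflect <name>'
        if tok[i] == "eq":
            e.dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "reflect":
            e.reflect, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return e


def _addr_match(spec, ip: str) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # the bits the ACL actually compares
    return int(ipaddress.IPv4Address(ip)) & care == net & care


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport))


class Router:
    REFLEX_TIMEOUT = 300  # assumed IOS default idle timeout for reflexive entries, seconds

    def __init__(self):
        self.acls = {}       # name -> [Entry, ...]
        self.reflexive = {}  # name -> [[Entry, expires_at], ...], the temporary entries

    def define(self, name: str, lines) -> None:
        self.acls[name] = [parse_entry(l) for l in lines]

    def _mirror(self, name: str, p: Packet, now: float) -> None:
        """Create the temporary entry that permits the reverse direction of p."""
        ports = p.proto in ("tcp", "udp")
        mirrored = Entry("permit", p.proto,
                         (int(ipaddress.IPv4Address(p.dst)), 0),
                         (int(ipaddress.IPv4Address(p.src)), 0),
                         sport=p.dport if ports else None, dport=p.sport if ports else None)
        self.reflexive.setdefault(name, []).append([mirrored, now + self.REFLEX_TIMEOUT])

    def check(self, acl: str, p: Packet, now: float = 0.0) -> str:
        """Return 'permit' or 'deny' for packet p against ACL acl at time now."""
        for e in self.acls[acl]:
            if e.action == "evaluate":
                live = [t for t in self.reflexive.get(e.evaluate, []) if t[1] > now]
                self.reflexive[e.evaluate] = live  # expired entries are dropped
                for t in live:
                    if matches(t[0], p):
                        t[1] = now + self.REFLEX_TIMEOUT  # matching traffic refreshes the timer
                        return "permit"
                continue  # no temporary entry matched: keep walking the static entries
            if matches(e, p):
                if e.action == "permit" and e.reflect:
                    self._mirror(e.reflect, p, now)
                return e.action  # first match decides; later entries are never consulted
        return "deny"  # implicit "deny any" at the end of every ACL


def lab_router() -> Router:
    """The reflexive-ACL lab of this document, with the port-80 line in valid IOS order."""
    r = Router()
    r.define("inboundfilters", ["permit icmp any any reflect icmptraffic",
                                "permit tcp any host 172.16.1.2 eq 80 reflect icmptraffic"])
    r.define("outboundfilters", ["evaluate icmptraffic"])
    return r
```

To exercise it, build `lab_router()`, run the Client's outbound ping through `check("inboundfilters", ...)` and then the reply through `check("outboundfilters", ...)`: the reply is permitted only while the mirrored entry exists, a packet to another internal host or to a different port is dropped by the implicit deny, and once `now` passes the idle timeout the same reply is denied again. A packet that matches no static entry never creates a mirrored entry, which is what keeps connections initiated from outside out.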

NETWORK MODEL FOR DEPLOYING AND TESTING ACLs

1. Deployment network model

(The topology diagram is not reproduced in the text. The addresses used below are: Firewall interface F0/0 172.16.2.1/24 (internal) and interface F0/1 192.168.1.1 (external); Client 172.16.2.2; Web server 172.16.1.2; Internet host 192.168.1.2.)

2. Deployment

a. General configuration

Dynamips is used to build the network model. Configure the interfaces and IP addresses as shown in the figure; the "Internet" machine is a virtual network adapter used as a host outside the network that accesses the internal network for testing.

Because this is only a small model for testing the features and behaviour of ACLs, the topology is simplified: instead of configuring NAT for the internal addresses, the default gateway of the Internet machine is pointed at the Firewall's address.

- Configure the default gateway of the Client and Web machines to point to the Firewall.

b. Access-list configuration

i. Reflexive ACL

First configure a reflexive ACL on the internal interface of the firewall. The purpose of this policy is to filter and track packets going from the internal network out, and to block connections initiated from outside in, while still letting outside users reach the company web server.

Configuration commands:

    ip access-list extended inboundfilters
     permit icmp any any reflect icmptraffic
    ip access-list extended outboundfilters
     evaluate icmptraffic
    !
    interface FastEthernet0/0
     ip address 172.16.2.1 255.255.255.0
     ip access-group inboundfilters in
     ip access-group outboundfilters out

Line by line: create the extended ACL inboundfilters, which permits ICMP from any address and records every permitted packet as a mirrored entry in the reflexive list icmptraffic; create the extended ACL outboundfilters, which evaluates icmptraffic, that is, compares packets with the temporary entries; then apply both ACLs to the interface under test. inboundfilters is applied in the inbound direction, which on F0/0 means traffic from the internal network entering the router (inside to outside); outboundfilters is applied in the outbound direction, traffic leaving the router towards the internal network (outside to inside). Note that IOS access-list names are case-sensitive, so the reflexive list must be spelled identically in the reflect and evaluate statements (the original lab used Icmptraffic in one place and icmptraffic in the other).

After configuring the ACLs, use show ip access-lists to verify that the setup is complete. At first, before the internal Client has pinged outside, the output shows only the extended ACLs configured above; no temporary entries appear yet (area 1 in the screenshot). Then let the Client ping a host on the Internet and run show ip access-lists again: a reflexive ACL named icmptraffic now appears (area 2):

    Reflexive IP access list icmptraffic
         permit icmp host 192.168.1.2 host 172.16.2.2 (7 matches) (time left 297)

This command lets us watch the ping being allowed from inside to outside: here the Client (172.16.2.2) pinged the Internet host (192.168.1.2), and the temporary entry is the mirror image of the outbound packet, permitting only ICMP from 192.168.1.2 back to 172.16.2.2. "7 matches" is the number of packets that have matched this temporary entry so far, and "time left 297" is the remaining idle time in seconds before the entry is removed (the default timeout is 300 seconds, refreshed by each matching packet). As a further check, give the Client a different IP address and ping outside again; the access list then shows an entry for the new address, which confirms how the reflexive access list works and that it lets us monitor the internal hosts' access (area 3).

The outside host cannot ping the Client, but it can still ping and browse the company web server as before. This is because the policy is applied only on the internal interface F0/0: it blocks traffic from outside into the internal LAN, while the web server, which sits on a different network (172.16.1.2), remains reachable.

One thing the configuration above does not cover is web access by the internal hosts: inboundfilters permits only ICMP, so the implicit deny at its end drops the Client's TCP traffic. We therefore add a TCP entry to inboundfilters as well:

    ip access-list extended inboundfilters
     permit tcp any host 172.16.1.2 eq 80 reflect icmptraffic

In IOS the port qualifier eq 80 must come before the reflect keyword. The reflexive list name may be shared with the ICMP entry, because one reflexive list can hold entries for several protocols. With this entry the internal hosts can reach the web server on port 80, and the evaluate statement already present in outboundfilters lets the server's replies back in.

ii. Dynamic ACL

With the model above, an administrator who wants to enter the system from outside will certainly be stopped by the ACL, which reduces the flexibility of administering the system. We therefore set up a dynamic ACL so that the administrator can telnet in to open a private path and then connect to the system with remote desktop.

a. First create an account that is allowed to telnet in. The autocommand runs access-enable automatically after login, which is what inserts the temporary entry:

    username test password test
    username test autocommand access-enable timeout 5
    line vty 0 4
     login local

Then define a separate dynamic ACL to test the blocking and allowing of telnet from outside:

    access-list 101 dynamic testtelnet timeout 120 permit ip any any
    access-list 101 permit tcp any any eq 23
    access-list 101 deny icmp any any

For the test below to behave as described, this list must be applied inbound on the external interface (ip access-group 101 in on F0/1). Before anyone authenticates, only Telnet to the router is permitted; ICMP is denied explicitly and everything else by the implicit deny. The dynamic entry has an absolute timeout of 120 minutes, and the idle timeout of 5 minutes comes from access-enable. Two caveats a practitioner should note: without the host keyword (access-enable host timeout 5) the temporary entry keeps the template's source of "any", so once one user has authenticated any outside address can use the opening; and Telnet carries the username and password across the Internet in cleartext.

After entering these commands, show ip access-list displays the ACLs we configured. Next, ping from the Internet host into the internal network: the reply is "Destination host unreachable", showing that the packet is dropped at the firewall. Then telnet from the Internet host to 192.168.1.1 (the firewall's external interface) and log in with the username and password created above. Right after login the message "Connection to host lost" appears.

Although the message says the connection to the host was lost, this is the lock-and-key mechanism at work: a successful Telnet login gives us the key that opens the door, that is, the path from our machine to the system is opened, and we can now ping into the system or use remote desktop.

b. Combining a dynamic ACL with the reflexive ACL

Using the reflexive ACL commands from the lab above, configure as follows (the username and vty configuration from the previous section is still required):

    ip access-list extended inboundfilters
     permit icmp any any reflect icmptraffic
    ip access-list extended outboundfilters
     dynamic kethop permit icmp any any
     permit tcp any host 192.168.1.1 eq 23
     evaluate icmptraffic

This is the same reflexive configuration as before, with two lines added to outboundfilters: the dynamic entry and the permit for Telnet. What matters here is that the configuration keeps the web server reachable and blocks unknown addresses from outside, while still letting the administrator telnet into the system. In the reflexive ACL section both inboundfilters and outboundfilters were applied on the single interface F0/0 (internal) of the router. In this case they are applied as follows:

On F0/0 (internal), apply inboundfilters in the inbound direction (ip access-group inboundfilters in), so that it records the sessions opened from inside. On F0/1 (external), apply outboundfilters in the inbound direction (ip access-group outboundfilters in), so that from outside it admits only Telnet to the firewall, the replies to sessions opened from inside (evaluate icmptraffic) and, once an administrator has authenticated, the traffic permitted by the dynamic entry. After building this, testing proceeds as in the dynamic ACL section: first a ping from the Internet into the system returns "Destination host unreachable"; then a telnet to the router's external interface succeeds, and the path from our machine to the router is open.