Chapter 5 : Lab 5.5.3 Developing ACLs to Implement Firewall Rule Set

Step 1: Cable and connect the network as shown in the topology diagram

NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you record the cable connections and TCP/IP settings so that these can be restored at the conclusion of the lab.

a. Connect and configure the devices in accordance with the given topology and configuration.

Routing will have to be configured across the serial links to establish data communications.

b. Configure Telnet access on each router.

c. Ping between Host1, Host2, and Production Server to confirm network connectivity.

Troubleshoot and establish connectivity if the pings or Telnet fail.

 

Step 2: Perform basic router configurations

a. Configure the network devices according to the following guidelines:

  • Configure the hostnames on each device.
  • Configure an EXEC mode password of class.
  • Configure a password of cisco for console connections.
  • Configure a password of cisco for vty connections.
  • Configure IP addresses on all devices.
  • Enable EIGRP on all routers and configure each to advertise all of the connected networks.
  • Verify full IP connectivity using the ping command.

b. Confirm Application Layer connectivity by telnetting to all routers.

Step 3: Create firewall rule set and access list statements

Using the security policy information for the FilmCompany remote access, create the firewall rules that must be implemented to enforce the policy. After the firewall rule is documented, create the access list statement that will implement the firewall rule. There may be more than one statement necessary to implement a rule.

Security Policy 1: Remote users must be able to access the Production Server to view their schedules over the web and to enter new orders.

Firewall Rule: Permit users on the 10.1.1.0/24 network access to the Production Server (172.17.1.1) on TCP port 80.

Access List statement(s): permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80

Access List placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be placed as close as possible to the source of the traffic).

For each of the following security policies:

a. Create a firewall rule.

b. Create an access list statement.

c. Determine the access list placement to implement the firewall rule.

Security Policy 2: Remote users must be able to FTP files to and from the Production Server.

Firewall Rule: Permit users on the 10.1.1.0/24 network access to the Production Server (172.17.1.1) on TCP ports 20 and 21.

Access List statement(s): permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 range 20 21, or two separate access-list statements, each permitting one of the ports.

Access List placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be placed as close as possible to the source of the traffic).

Security Policy 3: Remote users can use the Production Server to send and retrieve email using the IMAP and SMTP protocols.

Firewall Rule: Permit users on the 10.1.1.0/24 network access to the Production Server (172.17.1.1) on TCP ports 143 and 25.

Access List statement(s):

permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 25

permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 143

Access List placement: Inbound on router SR1 Fa0/1 (remember that extended ACLs should be placed as close as possible to the source of the traffic).

Security Policy 4: Remote users must not be able to access any other services available on the Production Server.

Firewall Rule: Deny all other IP traffic from users on the 10.1.1.0/24 network to the Production Server (172.17.1.1).

Access List statement(s): deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1

Access List placement: Inbound on router SR1 Fa0/1

Security Policy 5: No traffic is permitted from individual workstations at the main office to remote worker workstations. Any files that need to be transferred between the two sites must be stored on the Production Server and retrieved via FTP.

Firewall Rule: Deny all IP traffic from users on the 10.3.1.0/24 network to the 10.1.1.0/24 network.

Access List statement(s): deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Access List placement: Inbound on router BR4 Fa0/1

Security Policy 6: No traffic is permitted from workstations at the remote site to workstations at the main site.

Firewall Rule: Deny all IP traffic from users on the 10.1.1.0/24 network to the 10.3.1.0/24 network.

Access List statement(s): deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255

Access List placement: Inbound on router SR1 Fa0/1

Security Policy 7: No Telnet traffic is permitted from the remote site workstations to any devices, except their local switch.

Firewall Rule: Deny all TCP traffic from users on the 10.1.1.0/24 network to destination port 23.

Access List statement(s): deny tcp 10.1.1.0 0.0.0.255 any eq 23

Access List placement: Inbound on router SR1 Fa0/1

 

Step 4: Create Extended ACLs

a. Review the access list placement information that you created to implement each of the FilmCompany security policies. List all of the different access list placements that you noted above.

Inbound on router SR1 Fa0/1

Inbound on router BR4 Fa0/1

Based on the placement information, how many access lists do you have to create?

On Router SR1: 1

On Router Edge2: 0

On Router BR4: 1

b. Based on the access list statements you developed in Task 3, create each access list that is needed to implement the security policies. When creating access lists, remember the following principles:

  • Only one access list can be applied per protocol, per direction on each interface.
  • Access list statements are processed in order.
  • Once an access list is created and applied on an interface, all traffic that does not match any access list statement will be dropped.

c. Use a text file to create the access lists, or write them here. Evaluate each access list statement to ensure that it will filter traffic as intended.

Access list to be placed on SR1 Fa0/1 inbound:

permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80

permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 range 20 21

permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 25

permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 143

deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1

deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255

deny tcp 10.1.1.0 0.0.0.255 any eq 23

permit ip any any

Access list to be placed on BR4 Fa0/1 inbound:

deny ip 10.3.1.0 0.0.0.255 10.1.1.0 0.0.0.255

permit ip any any

Why is the order of access list statements so important?

To reduce the load on the router's processor and lower latency.
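To see the Step 4 principles (statements processed in order, unmatched traffic dropped) applied to the Step 4 access list, here is an added Python example; it is not part of the lab or of any Cisco material. It parses the SR1 Fa0/1 inbound statements exactly as written above, using the same wildcard-mask, host, any, eq and range syntax, and evaluates constructed test packets against them with first-match semantics and the implicit deny at the end. The Packet and Entry classes, the parse_acl and evaluate functions, the sample hosts 10.1.1.5 and 10.3.1.9, and 192.0.2.10 standing in for a host outside both sites are assumptions of the example, not values from the lab.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied verbatim from the Step 4 answer for SR1 Fa0/1 inbound.
SR1_FA0_1_IN = """
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 80
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 range 20 21
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 25
permit tcp 10.1.1.0 0.0.0.255 host 172.17.1.1 eq 143
deny ip 10.1.1.0 0.0.0.255 host 172.17.1.1
deny ip 10.1.1.0 0.0.0.255 10.3.1.0 0.0.0.255
deny tcp 10.1.1.0 0.0.0.255 any eq 23
permit ip any any
"""

@dataclass(frozen=True)
class Packet:
    """A constructed test packet (assumed names, not lab data)."""
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None # destination port for tcp/udp

@dataclass(frozen=True)
class Entry:
    """One access-list statement after parsing."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int                    # address as a 32-bit integer
    src_wc: int                 # Cisco wildcard: 1 bits are "don't care"
    dst: int
    dst_wc: int
    ports: Optional[range]      # None = any destination port
    text: str                   # original statement, for reporting

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    """Consume one source/destination spec; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _parse_ports(t, i):
    """Consume an optional 'eq N' or 'range A B' destination-port operator."""
    if i >= len(t):
        return None
    if t[i] == "eq":
        p = int(t[i + 1])
        return range(p, p + 1)
    if t[i] == "range":
        return range(int(t[i + 1]), int(t[i + 2]) + 1)
    raise ValueError(f"unsupported operator {t[i]!r}")

def parse_acl(text: str):
    """Parse permit/deny statements in the extended-ACL syntax used in the lab."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 3 or t[0] not in ("permit", "deny"):
            raise ValueError(f"bad statement: {line!r}")
        src, src_wc, i = _parse_addr(t, 2)
        dst, dst_wc, i = _parse_addr(t, i)
        entries.append(Entry(t[0], t[1], src, src_wc, dst, dst_wc,
                             _parse_ports(t, i), line.strip()))
    return entries

def _addr_match(addr: int, wc: int, ip: str) -> bool:
    must = 0xFFFFFFFF ^ wc      # wildcard 0 bits are the ones that must match
    return (_ip(ip) & must) == (addr & must)

def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_addr_match(e.src, e.src_wc, p.src) and _addr_match(e.dst, e.dst_wc, p.dst)):
        return False
    return e.ports is None or (p.dport is not None and p.dport in e.ports)

def evaluate(acl, p: Packet):
    """Router semantics: top-down, first match wins; no match = implicit deny."""
    for n, e in enumerate(acl, start=1):
        if matches(e, p):
            return e.action, n
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(SR1_FA0_1_IN)
    for p in (Packet("tcp", "10.1.1.5", "172.17.1.1", 80),    # Policy 1 -> permit, line 1
              Packet("tcp", "10.1.1.5", "172.17.1.1", 443),   # Policy 4 -> deny, line 5
              Packet("tcp", "10.1.1.5", "10.3.1.9", 80),      # Policy 6 -> deny, line 6
              Packet("tcp", "10.1.1.5", "192.0.2.10", 23),    # Policy 7 -> deny, line 7
              Packet("tcp", "10.1.1.5", "192.0.2.10", 80)):   # -> permit, line 8
        print(p, "->", evaluate(acl, p))
    # Same statements, the Policy 4 deny moved to the top: HTTP is now dropped at line 1.
    print(evaluate([acl[4]] + acl[:4] + acl[5:], Packet("tcp", "10.1.1.5", "172.17.1.1", 80)))
    # Without the final "permit ip any any", the implicit deny drops unmentioned traffic.
    print(evaluate(acl[:-1], Packet("tcp", "10.1.1.5", "192.0.2.10", 80)))
```

The two cases at the end are the ones worth checking in any ACL you write: moving the `deny ip ... host 172.17.1.1` statement above the four permits leaves every statement in place yet silently breaks Policies 1 to 3, because the first matching line decides and later lines are never consulted; and dropping the closing `permit ip any any` turns the list into "permit only what is listed", so anything the policies do not mention (here, web traffic to an outside host) is discarded by the implicit deny. Checking each statement's position against the packets it is meant to permit or deny, as Step 4c asks, is how these mistakes are caught before the list is applied to an interface.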
