Wednesday, September 30, 2009

How Many Types of ACLs are there in Cisco's Big IOS Security World....Continued

I thought I'd add some more IOS security features to my previous list... they might not be exact ACL features, but in some way they sometimes rely heavily on ACLs.

1. ACL using Group-Objects... YES... now we can use group objects to minimize the number of ACLs like we do on the ASA :-) isn't that cool enough... those old days are gone now. Thanks to some great programmers sitting out there at Cisco.

The ACL object-group feature came, I guess, in IOS 12.4(20)T. It allows you to configure two types of object group:

* Network Objects
* Service Objects

And guess what... one more surprise with this feature is that now we can use / notation with our IP addresses in a network object group, like 1.1.1.1/1... isn't that cool.

Anyways... I'll demonstrate this feature in my next post, and till then I'll try to find an IOS image for it.

2.) TCP Intercept - another cool IOS security feature

3.) uRPF - sometimes it also has to rely on ACLs, depending upon its configuration mode

4.) NBAR - cool QoS-based security feature

5.) CAR - of course it's not a four-wheeler CAR, but CAR is the acronym for Committed Access Rate and can be used as a security feature.

6.) IOS-based IPS

7.) 802.1x

8.) CoPP - Control Plane Policing

9.) Setting up privilege levels / menu-based access for users

10.) Setting up connection limits - defining the max number of TCP/UDP/ICMP packets from a single host within a defined time value, and the max number of half-open TCP sessions from anyone within a defined time value

I am sure there would be some other features as well, along with some protocol-specific features like RTBHF and sinkhole filtering... those are more or less CCIE Security topics anyways :-)

Happy Studying & Stay Tuned....

Best Regards,
Deepak Arora
CCIE#XXXXX...Oops that number is still missing

Cisco IOS Software Activation - E Training

http://www.cisco.com/cdc_content_elements/flash/ios/csa/csa_tutorial.htm

Best Regards,
Deepak Arora

Tuesday, September 29, 2009

How Many Types of ACLs are there in Cisco's Big IOS Security World

A few days back I asked a question of a very confident CCNA Security guy... actually he just came to me before taking the CCNA Security exam and asked me... hey, why don't you ask me something related to security, as I am feeling pretty confident that I know lots of security stuff now.

Hmmm... I said okay and just asked him the following question :-)

How many ACL and firewall features do we have in IOS related to router security?

He said... Standard ACL, Extended ACL, Named ACL, Reflexive ACL, CBAC & Zone Based Firewall.

Hmmm... his list looks interesting but still not complete... maybe it was not a true CCNA Security question, as I never took a look at its curriculum... Anyways... following is my list; see if I missed something... Feel free to drop me an email if you have something to add to this list.

1. Standard ACL
2. Extended ACL
3. Named ACL
4. TCP Established ACL / Reflexive ACL
5. Turbo ACL
6. CBAC
7. Zone Based Firewall
8. Time Based ACL
9. Dynamic ACL / Lock & Key ACL
10. Flexible Packet Matching ACL
11. ACL to prevent fragmented IP packets from reaching your application ports

Holy Cow...Did you ever think about that :-(

I must say even I still need to dig into which one takes precedence over the other when multiple types are configured together.

Some more ACL stuff in the coming days, along with the solution to my last ACL post...

Happy Studying...

Best Regards,
Deepak Arora
CCIE# XXXXX...Oops that number is still missing :-)

Friday, September 25, 2009

Filtering ALL Even Subnets With Single ACL

These days I am quite busy with my job schedule, which is keeping me away from studies & the blog.

Anyways... today let's play around with some ACLs. I know many people who think that they know ACL stuff very well. But actually that's not the case, especially if they are given a task like the one I show in the diagram here. The challenge here is the following:

R2 has got plenty of networks to advertise using EIGRP to R1. The administrator of R1 wants that only odd network subnets of R2, like 192.168.1.0/24, 192.168.3.0/24 etc., should be able to reach the LAN segment of R1, and all even subnets should not be able to do that. And for that you are only allowed to use a single ACL entry... but also don't use group objects (if you really know what they are :-) )

So good luck to all of you *R1 admins* :-) I will post the solution and some more ACL details soon.
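To see why a single entry can do this at all, it helps to remember what an ACE actually compares: every address bit where the wildcard mask is 0 must equal the base address, and every bit where it is 1 is ignored. The Python below is an added example for this post, not the author's solution or any Cisco code. It emulates only that source-address comparison (no protocol, ports, destination or the implicit deny), and it assumes R2's subnets are 192.168.X.0/24 for X = 0..255, as the post's examples suggest; the candidate ACEs and the "R1 LAN" destination are constructed placeholders. It is general: any base/wildcard pair can be plugged in to see which subnets it would catch.

```python
import ipaddress


def wildcard_matches(address, base, wildcard):
    """Emulate how an IOS ACE compares a packet address against
    'base wildcard': every bit where the wildcard is 0 must equal the
    base; every bit where the wildcard is 1 is ignored (IPv4 only)."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # the bits the ACE actually checks
    return (a ^ b) & care == 0


def matched_third_octets(base, wildcard):
    """Return every X for which a source in 192.168.X.0/24 matches the
    ACE 'base wildcard' (one sample host per /24, X = 0..255)."""
    return [x for x in range(256)
            if wildcard_matches(f"192.168.{x}.0", base, wildcard)]


def describe(base, wildcard):
    """Human-readable summary of which of the 256 sample subnets match."""
    hits = matched_third_octets(base, wildcard)
    return (f"{base} {wildcard}: {len(hits)} of 256 subnets match, "
            f"first few {hits[:5]}")


# Constructed candidate source fields for the puzzle (the destination,
# R1's LAN, is whatever the ACE names; it does not affect the source match):
NAIVE = ("192.168.0.0", "0.0.255.255")      # plain /16 wildcard: every subnet
ODD_ONLY = ("192.168.1.0", "0.0.254.255")   # 254 = 0b11111110: only the low bit
                                            # of the third octet is checked, and
                                            # base bit = 1 pins it to odd subnets
EVEN_ONLY = ("192.168.0.0", "0.0.254.255")  # same mask, base bit = 0: even subnets

if __name__ == "__main__":
    for ace in (NAIVE, ODD_ONLY, EVEN_ONLY):
        print(describe(*ace))
```

The same trick works for any bit pattern, not just odd/even: zero out exactly the bits you care about in the wildcard and set them to the wanted value in the base. Whether a permit for odd subnets or a deny for even ones is the right single line depends on what the rest of the ACL (and its implicit deny) is expected to do, which is part of the puzzle.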

Happy Studying...

Regards,
Deepak Arora

Some More gr8 Video Tutorials By INE

http://classroom.internetworkexpert.com/ccna1_1/

http://classroom.internetworkexpert.com/p74646894/

http://classroom.internetworkexpert.com/p30707699/

http://classroom.internetworkexpert.com/vtunk/

http://classroom.internetworkexpert.com/p35024723/


Thanks!
Deepak Arora