**************************** Material collected from the Internet, for exchange and reference only! **********************************
Concept:
1. The ESTABLISHED keyword provides a kind of "reflection" in an access list; it is similar to, but not the same as, a reflexive access list. Only after a TCP session has been initiated from the inside is the returning packet allowed through, and that packet must carry the port corresponding to the originating TCP connection and have a certain flag bit (ACK) set. In other words, it has limitations:
First, the session must be initiated from the inside towards the outside.
Second, it applies only to TCP sessions, not to UDP sessions.
Third, FTP changes the port number when the client and server establish the data session, so it is not applicable to FTP.
2. Reflexive access control lists
A reflexive access list (English name: Reflexive Access Lists) takes an access control list applied in one direction and automatically creates a reverse control list, that is, a list identical to the original except that the source and destination IP addresses are swapped and the source and destination port numbers are swapped. It also has a time limit: once the time expires, the newly created list disappears, which greatly increases security.
****************************************
[Reflexive ACL] Reflexive Access Control Lists
Reflexive Access Lists
1. A control problem we face
First, let's look at the following figure:
Image Attachment: outinnet.jpg
There is a requirement: internal machines must be allowed to access the outside, but external hosts must not be allowed to access the inside. Some people say this is simple and can be done with a single access control list configured on Serial1 as follows:
Router(config)# access-list 100 deny ip any any
Router(config-if)# ip access-group 100 in
The result is that the outside indeed cannot access the inside, but the packets returning for the traffic we sent out from the inside are dropped as well, so this approach is not feasible.
We can keep using our brains. We know that TCP uses a three-way handshake and that the TCP header contains flag bits; an extended access control list can match on these flags. By analysis, when an internal host initiates a connection to the outside, its packet has SYN = 1, while the external host's response packet has SYN = 1 and ACK = 1.
When an external host wants to initiate a connection to the inside, its first packet has only SYN = 1 and ACK = 0. Therefore, we can do this:
Router(config)# access-list 100 permit tcp any any ack
or
Router(config)# access-list 100 permit tcp any any established
and then apply it to the interface:
Router(config-if)# ip access-group 100 in
This method works, but what if the application is not TCP? What about UDP programs? Obviously this method cannot be used for them. Using a reflexive access list solves this problem effectively.
2. Reflexive access control lists
The English name is Reflexive Access Lists; the word Reflexive is translated as "self-reflecting". That is, based on an access control list in one direction, a reverse control list is created automatically. What kind of control list is created? One that is the same as the original control list except that the source and destination IP addresses are swapped and the source and destination port numbers are swapped. It also has a time limit: once the time expires, the newly created list disappears, which greatly increases security.
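As an added illustration (not part of the original post), the following Python model contrasts the stateless established check from section 1 with the stateful reflexive list described here: reflect mirrors each outbound flow into a reverse entry with swapped addresses and ports, and evaluate matches inbound packets against those entries and ages them out after the timeout. The addresses, ports and timestamps are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK bit; meaningless for UDP

def established_permits(pkt):
    """Stateless 'permit tcp any any established': TCP with ACK set passes."""
    return pkt.proto == "tcp" and pkt.ack

class ReflexiveList:
    """Stateful model: 'reflect' learns reverse entries, 'evaluate' checks them."""
    def __init__(self, timeout=300):  # IOS default reflexive timeout is 300 s
        self.timeout = timeout
        self.entries = {}             # mirrored 5-tuple -> expiry time
    def reflect(self, pkt, now):
        # Swap source and destination address and port of the outbound flow.
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout
    def evaluate(self, pkt, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}  # age out idle entries
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        self.entries[key] = now + self.timeout  # matching traffic refreshes the timer
        return True

def demo():
    """Constructed scenario: inside host 10.1.1.1 talks to outside host 3.3.3.3."""
    rl = ReflexiveList(timeout=300)
    rl.reflect(Packet("tcp", "10.1.1.1", 11003, "3.3.3.3", 23), now=0)    # outbound telnet
    rl.reflect(Packet("udp", "10.1.1.1", 40000, "3.3.3.3", 53), now=0)    # outbound DNS query
    back_tcp = Packet("tcp", "3.3.3.3", 23, "10.1.1.1", 11003, ack=True)
    back_udp = Packet("udp", "3.3.3.3", 53, "10.1.1.1", 40000)
    unsolicited = Packet("tcp", "3.3.3.3", 40000, "10.1.1.1", 23)         # outside opening telnet inward
    late_ack = Packet("tcp", "3.3.3.3", 23, "10.1.1.1", 11003, ack=True)  # ACK-flagged packet long after the session
    return {
        "established_tcp_return": established_permits(back_tcp),      # True
        "established_udp_return": established_permits(back_udp),      # False: UDP has no flags to check
        "established_late_ack": established_permits(late_ack),        # True: the ACK bit alone is trusted
        "reflexive_tcp_return": rl.evaluate(back_tcp, now=10),        # True
        "reflexive_udp_return": rl.evaluate(back_udp, now=10),        # True
        "reflexive_unsolicited": rl.evaluate(unsolicited, now=10),    # False: no outbound flow was seen
        "reflexive_late_ack": rl.evaluate(late_ack, now=1000),        # False: the entry has timed out
    }
```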
Case study:
The topology is as follows:
Image Attachment: 3router1.jpg
The requirements are as follows:
R1 imitates the Intranet, and R3 imitates the Internet. Now R1 is required to remotely log on to R3, but R3 is not allowed to initiate any connection to R1.
The initial configurations of the three routers are as follows:
R1# sh run
interface Serial0
 ip address 10.1.1.1 255.255.255.0
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
line vty 0 4
 password cisco
 login
R2# sh run
interface Serial0
 ip address 10.1.1.2 255.255.255.0
 clockrate 64000
interface Serial1
 ip address 192.168.1.1 255.255.255.0
 clockrate 64000
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
R3# sh run
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Ethernet0
 no ip address
 shutdown
interface Serial0
 no ip address
interface Serial1
 ip address 192.168.1.2 255.255.255.0
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
line vty 0 4
 password cisco
 login
Routing table on R1:
R1# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/129] via 10.1.1.2, 00:03:42, Serial0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Serial0
O    192.168.1.0/24 [110/128] via 10.1.1.2, 00:03:42, Serial0
Test:
R1# ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/62/68 ms
R1 #
R1 # telnet 3.3.3.3
Trying 3.3.3.3... Open
User Access Verification
Password:
R3>
Test on R3:
R3 # ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms
R3 # telnet 10.1.1.1
Trying 10.1.1.1... Open
User Access Verification
Password:
R1>
The routes are reachable and R1 can telnet to R3. But because there is no control in place, R3 can also access R1.
Solution 1:
Use an extended access control list to control the TCP flags.
Configure the following on R2:
interface Serial1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 clockrate 64000
access-list 100 permit tcp any any established  // match on the ACK bit
access-list 100 permit ospf any any  // keep the OSPF routing protocol working
Test on R1:
R1 # ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1 # telnet 3.3.3.3
Trying 3.3.3.3... Open
User Access Verification
Password:
R3>
At this point we find that the ping did not succeed. Why?
access-list 100 permit tcp any any established
access-list 100 permit ospf any any
The access control list does not permit the ICMP protocol, so the returning echo replies are dropped on R2. Telnet succeeds because the access control list permits TCP packets with ACK set.
Perform a test on R3:
R3 # ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3 # telnet 10.1.1.1
Trying 10.1.1.1...
% Destination unreachable; gateway or host down
R3 cannot access anything on R1. Why? The ping fails because we have blocked ICMP on R2. Telnet fails too: although we permit TCP packets, R3 is initiating a new connection to R1, and the first TCP packet of that connection has SYN = 1 and ACK = 0, while the keyword established in our access control list allows only packets with ACK = 1. The initial connection packet is therefore dropped, so this approach satisfies the test requirements.
Solution 2:
Use a reflexive access control list.
Configure the following on R2:
interface Serial0
 ip address 10.1.1.2 255.255.255.0
 ip access-group tcp-out in
 clockrate 64000
!
interface Serial1
 ip address 192.168.1.1 255.255.255.0
 ip access-group tcp-in in
 clockrate 64000
ip access-list extended tcp-in
 permit ospf any any
 evaluate telnet
ip access-list extended tcp-out
 permit ospf any any
 permit tcp any any reflect telnet
Note the following points:
1) A reflexive access control list can only be used together with a named extended access control list.
2) It cannot work on its own; it must live inside extended access control lists, and two access lists are involved:
One list creates the reflexive list, for example:
ip access-list extended tcp-out
 permit tcp any any reflect telnet
Note: the keyword reflect causes a reflexive list named telnet to be generated whenever a flow matching "tcp any any" passes. A list that is merely generated cannot be used on its own, because it is not applied to any interface.
The other list calls it:
ip access-list extended tcp-in
 evaluate telnet
The inbound access list uses the keyword evaluate to call the generated reflexive list telnet.
Test on R1:
R1> en
R1 # telnet 3.3.3.3
Trying 3.3.3.3... Open
User Access Verification
Password:
R3>
Let's take a look at R2:
R2# show access-lists
Extended IP access list tcp-in
    10 permit ospf any any (72 matches)
    20 evaluate telnet
Extended IP access list tcp-out
    20 permit ospf any any (72 matches)
    30 permit tcp any any reflect telnet
Reflexive IP access list telnet
     permit tcp host 3.3.3.3 eq telnet host 10.1.1.1 eq 11003 (26 matches) (time left 258)
A reflexive access control list entry has been generated with source port 23 (telnet) and destination port 11003, which is exactly the return traffic of the telnet session from R1.
Perform the following test on R3:
R3 # telnet 10.1.1.1
Trying 10.1.1.1...
% Destination unreachable; gateway or host down
Access fails. The source port of this connection is a random port number above 10000 and the destination port is 23; the access control list does not permit this flow, so the access fails. This satisfies our test requirements.
We can also control how long a reflexive list lives. Look at this reflexive entry again:
permit tcp host 3.3.3.3 eq telnet host 10.1.1.1 eq 11003 (26 matches) (time left 258)
"time left 258" means that if no further traffic is seen, this reflexive entry will be cleared from the cache after another 258 seconds. This undoubtedly increases security and reduces the possibility of IP spoofing.
You can modify the time as follows:
ip access-list extended tcp-out
 permit tcp any any reflect telnet timeout 600  // unit: seconds
Alternatively, a command in global configuration mode modifies the timeout value:
R2(config)# ip reflexive-list timeout 600
Either way the time becomes 10 minutes; the default value is 5 minutes.
Now there is a new requirement:
R2 must be able to telnet to R3, but R3 must not be able to access R2.
We configure the following on R2:
interface Serial1
 ip address 192.168.1.1 255.255.255.0
 ip access-group tcp-in in
 ip access-group tcp-out out
 clockrate 64000
ip access-list extended tcp-in
 permit ospf any any
 evaluate telnet
ip access-list extended tcp-out
 permit ospf any any
 permit tcp any any reflect telnet
First, let's test on R3:
R3 # telnet 192.168.1.1
Trying 192.168.1.1...
% Destination unreachable; gateway or host down
The result is satisfactory.
Let's test it on R2:
R2 # telnet 3.3.3.3
Trying 3.3.3.3...
% Connection timed out; remote host not responding
The result is not what we expected. Why?
Let's look at the access lists:
R2# show access-lists
Extended IP access list tcp-in
    10 permit ospf any any (230 matches)
    20 evaluate telnet
Extended IP access list tcp-out
    20 permit ospf any any (202 matches)
    30 permit tcp any any reflect telnet
Reflexive IP access list telnet
The reflexive list turns out to be empty! Why? The reason is a characteristic of access lists: an outbound access list does not check packets generated by the router itself. That is, the telnet traffic from R2 to R3 originates on R2, so it is never checked by the outbound access control list
ip access-list extended tcp-out
 permit ospf any any
 permit tcp any any reflect telnet
and naturally no reflexive list telnet is created.
There are two solutions:
One is through local policy routing (a route-map):
ip local policy route-map cisco
route-map cisco permit 10
 match ip address tcp-out
Test again on R2:
R2 # telnet 3.3.3.3
Trying 3.3.3.3... Open
User Access Verification
Password:
R3>
Access lists on R2:
// Note: do not type exit (ending the telnet session) after the preceding test; if you do, the remaining time of the reflexive list immediately drops to 6 seconds and the result is hard to observe. I telnet from R1 to R2 and observe from there.
R2# show access-lists
Extended IP access list tcp-in
    10 permit ospf any any (8 matches)
    20 evaluate telnet
Extended IP access list tcp-out
    10 permit ospf any any
    20 permit tcp any any reflect telnet
Reflexive IP access list telnet
     permit tcp host 3.3.3.3 eq telnet host 192.168.1.1 eq 11002 (time left 297)
Good, that works. Of course, we also have another method:
Configure this on R2:
ip access-list extended tcp-in
 permit ospf any any
 evaluate telnet
 permit tcp any eq telnet any ack  // ----- this command was added
ip access-list extended tcp-out
 permit ospf any any
 permit tcp any any reflect telnet
Test on R2:
R2 # telnet 3.3.3.3
Trying 3.3.3.3... Open
User Access Verification
Password:
R3>
The login succeeds, as we expected.
Test on R3:
R3 # telnet 192.168.1.1
Trying 192.168.1.1...
% Destination unreachable; gateway or host down
The results are what we need.
Summary:
A reflexive access control list analyzes the data flow at Layer 4 and is a control list generated on demand; when there is no more traffic, that is, when it is no longer needed, it disappears automatically, making it a more automated form of traffic control. To a certain extent it prevents IP address spoofing attacks and effectively protects users' networks from attackers, and it is most valuable for UDP traffic, where an extended access control list with established has no way to do this.