Silent Network--Dynamic access list

Source: Internet
Author: User


Dynamic access list

Dynamic ACLs, also known as lock-and-key ACLs, were introduced as an option in Cisco IOS in 1996. Dynamic ACLs support IP traffic only. A dynamic ACL relies on a Telnet connection: the user telnets to the router, the router validates the password, the Telnet session is then disconnected automatically, and a temporary ACL statement is generated dynamically. The temporary ACL statement disappears once no related traffic has passed through it for a period of time.

Dynamic access lists are an important feature enhancement over traditional access lists. As the name suggests, a dynamic access list is an access list that can create dynamic access list entries; traditional standard and extended access lists cannot. Once an entry has been added to a traditional access list, it remains in effect until it is manually deleted. With dynamic access lists, you can create specific, temporary access list entries based on a user authentication process.

Users are typically required to open a Telnet session to the router and provide a user name and password. The router can also be configured to require only a password and no user name, but this is not recommended. After the user is authenticated, the router closes the Telnet session and places a dynamic entry in the access list that permits traffic from the source address of the authenticated user's workstation. This lets you configure access lists on the security boundary so that only workstations whose users have been authenticated are allowed to send messages inward.

The benefits of this approach are obvious. With a traditional access list, if a user on the untrusted side of the router needs access to internal resources, a permanent hole must be opened in the access list to let messages from that user's workstation into the trusted network. Such permanent holes in the access list give hackers an opportunity to send messages across the security boundary and reach the internal network. Allowing only certain messages from trusted IP source addresses into the interior solves part of the problem. But what if the user does not have a static IP address? Then the method above does not work. For example, a user may dial in to the Internet through an Internet service provider (ISP). In general, a home user dialing in to an ISP gets a different IP address each time, so unless a big hole is opened on the security boundary, messages from these users cannot be let through, and if such a hole is opened, it gives hackers an opportunity. Using dynamic access lists in this case provides a higher level of security than a traditional IP access list.

As I said before, dynamic access lists are a new type of access list. That is true, but the syntax of a dynamic access list entry is very similar to the format of the traditional access list entries described in the previous chapters. The syntax for a dynamic access list entry is as follows:

access-list <number> dynamic <name> [timeout <minutes>] {permit|deny} <protocol> any <destination-ip> <destination-mask>

The first argument has the same format as a traditional extended access list: a number between 100 and 199. The second argument, <name>, is the string name of the dynamic access list entry. The [timeout] parameter is optional; if it is used, it specifies the absolute timeout of the dynamic entry. The <protocol> parameter can be any traditional TCP/IP protocol, such as ip, tcp, udp, icmp, and so on. The source IP address is always replaced with the IP address of the authenticating host, so the source address defined in the dynamic entry should always use the keyword any. The destination IP address and destination mask are the same as in the traditional extended access list format. For the destination IP address, the safest approach is to refer to a single subnet, or even a single host. Because only one dynamic entry can be specified per access list, the protocol is generally set to ip or tcp.

Example 1:

Define the dynamic ACL entries:

QM_IOSFW(config)#access-list 101 permit tcp any host 12.12.12.2 eq telnet

Allows any external address to telnet to the router.

QM_IOSFW(config)#access-list 101 dynamic DYACL permit ip any any

Template for the dynamically generated ACL entries.

Apply the autocommand under line vty:

QM_IOSFW(config)#line vty 0 4

QM_IOSFW(config-line)#login local (this can be combined with AAA or local authentication)

QM_IOSFW(config-line)#autocommand access-enable host timeout 5
(access-enable is a hidden command; type it in directly)

Apply the ACL on the interface (it must be applied, otherwise it does not take effect):

QM_IOSFW(config)#int f0/0

QM_IOSFW(config-if)#ip access-group 101 in

At this point, show ip access-lists shows the following entries under the ACL:

QM_IOSFW#show ip access-lists

Extended IP access list 101

10 permit tcp any host 12.12.12.2 eq telnet

Dynamic DYACL permit ip any any

With no dynamic entries present yet, let's look at the Telnet trigger from the outside:

QM_R1#telnet 12.12.12.2 /source-interface Loopback0

Trying 12.12.12.2 ... Open

User Access Verification

Username: cisco

Password:

[Connection to 12.12.12.2 closed by foreign host]

The Telnet connection is disconnected as soon as the Telnet login succeeds.

QM_IOSFW#show ip access-lists

Extended IP access list 101

10 permit tcp any host 12.12.12.2 eq telnet (matches)

Dynamic DYACL permit ip any any

permit ip host 1.1.1.1 any (5 matches) (time left 296)

A dynamic ACL entry has been generated on the gateway router.
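To make the behaviour of Example 1 concrete, the following Python model is an added illustration, not code from the original post and not IOS itself: the static line permits the Telnet trigger, a successful login installs a per-host entry with the authenticated source substituted for the template's any, and the entry disappears after the 5-minute idle timeout set by access-enable. The class and function names are assumptions, and the template_dst parameter goes slightly beyond the example by letting you narrow the destination to a subnet or host, as recommended above.

```python
# Added model of lock-and-key ACL evaluation (assumed names; not IOS code).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ROUTER = "12.12.12.2"      # IOSFW address that receives the Telnet trigger
IDLE_TIMEOUT = 5 * 60      # "autocommand access-enable host timeout 5" (minutes -> seconds)


@dataclass
class DynamicEntry:
    src: str                 # the authenticated host, substituted for the template's "any"
    last_hit: float          # idle timer, refreshed by every matching packet
    dst: str = "0.0.0.0/0"   # template destination; "any" in the page's example


@dataclass
class LockAndKeyAcl:
    """ACL 101: 10 permit tcp any host 12.12.12.2 eq telnet / dynamic DYACL permit ip any <dst>."""
    template_dst: str = "0.0.0.0/0"               # narrow this to a subnet or host, as advised above
    dynamic: dict = field(default_factory=dict)   # authenticated src -> DynamicEntry

    def access_enable(self, src: str, now: float) -> None:
        """What the autocommand does after a successful Telnet login."""
        self.dynamic[src] = DynamicEntry(src=src, last_hit=now, dst=self.template_dst)

    def expire(self, now: float) -> None:
        """Remove entries that have seen no traffic for longer than the idle timeout."""
        for src in [s for s, e in self.dynamic.items() if now - e.last_hit > IDLE_TIMEOUT]:
            del self.dynamic[src]

    def permits(self, src: str, dst: str, proto: str, dport: int, now: float) -> bool:
        """Evaluate one inbound packet on f0/0 against the ACL."""
        self.expire(now)
        # Static line 10: the Telnet trigger to the router is always reachable.
        if proto == "tcp" and dst == ROUTER and dport == 23:
            return True
        # Dynamic template: only a host that has authenticated has a matching entry.
        entry = self.dynamic.get(src)
        if entry is not None and ip_address(dst) in ip_network(entry.dst):
            entry.last_hit = now     # traffic through the entry keeps it alive
            return True
        return False                 # implicit deny at the end of the list
```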

This is the most basic dynamic ACL setup. The following sections describe some optimizations for dynamic ACLs:

Optimization One:

At this point, if the administrator needs to manage the IOSFW router remotely, every Telnet login is disconnected, because the Telnet session is shut down immediately after authentication; this prevents the administrator from managing the router via Telnet. The problem can be solved by using the rotary command on some of the vty ports.

QM_IOSFW(config)#line vty 5

QM_IOSFW(config-line)#login local

QM_IOSFW(config-line)#rotary 1 (use port number 3000+1 when telnetting)

Test:

R1#telnet 12.12.12.2 3001

Trying 12.12.12.2, 3001 ... Open

User Access Verification

Username:cisco

Password:

Qm_iosfw>

Note one: Sometimes a direct Telnet to port 3001 fails. In that case, telnet to port 23 first to create the dynamic ACL entry, then telnet to port 3001 for management.

Note two: After logging in and finishing debugging, exit the session as soon as possible. If the session is not exited and no traffic passes through the dynamic ACL for 5 minutes, the dynamic ACL entry disappears, and the administrator's Telnet session window will then hang on the line and cannot be exited.

Optimization Two:

A time-based ACL can be combined with this to better control external access to the IOSFW. For example, if the dynamic ACL should only be usable between 8 PM and midnight, combine it with a time-range:

QM_IOSFW(config)#time-range access

QM_IOSFW(config-time-range)#periodic daily 20:00 to 23:59

QM_IOSFW(config)#access-list 101 permit tcp any host 12.12.12.2 eq telnet time-range access

Now the Telnet trigger to the IOSFW can only be performed between 8:00 PM and midnight, which indirectly restricts the times at which the intranet can be accessed.

Optimization Three:

Combine AAA for user name and password management; this is omitted here. For AAA authentication, refer to the ACS configuration guide I wrote.

Optimization Four:

In global configuration mode, protect the IOSFW against Telnet login attempts from external users, which can prevent DoS attacks:

QM_IOSFW (config) #login block-for 1 attempts 3 within 10

Telnet logins are allowed only once per second, and after three failures you must wait 10 seconds before you can telnet again.

QM_IOSFW (config) #login on-failure log

Generates a log message on login failure.

QM_IOSFW (config) #login on-success log

Generates a log message on login success.
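As an added example (not from the original post), the following Python script runs the kind of check a monitoring pipeline would apply to the messages that login on-failure log and login on-success log emit: it flags a source that fails three times within 10 seconds, the same attempts/within thresholds as the login block-for command above, and it also flags a success from a source that was just flagged. The message format is an assumption modelled on IOS %SEC_LOGIN messages, and the sample lines are constructed.

```python
# Added detection example (assumed log format modelled on IOS %SEC_LOGIN messages).
import re
from collections import defaultdict, deque

# Fields we need from each message: time of day, event type, user name, source address.
LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d)\.\d+: %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\]"
)

# Constructed sample: a burst of guesses from 3.3.3.3 that ends in a success,
# a normal lock-and-key login from 1.1.1.1, and one stray failure.
SAMPLE_LOG = """\
*Mar  1 20:05:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 3.3.3.3] [localport: 23] [Reason: Login Authentication Failed] at 20:05:01 UTC Mon Mar 1 2004
*Mar  1 20:05:03.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 3.3.3.3] [localport: 23] [Reason: Login Authentication Failed] at 20:05:03 UTC Mon Mar 1 2004
*Mar  1 20:05:07.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 3.3.3.3] [localport: 23] [Reason: Login Authentication Failed] at 20:05:07 UTC Mon Mar 1 2004
*Mar  1 20:05:09.550: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 3.3.3.3] [localport: 23] at 20:05:09 UTC Mon Mar 1 2004
*Mar  1 20:30:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 1.1.1.1] [localport: 23] at 20:30:00 UTC Mon Mar 1 2004
*Mar  1 21:00:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 1.1.1.1] [localport: 23] [Reason: Login Authentication Failed] at 21:00:00 UTC Mon Mar 1 2004
"""


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def find_bursts(log: str, attempts: int = 3, within: int = 10) -> list:
    """Return (source, kind) alerts using the same attempts/within thresholds
    as "login block-for 1 attempts 3 within 10"."""
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    flagged = set()
    alerts = []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, now = m["src"], to_seconds(m["ts"])
        window = recent[src]
        if m["event"] == "LOGIN_FAILED":
            window.append(now)
            while now - window[0] > within:   # slide the window forward
                window.popleft()
            if len(window) >= attempts and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst"))
        elif src in flagged:                   # a guess that finally worked
            alerts.append((src, "success-after-burst"))
    return alerts
```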

This article is from the "11986439" blog; please contact the author before reproducing it.
