An ACL (access-list) can allow clients to reach a particular server for a specific service. As the number of servers grows, the number of lines in the ACL grows with it.
Let's see how to implement security policies with access-lists and how object grouping simplifies them (by default, firewall ACLs are extended). First, let's look at the structure of an ACL on the PIX Firewall.
MYPIX(config)# access-list 1 permit ?
configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  A.B.C.D       Hostname or A.B.C.D (match based on destination network address)
  ah
  any           Abbreviation for an address and mask of 0.0.0.0 0.0.0.0
  eigrp
  esp
  gre
  host          Use this keyword to configure destination host
  icmp
  icmp6
  igmp
  igrp
  ip
  ipinip
  ipsec
  nos
  object-group  Specify a service or protocol object-group after this keyword
  ospf
  pcp
  pim
  pptp
  snp
  tcp
  udp

MYPIX(config)# access-list 1 permit tcp ?
configure mode commands/options:
  A.B.C.D       Hostname or A.B.C.D, source IP address
  any           Abbreviation for source address and mask of 0.0.0.0 0.0.0.0
  host          Use this keyword to configure source host
  interface     Use interface address as source address
  object-group  Network object-group for source address

MYPIX(config)# access-list 1 permit tcp any ?
configure mode commands/options:
  A.B.C.D       Hostname or A.B.C.D, destination IP address
  any           Abbreviation for destination address and mask of 0.0.0.0 0.0.0.0
  eq            Port equal to operator
  gt            Port greater than operator
  host          Use this keyword to configure destination host
  interface     Use interface address as destination address
  lt            Port less than operator
  neq           Port not equal to operator
  object-group  Optional service object-group name for source port or network object-group for destination address
  range         Port range operator

MYPIX(config)# access-list 1 permit tcp any any ?
configure mode commands/options:
  eq            Port equal to operator
  gt            Port greater than operator
  inactive      Keyword for disabling an ACL element
  log           Keyword for enabling log option on this ACL element
  lt            Port less than operator
  neq           Port not equal to operator
  object-group  Optional service object-group for destination port
  range         Port range operator
  time-range    Keyword for attaching time-range option to this ACL element

Note where object-group appears: in the address positions it takes a network object-group, in the port positions a service object-group. The group type must match the position it is used in.
With object grouping we group objects of a similar type, so that a single ACL entry can apply to every object in the group.
The following types of object group exist:
icmp-type: a group of ICMP message types, such as echo.
network: a group of host or subnet IP addresses; used to group client hosts, servers or subnets.
protocol: a group of protocols, such as TCP; it can contain the keywords icmp, ip, tcp or udp, or a value between 1 and 254 representing an IP protocol number.
service: a group of TCP/UDP ports; used to group the port numbers assigned to different services.
Let's work through an example of how to use object groups.
First we configure a plain access-list, then we show how the same policy looks with object groups.
Connections from a low-security interface (outside, security level 0) to a high-security interface (inside) are denied unless the configuration explicitly permits them. An access list is bound to an interface with access-group and is evaluated the same way whether the flow is outbound (high-to-low security) or inbound (low-to-high security); the difference is that traffic from a higher security level to a lower one is permitted by default, so an ACL is only required to allow low-to-high traffic (or to restrict high-to-low traffic). Protocol inspection in the global_policy policy-map does not permit anything by itself; it lets the firewall track the secondary connections of the inspected protocols (for example the FTP data channel), so those do not need their own ACL entries once the control connection is allowed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect rsh
  inspect rtsp
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
OK, that is working. Let's clear the access list and simplify this example using object groups.
Now say we are told to configure our PIX to allow users to access the following servers, using a single object group:
WWW 2.2.2.1
Syslog 2.2.2.2
FTP 2.2.2.3
Email 2.2.2.4
For the moment we will allow any IP traffic coming from the outside to reach these servers, and the requirement is to use the least number of lines in our configuration.
So we can configure the four servers as one network object group and reference it from a single access-list line:
An object group can itself be a member of another group (with group-object). For object groups to be nested they must be of the same type: all networks/hosts, all protocols, or all services.
Finally we have:
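The configuration walked through above, as an added example that is not the original page's own config. It assumes the outside interface is named "outside", that the access-list is called OUTSIDE_IN, that Syslog is UDP 514 and Email is SMTP (TCP 25); the object-group names are invented for the example. Step 1 is the plain ACL the text builds and then clears, step 2 is the single-line version the text asks for, and step 3 shows nesting and why the "permit ip any" version is too permissive for anything beyond a first test.

```cisco
! --- Step 1: plain access-list, one entry per server and service (assumed
! --- ports; the text only names the services). Applied inbound on the
! --- low-security interface, since outside->inside is denied by default.
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.1 eq www
access-list OUTSIDE_IN extended permit udp any host 2.2.2.2 eq syslog
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.3 eq ftp
access-list OUTSIDE_IN extended permit tcp any host 2.2.2.4 eq smtp
access-group OUTSIDE_IN in interface outside
! the text clears the list again before rebuilding it with object groups
clear configure access-list OUTSIDE_IN

! --- Step 2: the four servers in one network object group; a single ACE
! --- now covers all of them (the "least number of lines" requirement)
object-group network DMZ_SERVERS
 description WWW, Syslog, FTP and Email servers
 network-object host 2.2.2.1
 network-object host 2.2.2.2
 network-object host 2.2.2.3
 network-object host 2.2.2.4
access-list OUTSIDE_IN extended permit ip any object-group DMZ_SERVERS
access-group OUTSIDE_IN in interface outside
clear configure access-list OUTSIDE_IN

! --- Step 3: "permit ip any" exposes every port on every server. Service
! --- groups keep the line count low while only opening the needed ports.
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group service MAIL_PORTS tcp
 port-object eq smtp
object-group service FTP_PORTS tcp
 port-object eq ftp
! nested service group: members must be of the same type (all tcp here)
object-group service TCP_SERVICES tcp
 group-object WEB_PORTS
 group-object MAIL_PORTS
 group-object FTP_PORTS
object-group network TCP_SERVERS
 network-object host 2.2.2.1
 network-object host 2.2.2.3
 network-object host 2.2.2.4
access-list OUTSIDE_IN extended permit tcp any object-group TCP_SERVERS object-group TCP_SERVICES
access-list OUTSIDE_IN extended permit udp any host 2.2.2.2 eq syslog
access-group OUTSIDE_IN in interface outside

! verification: the firewall expands each object-group ACE into individual
! entries with their own hit counts
! show access-list OUTSIDE_IN
! show running-config object-group
```

The caveat a practitioner should keep in mind: an ACE with a network object-group and a service object-group expands to the cross product of the two, so step 3 also allows FTP to the web server and HTTP to the mail server. Object groups shorten the configuration, they do not make it more precise; where per-server precision matters, keep one ACE per server (as in step 1) or one network group per service. Everything not matched is still dropped by the implicit deny at the end of the list.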
Very nice feature Cisco!!