Monday, September 12, 2011

Time Based ACLs (Filtering with IOS Part 4)

I have R1, R2, and R3, and I want to use Time Based ACLs to effectively help create a security policy that I can apply to R2. I consider R2's fa0/0 the inside network and R2's s0/0 the outside network. I want to allow R1 to open a connection on TCP port 80 to R3, but only during working hours. Working hours are considered Monday through Friday from 9 AM to 5 PM.

To accomplish this, I will create a time range for working hours on R2 and reference this time range with a permit statement within an ACL. Further more, I will add another router, R4 to serve as basic NTP time source for R2.

I'll start with configuring the ntp master on R4.

R4#show clock
13:59:16.415 UTC Mon Sep 12 2011
R4#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ntp master 1 

Now I'll associate R2 to R4.

R2(config)#ntp server 
R2#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~        .LOCL.          1    39    64  377    46.4   -0.09     0.2
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

Now that I have a basic NTP set up, I'll create a time range called WORK_HOURS on R2.

R2(config)#time-range WORK_HOURS 
R2(config-time-range)#periodic weekdays 09:00 to 17:00 

Now I'll create an ACL allowing access from the inside to the outside on TCP 80 and reference the time-range

R2(config)#ip access-list extended HTTP 
R2(config-ext-nacl)#permit tcp any host eq 80 time-range WORK_HOURS

I'll verify that the clock is currently within working hours.

R2#sh clock
15:21:40.945 CDT Mon Sep 12 2011

Now when I show the access-list, I see (active) next to the entry.

R2#show access-list
Extended IP access list HTTP
    10 permit tcp any host eq www time-range WORK_HOURS (active)

For testing purposes, I'll change the time on R4, the NTP master, wait a bit for it to sync, and see how that affects the ACL entry.

R4#clock set 17:08:00 12 sep 2011

On R2, I'll verify that the clock has updated.

R2#show clock
17:11:21.961 CDT Mon Sep 12 2011
R2#show access-list
Extended IP access list HTTP
    10 permit tcp any host eq www time-range WORK_HOURS (inactive)

Now the entry shows as inactive.

While the entry is inactive, I'll apply the ACL to the inside interface and expect the behavior to not allow access when I attempt to connect from R1 to R3 on TCP port 80.

R2(config)#int fa0/0
R2(config-if)#access-list HTTP in
R2(config-if)#ip access-group HTTP in

On R1

R1#copy http://jason:cisco@ null:
%Error opening http://*****:*****@ (I/O error)

Now I'll set the NTP source within the time-range parameters and wait for the time to sync.

R4#clock set 16:00:00 12 sep 2011

On R2, I'll look at the ACL and see that it is currently active.

R2#sh access-list
Extended IP access list HTTP
    10 permit tcp any host eq www time-range WORK_HOURS (active)

Another attempt to copy the file shows success now.

R1#copy http://jason:cisco@ null:
Loading http://*****:*****@ !!!!!!!!!

Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
Part 7
Part 8
Part 9
Part 10

No comments:

Post a Comment