Overview

Introduction

The Implement IOS Features to Mitigate Threats in a Network module provides you with the instructions and Cisco hardware to develop your hands-on skills in the following topics:

  • Implementing ACLs using the CLI to mitigate address spoofing
  • Implementing ACLs using the CLI to mitigate against ICMP reconnaissance attacks
  • Using TCP intercept to help prevent DoS attacks
  • Configuring and verifying VACLs

Exercise 1 - Implementing ACLs using the CLI to Mitigate Address Spoofing

In this exercise, you will configure a named access list to prevent IP address spoofing on the external interface of NYEDGE1.

Observing the routing table on NYCORE1, you can see that the internal network is made up of 5 subnets.

Exercise 2 - Implementing ACLs using the CLI to Mitigate Against ICMP Reconnaissance Attacks

In the previous exercise, you configured a basic access list to help mitigate spoofing. However, it also makes sense to add some additional addresses to this access list, such as the loopback address 127.0.0.1. In fact, if this network connects to the Internet, no packets should arrive at the outside interface with RFC 1918 private source addresses, nor with any of the RFC 3330 special-use addresses.

As the title of this exercise suggests, you will also configure your access list to mitigate ICMP reconnaissance attacks.

Exercise 3 - Using TCP Intercept to Help Prevent DoS Attacks

TCP intercept is an IOS feature that can help protect networks against DoS attacks. If you are hosting services in a DMZ, you must implement access lists that allow traffic into your network to a specific host and port. For this example, assume the server in question is a web server (although it could be an email, FTP, or any other server you want to host). HTTP runs over TCP on port 80, so you need a rule that permits this traffic.

An access list alone will still allow attempted DoS traffic through to the permitted host and port; TCP intercept can help prevent this.

TCP intercept is available in IOS 15 with the DATA feature license. Both NYEDGE1 and NYEDGE2 have this license installed, but NYWAN1 does not, so you will notice that the commands are unavailable on that router.
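Added example (not the lab's own configuration or answer key) showing how Exercises 1 to 3 fit together on NYEDGE1: a named ingress ACL that drops spoofed and special-use source addresses and limits inbound ICMP, with TCP intercept protecting the one permitted web server. The interface name GigabitEthernet0/0, the internal prefix 10.1.0.0/16 and the web server address 10.1.2.10 are assumptions.

```cisco
! Assumptions: outside interface Gi0/0, internal network 10.1.0.0/16,
! DMZ web server 10.1.2.10. Entries are matched top to bottom; the first
! match wins, so the deny entries come before the single permit.
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: our own prefix must never arrive from outside
 remark --- (also covered by 10/8 below, but a separate entry gives its own hit counter)
 deny   ip 10.1.0.0 0.0.255.255 any
 remark --- RFC 1918 private space is not routable on the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark --- RFC 3330 special-use space: loopback, "this" network, link-local,
 remark --- TEST-NET, multicast and reserved ranges are never valid sources
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark --- ICMP: keep replies to our own pings, path-MTU and traceroute
 remark --- feedback; drop echo, timestamp and mask requests used for sweeps
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   icmp any any
 remark --- the published DMZ service (Exercise 3)
 permit tcp any host 10.1.2.10 eq 80
 remark --- log what falls through; the implicit deny would not log it
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside
 ip access-group OUTSIDE-IN in
!
! TCP intercept (DATA license): the router answers the SYN on behalf of the
! server and only hands over connections that complete the handshake, so a
! flood of half-open SYNs is absorbed by the router instead of the server.
ip access-list extended INTERCEPT-WEB
 permit tcp any host 10.1.2.10 eq 80
ip tcp intercept list INTERCEPT-WEB
ip tcp intercept mode intercept
!
! Verification: "show ip access-lists OUTSIDE-IN" shows per-entry hit counts
! (a rising count on a deny line is spoofed or scanning traffic);
! "show tcp intercept statistics" shows intercepted and dropped connections.
```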

Exercise 4 - Configure and Verify VACLs

VACLs (VLAN Access Control Lists) are another technology that you can use to help protect your network.

VACLs are particularly useful when you want to restrict access to certain hosts that may even be on the same VLAN. For example, you may have a scenario where you want to block communication between two servers on the same VLAN.

In this exercise, you will configure a VACL to block communication between NYEDGE1 and NYWAN1. This is straightforward, as both devices are connected to the NYCORE1 switch.
