1/26/11

Access list syslog correlation

ACL syslog correlation is a Cisco IOS feature which provides the ability to identify which access list entry (ACE) was responsible for a permit or deny action appearing in syslog.
Consider the following access list applied to filter externally-sourced traffic destined for the internal network:
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log
 999 deny ip any any
Lines 10 through 40 allow miscellaneous traffic types in, and line 50 explicitly denies inbound traffic destined to TCP/22 for the purpose of logging. Line 60 defines an explicit "deny any"; this isn't required, but included here for clarity.
When an inbound packet is matched and discard by rule 50, the following syslog message is generated:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(57289) ->
 10.0.0.1(22), 1 packet
This log message informs the administrator of the action taken and the ACL which matched the packet, but in some cases we may want more detail readily available. This is where ACL hash correlation comes in handy. We can redefine the ACL rule to include an arbitrary keyword, up to 64 characters in length:
Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 50 deny tcp any any eq 22 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log (tag = Deny_SSH)
 999 deny ip any any
Now when that rule discards a packet, its log message includes our tag:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(54843) ->
 10.0.0.1(22), 1 packet  [Deny_SSH]
These tags can be reused by multiple ACEs. Continuing our example, say we also want to deny traffic to SSH servers running on an alternate port, TCP/2222:
Router(config)# ip access-list ext EXTERNAL->INTERNAL
Router(config-ext-nacl)# 60 deny tcp any any eq 2222 log Deny_SSH
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
 60 deny tcp any any eq 2222 log (tag = Deny_SSH)
 999 deny ip any any
ACL logging tags are great for readily identifying ACE matches, particularly when you expect certain matches to occur, but manually defining a tag for each ACE isn't always practical. This is especially true when you want to maintain syslog correlation among hundreds or thousands of individual ACL rules. In such cases, automatically generated hashes would be the preferred option. Automatic hashing is enabled globally, and applied to any ACE with the log keyword with no argument following it.
Here we enable hash generation and add a few more ACEs to our ACL:
Router(config)# ip access-list logging hash-generation
Router(config)# ip access-list extended EXTERNAL->INTERNAL
Router(config-ext-nacl)# 70 deny tcp any any eq 1000 log
Router(config-ext-nacl)# 80 deny tcp any any eq 2000 log
Router(config-ext-nacl)# 90 deny tcp any any eq 3000 log
Router(config-ext-nacl)# ^Z
Router# show ip access-lists
Extended IP access list EXTERNAL->INTERNAL
 10 permit icmp any any echo-reply
 20 permit udp any eq domain any
 30 permit tcp any any established
 40 permit tcp any host 172.16.0.202 eq www
 50 deny tcp any any eq 22 log (1 match) (tag = Deny_SSH)
 60 deny tcp any any eq 2222 log (tag = Deny_SSH)
 70 deny tcp any any eq 1000 log (hash = 0x594F8697)
 80 deny tcp any any eq 2000 log (hash = 0xE471528C)
 90 deny tcp any any eq 3000 log (hash = 0x34CC0DD6)
 999 deny ip any any
As expected, a trigger by any of the ACEs with a hash appended works just as it does with tags:
%SEC-6-IPACCESSLOGP: list EXTERNAL->INTERNAL denied tcp 10.0.0.2(21196) ->
 10.0.0.1(1000), 1 packet  [0x594F8697]
While not immediately useful, a hash can be used to filter an ACL configuration and quickly identify the ACE responsible for an action:
Router# show ip access-lists EXTERNAL->INTERNAL | include 594F8697
 70 deny tcp any any eq 1000 log (1 match) (hash = 0x594F8697)
at
Labels: , ,

How to Change JKS KeyStore Private Key Password

Use following keytool command to change the key store password >keytool  -storepasswd  -new [new password ]  -keystore  [path to key stor...

  • AIX Security Checklist
    AIX Environment Procedures The best way to approach this portion of the checklist is to do a comprehensive physical inventory of the server...
  • How to Change JKS KeyStore Private Key Password
    Use following keytool command to change the key store password >keytool  -storepasswd  -new [new password ]  -keystore  [path to key stor...