Cyber ACL User Manual - Cyber Operations, Inc.
[Figure 1: Access List Edit]

Conflicts and Entries With No Effect

CYBER ACL highlights entries which have no effect with a gray background color, and if you let your cursor hover over the entry it will show you the index of the entry which causes the highlighted entry to have no effect. Likewise, entries which conflict with other entries are highlighted using a darker, nearly black background. An example of a conflicting entry would be trying to permit traffic that was completely blocked by an earlier entry. If you let your cursor hover over the entry, it will show you the index of the entry which causes the conflict.

Importing

From the List Entries page you can also import entries from existing access lists, or export access lists. You can also click the Import Access Lists link from the navigation menu, which will give you a larger selection of options when importing, as well as the ability to import all lists from configuration sources containing multiple access lists. From the Import page you can also import directly from the device.
Cyber ACL. Copyright 1999-2010 Cyber Operations, Inc. All rights reserved. 153 Cahaba Valley Parkway, Pelham, Alabama 35124 USA. Ph: 866-404-2923

[Figure 3: Revision History]

Comparing Access Lists

You can compare any two access lists within CYBER ACL. Go to the Edit List page of the first access list you would like to compare, then select the second access list from the popup menu by clicking on the Compare List link in the Navbar. You will be presented with a page detailing the differences between the two access lists.
Interfaces

An Interface represents an interface and/or named ACL or filter on a device which can be used as an interface for synchronization. Whether a specific network interface is specified as part of an Interface depends on the type of device the Interface is on.

[Figure 11: Interface Summary]

An Interface has an associated ACL which allows you to control the access list entries which are sent to the device each time it is synchronized. The device list of the parent device of the Interface is automatically included as a sublist in the interface list. You can add entries directly to the Interface list, or you can include other access lists as sublists.

Interfaces also support specifying a device script. A device script is a script you specify which can modify the access list for the device before it is sent to the device during synchronization. Device scripts are specified per Interface o
[Figure 7: Group Setup]

Groups each have an associated access list. From the Edit Group page this access list can be accessed by clicking the Group Common ACL Entries link. This will take you to the Edit ACL page, which is discussed in the Access Lists section of this manual. The access list for a group is automatically included as a sublist of each member of the group. This means that any access list entry you add to a group's access list is effectively added to the access list of any device or interface included in that group, as well as of any members of other groups included within that group.

Importing Existing Lists

You can import access lists from Cyber Operations' internal format, which is used by both FLM ANT and ACL Manager, and you can also import lists from many router formats.

Using the Importer

If you need to import multiple access lists at a time, or need more flexible options, then you can use the importer interface by clicking the Import Access Lists link from the navigation menu. See the section Importing for more information.

Import Directly from a Device

You can import access lists directly fro
The web-based interface allows access from any platform and allows you to configure the system to suit your organization's needs.

System Requirements

Processor/OS: Sparc Solaris or Intel Linux
Hardware: The processing, RAM and disk drive requirements may vary depending on the expected usage.
Database: Oracle or PostgreSQL
Authentication/Authorization: TACACS, Radius or LDAP. CYBER ACL can also be configured to use local accounts, or it can use its own internal Authentication system.
Webserver: Typically Apache 2.x, but compatible with most others. CAC/PKI supported.
Devices: Cisco IOS based routers, Juniper routers, Cisco PIX firewalls, Cisco ASA devices, Aruba mobility controllers, Force 10 routers and Netscreen firewalls. You can also control your organization's iptables and deploy via Cyber Operations FLM ANT sensors.
Communication to Devices: SSH, SCP, Telnet, TFTP
Logging: Syslog compatible. Many other options are configurable.
Notifications: SNMP traps and Email Notifications

Customization is available. If you have integration requirements for other Linux distributions or UNIX variants, you require the use of another database system, you need to integrate with a different authorization system, or you need support for another type of router or firewall, please contact us at Cyber Operations so that we can assist you.

Additional Resources

Additional current information is available on our website http://www.cyberoperations.c
You can view your groups by clicking on the Groups navigation link. Clicking the Add New Group link takes you to the Edit Group page after you enter a name for your group in the given field. On the Edit Group page there are three tabbed areas. The Devices area allows you to add or remove devices in your group. The Interfaces area allows you to add or remove interfaces in your group. Finally, the Groups area allows you to add other groups to your group, effectively nesting them within one another.

Within each tabbed area, the left area labeled Members shows the items that are currently included in the group, and the right area labeled Non-Members shows all items that are not included. To add items, select them on the right side under Non-Members and click the Add button. To remove items, select them on the left side under Members and click the Remove button. You can select multiple items at a time for adding or removing. You can remove all items from the group, or add all items, by clicking the Remove All or Add All buttons respectively.

When you have finished including devices, interfaces or other groups in your group, click the Save button to save your new group.
or unix AuthType mode. When AuthType is set to db or unix, users and authorization can be configured from the Admin menu of CYBER ACL.

For Radius, use Attribute 26 (Vendor Specific), Vendor 9 (Cisco), Sub Type 1 (avpair). Set allowcmds to a comma separated list of allowed commands; for a read-only user:

allowcmds=read acl,read device

You can also use wildcards in allowcmds.

Access Lists

List Basics

Access lists, also known as ACLs, consist of a sequence of entries, each of which specifies whether a certain type or group of packets will be permitted or denied through the filter. CYBER ACL maintains your access lists in a platform-independent format for you, so that they can be easily sent to different device types, typically a router or firewall.
[Figure 9: Device Setup]

[Figure 10: Network Tree]

Change Trackers

Creating a Change Tracker for a device allows you to automatically import a list from the device whenever it is modified on the device. In order to create a Change Tracker, click the New link from the Change Tracking navbar on the Device Setup page, and then enter the name of the access list or filter on the device in the Device ACL Name field, and the name you want the imported list to have in the Local List field.

NOTE: Change Trackers are imported at regular intervals by the aclserver daemon, so you will not see changes take effect immediately. The interval can be set on the Device Setup page for a specific device.
Testing

CYBER ACL includes a feature which allows you to test what would happen to a theoretical packet as it is processed by an access list. Clicking the Test button on the Advanced Search page of an access list will run your test case. When you have entered your parameters, click the Test button. You will be taken to the List Entries page with the entry which matched your sample values highlighted. This is the terminal entry for those values in the list, meaning that it is the entry which finally permitted or denied the packet.

[Figure 15: Matching Entry]

CYBER ACL also includes the ab
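The gray and black highlighting described under Conflicts and Entries With No Effect, and the terminal-entry lookup described under Testing, can be modelled with a first-match evaluator plus a coverage check between entries. The Python below is an added example, not part of this manual or of CYBER ACL itself; it works on a constructed access list written in the manual's entry notation, and it assumes that an entry fully covered by an earlier entry with the same action has no effect, while an entry fully covered by an earlier entry with the opposite action is a conflict.

```python
"""Added example: first-match evaluation plus no-effect / conflict detection
for a platform-independent access list (constructed data, not CYBER ACL code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


def parse_ports(spec: Optional[str]) -> Tuple[int, int]:
    """Port spec in the manual's notation: None/'any', '25', 'gt 1023', 'lt 1024', '19497-31217'."""
    if spec is None or spec == "any":
        return ANY_PORTS
    op, _, value = spec.partition(" ")
    if op == "gt":
        return (int(value) + 1, 65535)
    if op == "lt":
        return (0, int(value) - 1)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


@dataclass(frozen=True)
class Entry:
    index: int          # position shown on the List Entries page (1-based)
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: IPv4Network
    dst: IPv4Network
    sport: Tuple[int, int]
    dport: Tuple[int, int]


def entry(index: int, action: str, proto: str, src: str = "any", dst: str = "any",
          sport: Optional[str] = None, dport: Optional[str] = None) -> Entry:
    """Build an Entry from the fields of 'Permit tcp <src> port <p> to <dst> port <p>'."""
    def net(s: str) -> IPv4Network:
        return ANY_NET if s == "any" else ip_network(s, strict=False)
    return Entry(index, action.lower(), proto.lower(), net(src), net(dst),
                 parse_ports(sport), parse_ports(dport))


def _covers_ports(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(earlier: Entry, later: Entry) -> bool:
    """True when every packet 'later' could match is already matched by 'earlier'."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and earlier.src.supernet_of(later.src)
            and earlier.dst.supernet_of(later.dst)
            and _covers_ports(earlier.sport, later.sport)
            and _covers_ports(earlier.dport, later.dport))


def analyze(acl: List[Entry]) -> Dict[int, Tuple[str, int]]:
    """Map entry index -> ('no_effect' | 'conflict', index of the earlier entry responsible).

    A covered entry with the same action can never be reached (gray highlight); one with
    the opposite action tries to reverse an earlier decision (near-black highlight)."""
    findings: Dict[int, Tuple[str, int]] = {}
    for pos, later in enumerate(acl):
        for earlier in acl[:pos]:
            if covers(earlier, later):
                kind = "no_effect" if earlier.action == later.action else "conflict"
                findings[later.index] = (kind, earlier.index)
                break  # report the first shadowing entry, as the hover text does
    return findings


def matches(e: Entry, proto: str, src: str, dst: str, sport: int, dport: int) -> bool:
    return ((e.proto == "ip" or e.proto == proto)
            and ip_address(src) in e.src and ip_address(dst) in e.dst
            and e.sport[0] <= sport <= e.sport[1]
            and e.dport[0] <= dport <= e.dport[1])


def terminal_entry(acl: List[Entry], proto: str, src: str, dst: str,
                   sport: int = 0, dport: int = 0) -> Optional[Entry]:
    """First-match evaluation of a theoretical packet, as the Test button does.

    Returns the entry that finally permits or denies it; None models the implicit
    deny a device applies when no entry matches."""
    return next((e for e in acl if matches(e, proto, src, dst, sport, dport)), None)


# Constructed sample list in the manual's notation (not taken from any real device).
SAMPLE_ACL = [
    entry(1, "Permit", "tcp", "9.61.0.0/26", "171.82.0.0/26", sport="gt 1023", dport="16807"),
    entry(2, "Deny", "ip", "192.55.0.0/31", "72.0.0.0/5"),
    entry(3, "Permit", "icmp"),
    entry(4, "Permit", "tcp", "192.55.0.0/32", "72.1.2.0/24", dport="22"),  # blocked by 2
    entry(5, "Permit", "icmp", "10.0.0.0/8"),                                # covered by 3
    entry(6, "Deny", "icmp"),                                                # reverses 3
]

if __name__ == "__main__":
    for idx, (kind, by) in sorted(analyze(SAMPLE_ACL).items()):
        print(f"entry {idx}: {kind} because of entry {by}")
    hit = terminal_entry(SAMPLE_ACL, "tcp", "192.55.0.1", "72.1.2.3", 40000, 22)
    print("terminal entry:", hit.index if hit else "implicit deny")
```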
for a specific device or specific interface, so that when an ACL is sent to (synchronized with) that interface or device, the device or interface specific definition is used instead of the global definition. If a device and an interface both override a network definition, then the interface definition will take precedence.

To view or edit the network definitions for a device or interface, click the network under Override These Networks on the Device Setup or Interface Setup page respectively.

Services

The services feature allows you to define groups of ports and port ranges that can be used when defining access list entries. To view defined services, click on the Services link from the navigation menu. A port or port range can be added to a service definition by clicking the Add Service link. You will be asked to select Include or Exclude, indicating whether you want this port or port range included in or excluded from your service definition. You will also need to enter the service name, port number or range, etc. in the Service or Port Range field. You can also enter a descriptive comment in the Comment field. Click Save when you are through entering the fields to return to the Edit Service page.

Groups

Groups are custom defined combinations of devices, interfaces and other groups, which also allow you to define an access list to be included by each group member automatically.
User Manual
Cyber Operations, Inc.
http://www.CyberOperations.com
153 Cahaba Valley Parkway, Pelham, AL 35124
Ph: 205-403-2923  Fax: 205-403-6508

Copyright 1999-2010 Cyber Operations, Inc. All rights reserved. Cyber Operations and CYBER ACL are either registered trademarks or trademarks of Cyber Operations in the United States and/or other countries.

Table of Contents

Introduction  3
  Thanks  3
  About CYBER ACL  3
  System Requirements  3
  Security  4
CYBER ACL Installation  4
  Updating CYBER ACL  4
  System Configuration  4
  Setup the Database  5
  Setup the Web Server  5
  Configure Authorization  6
Access Lists  7
  List Basics  7
  Edit Access List  7
  Conflicts and Entries With No Effect  7
  Importing  8
  Exporting  9
  History and Rollback  9
  Comparing Access Lists  9
  Using Sublists  10
Defining Groups, Networks and Services  11
  Networks  11
  Network Overrides  12
  Services  13
  Groups  13
Importing Existing Lists  14
  Using the Importer  15
  Import Directly from a Device  15
Dependencies  15
Working with Devices  15
  Devices  15
  Change Trackers  18
  Interfaces  18
  Device Type
web interface from the command line, as well as some things not available from the web interface. Please see the extensive built-in help by running the command aclserver help.

Web Services

CYBER ACL also includes web services, so that the product can be controlled programmatically. The WSDL is located at https://<yourServerName>/cgi-bin/aclserver?page=wsdl. Web services must be enabled and configured in the etc/aclserver.conf file; see that file for instructions.

Branding and Customization

Edit the html/custom/login.html and html/custom/welcome.html files to enter messages that will be shown on the login and welcome page respectively. These are in HTML format and are inserted into the page. Custom links can be added to the Reference menu; instructions are in the aclserver.conf file. Many of the images in the html/images folder can be overridden by creating a file of the same name in html/custom/images. In general, the replacement image should be the same width and height as the original. These are: main bg.jpg, bg header login.jpg, bg header.jpg, welcome.png, reportheader.jpg. Documents can be added to the Additional Resources area by adding the file to the html/custom/resources folder.

Support

Please contact us if this manual does not answer your questions, or if you experience any problems while using CYBER ACL.

Technical Support: Monday through Friday, 8am to 5pm CST. 24 by 7 Support Contracts Ava
[Figure 4: Access List Comparison]

The revision history page will present you with a history of modifications to the list, from most recent to least recent. If you click on the date or event columns of a change, you will be taken to a comparison of the list immediately prior to and immediately after the change. If you click the Rollback link for a change, the list will be rolled back (restored) to its state immediately prior to that change. A list that has been deleted can be restored with the Rollback feature.

Using Sublists

In addition to regular access list entries, you can also add references to other lists, known as sublists. Whenever the list is sent to a device (synchronized), the actual sublist will be substituted in place of the sublist entry. This works recursively, which means that the sublist may itself have sublists. This feature is very useful if you have some common rules for multiple devices and interfaces, but you also have rules which may be common across some or all of your interfaces. You can create a sublist containing the entries which are common across a group of interfaces, then have each interface's list include your common list as a sublist. Whenever your common list is modified, any interface with a list that includes it as
[Figure 2: Importer]

If you are importing from a file that contains more than one access list, you will be presented with a menu to select which access list you would like to import.

Exporting

ACLs can be exported to several formats by clicking one of the Export options in the Export Navbar from the Edit Access List page.

History and Rollback

There is an automatic history maintained of all changes made to each access list in CYBER ACL. In order to access this history, click the link titled Revision History in the Navbar from the Edit Access List page.
Device Type | Device Filter Name | Device Interface Names
Juniper JunOS | Specifies the firewall filter that will be created or modified in the JunOS configuration. | Not used.
Cisco IOS, Cisco PIX, Cisco ASA/PIX 7.x, Aruba, Force10 FTOS, Force10 E-Series, Force10 SFTOS | Specifies the name of the access list that will be created or modified in the IOS configuration. | Only used if the device Protocol is Telnet or SSH and the Device Interface Names field is not blank, in which case it specifies the router interface for an ip access-group or ipv6 traffic-filter command to be inserted into the interface configuration.
Netscreen | Not used. | The Interface must specify the source and destination zones for the access list rules to apply to, in the form srczone dstzone.
iptables, ip6tables | Not used. | Not used.

[Figure 1: Device Filter Name Usage]

Dummy Devices

The device type Dummy Device is a special type of device used for testing and experimenting with access list policies when you do not want to use an actual network device.

Rotating Device Filter Names

Some devices have a smoother transition if the entire new access list is loaded before the interface is changed to the new ACL. For Cisco IOS, PIX, ASA, Aruba and all Force 10 device types, it is possible to rotate the access list used on the device. To take advantage of this feature, simply enter the access list names you would like to use, separated by a comma or semi-colon, in the D
  Device Type Specifics  20
  Dummy Devices  21
  Rotating Device Filter Names  21
  IPv6 Access Lists  21
  Standard versus Extended Access Lists on IOS Devices  22
  Traffic Direction  22
  Previewing Lists  22
Synchronization  23
Management Features  23
  Schedules  23
  Searching  24
  Textual Searches  24
  Advanced Search  24
  Testing  26
  Reports  26
  Logging  27
  Deployment Logs  27
Command Line Tools  28
Branding and Customization  28
Support  30

Introduction

Thanks

Thanks for choosing CYBER ACL; we hope you enjoy its powerful features for managing your organization's network access policies. Please let us know if there is any way you feel this product, its documentation or its support could be improved to better meet your needs.

About CYBER ACL

CYBER ACL is a system which allows your organization to store, control and implement all of your organization's network access policies for different brands and types of networking devices from one centrally managed database, with revision history and access control. It also provides you advanced tools for creating, analyzing and deploying your access control policies, including comparison, searching, conflict detection, hierarchical lists and simultaneous synchronization of devices with the database.
a sublist will automatically be marked as in need of synchronization.

[Figure 5: A Sublist]

Defining Groups, Networks and Services

CYBER ACL allows you to create custom defined values which can be used from within your access lists to more easily manage your network access policies. These consist of Networks, Services and Groups. Networks are predefined combinations of network address ranges; services are combinations of ports and port ranges; and groups are combinations of devices, targets and other groups which also allow you to define an access list to be included by each group
ated ACL which is automatically included as a sublist for each interface on the device. You can edit this list to add any entries that you want included for all interfaces.

[Figure 8: All Devices]

When you click Add New Device, you will be taken to a page asking you for the basic configuration values for the device. Below are the fields which you must enter to set up your device.

- Description: This will be the name of your device within CYBER ACL.
- Type: This menu allows you to select one of the supported device types.
- Address: This is the network address of the device; specifically, the address of the interface on the device that CYBER ACL will use to communicate with the device.
- Protocol: For some devices, more than one communication protocol for interoperating with the device is supported. Select the protocol that you wish to use to communicate with the device. You mus
ation begins, a deployment log entry will be added for the Interface indicating that it has a deployment in progress, showing the user initiating the action and any comment they entered. Upon completion, cancellation or failure of synchronization to an Interface, the deployment log entry will be updated to indicate the result and the message. The result will be either Success or Failed; cancelled synchronizations are marked Failed. The Message field contains the text Cancelled for cancellations, and for errors it will contain the text of any error messages indicating what problems occurred.

Management Features

Schedules

You can schedule synchronizations to take place at a later date or time, or on a recurring schedule. To view the scheduled synchronizations, click on the Schedules link in the navigation menu.

Simply click Add New Synchronization Schedule to create a new scheduled synchronization. You will be prompted to enter a name for the Schedule, select the Interface (or all Interfaces) that the schedule applies to, and a date for the schedule to begin. If you click the Recurring Schedule checkbox, then you will also need to set the interval, which can be hourly, daily, weekly, monthly or other; the other option allows you to specify a number of minutes between synchronizations. When entering the Date/Time value you can enter relative amounts of time from the present. For example, you could enter 1day to sched
e, hour, day, month, year. AuthIdleTimeout 90 minutes is the same as AuthIdleTimeout 1 hour 30 minutes. Fields that are a server address can use dot notation or a domain name.

Setup the Database

After the database is configured, run the following command to initialize it with the tables that CYBER ACL will need:

cgi-bin/aclserver database init

Setup the Web Server

Set the root directory to /usr/local/acl/html and the cgi-bin directory to /usr/local/acl/cgi-bin. This example uses Apache. In the httpd.conf file:

DocumentRoot /usr/local/acl/html
<Directory /usr/local/acl/html>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/local/acl/cgi-bin/
<Directory /usr/local/acl/cgi-bin>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

Run the command apachectl restart.

Configure Authorization

When the user begins an action, an Authorization request is sent to the AAA server. For TACACS or Radius Authorization, use <command> <argument>.

Commands are: read, write, sync.

Arguments are:
- device: includes devices, interfaces, trackers, deployment logs, deployment reports and schedules
- acl: includes ACLs, networks, services, groups, ACL tests, ACL logs and ACL reports
- admin: includes global device account, email notifications and administrative tasks; includes user settings in db
evice Filter field. Additionally, if you enter two numeric values, or two names both ending in a number, then CYBER ACL will rotate through all the intermediate numbers as well. Here are some examples:

firstName, secondName: Synchronizations will alternate between firstName and secondName as the access list name on the device.
name101, name102, name103: Synchronizations will cycle through name101, name102, etc. and wrap back around to name101.

IPv6 Access Lists

For devices which support it, the IPv6 checkbox selects whether an IPv6 or IPv4 access list is generated for the interface.

Standard versus Extended Access Lists on IOS Devices

The Extended option applies only to Cisco IOS and Aruba devices, and a standard access list is generated if this option is not checked. Also, if you specify a number for the access list name and this number falls into the ranges used by Cisco IOS for numbered standard access lists, then a standard access list will be generated instead of an extended list, regardless of the setting of the Extended checkbox. Standard access lists allow limiting traffic only based on the source address.

Traffic Direction

If the device protocol is SSH or Telnet and the device type is Cisco IOS, Cisco ASA/PIX 7.x or Aruba, then the Traffic Direction radio items will control whether the access list is applied to inbound, outbound or all (both) traffic.

Previewing List
ilable.
Phone: 205-403-2923
Email: support@CyberOperations.com
Website: www.CyberOperations.com

Cyber Operations: Integrated Security Technologies
ility to create lists of test entries to be run against defined access lists, to create test reports.

Reports

CYBER ACL supports two types of reports: deployment reports, which cover all synchronizations which have taken place, and list reports, which cover all changes made to access lists. Reports are viewed by clicking the Reports links from the navigational menu. Dates are specified in the form MM/DD/YYYY or MM/DD/YYYY HH:MM, and can also be specified as offsets backwards, such as 30days, 1hrs or 30mins. After you have selected parameters for your report, click the Filter button to refresh the data.

Logging

CYBER ACL maintains two types of logs. The first type of log saves a history of all synchronizations performed by any user to any interface. The second type of log saves a history of all modifications made to the database by users. These logging features allow you to better track user actions and troubleshoot any problems with your lists or devices.

Deployment Logs

On the Edit Interface page, the deployment log is shown for that particular Interface, with the time, user, note, result, finish time and any message for each synchronization. A separate page showing all deployment logs can be viewed by clicking the Deployment Logs link in the navigational menu. This page shows the Interface, device, user, note, start time, finish time, result and any message for each deployment. Deployment logs also provide the data used f
[Figure 4 (continued): Access List Comparison, with a Brief Summary of matching lines and lines found only in one list, followed by a Long Report listing each entry of the compared lists]
m some types of devices. From the Edit Device page of the appropriate device, click the link Import from Device and you will be taken to the importer interface; instead of requesting you to select a file, it will let you import directly from the device.

Dependencies

CYBER ACL allows you to view all lists which reference a specific list, service or network. On the Access List, Edit Network and Edit Service pages, use the Referenced By bar with links on the right titled Any, Lists, Interfaces, Devices and Groups. Clicking on any one of these links will take you to the dependency browser page, which will show you all lists of the selected type that reference that network, list or service. For example, if you went to the network My Network and clicked the Groups link across from Referenced By, you would be shown all group access lists which contained entries referencing My Network. This also includes lists which include sublists that reference My Network. Similarly, if you had clicked the Any link instead, you would see access lists of any type referencing My Network.

Working with Devices

Devices

Within CYBER ACL, a device represents a physical networking device such as a router or firewall. For each device, a description, internet address and the information required to access the device are maintained in the database. A device also has an associ
member automatically.

Networks

CYBER ACL allows you to create Network definitions which can then be used within access lists. The currently defined networks can be viewed by clicking on the Networks navigation link.

[Figure 6: Network Setup (screenshot of the Network Definition Setup page for the network Bogons, listing its network addresses with their comments, the Add Network Address link, the Save, Cancel and Delete buttons and the Referenced By bar)]

The Add Network Address link will prompt you for a network and mask, as well as a comment for the network address you are adding. Additionally, there will be a menu allowing you to select whether this address will be included in or excluded from your network definition. For example, you could create a network definition that included all of the 10.0.0.0 class A private IP block except for the class C beginning with 10.0.1 by adding the address and mask 10.0.0.0/8 to be included and adding the network address and mask 10.0.1.0/24 to be excluded.

Network Overrides

You can override a network's definition
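The include/exclude network definition described above, expanded into the concrete address blocks it covers, as an added Python example (not Cyber ACL's own code). MY_NETWORK is constructed from the 10.0.0.0/8 minus 10.0.1.0/24 case in the text; the expansion is a general routine, so it also handles several included blocks and exclusions that swallow a block entirely.

```python
import ipaddress

# Constructed network definition in the include/exclude form of the Network
# Setup page: the whole 10.0.0.0/8 block with the 10.0.1.0/24 class C excluded.
MY_NETWORK = [
    ("include", "10.0.0.0/8"),
    ("exclude", "10.0.1.0/24"),
]


def expand_definition(entries):
    """Return the address blocks (as strings, sorted) that a definition covers.

    Included addresses are collapsed into the fewest blocks first; each excluded
    address is then carved out of whichever included block contains it.
    """
    blocks = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(net) for mode, net in entries if mode == "include"))
    for mode, net in entries:
        if mode != "exclude":
            continue
        excluded = ipaddress.ip_network(net)
        remaining = []
        for block in blocks:
            if excluded.subnet_of(block):
                # Split the block into the pieces that are not excluded
                # (address_exclude yields nothing if the exclusion equals the block).
                remaining.extend(block.address_exclude(excluded))
            elif block.subnet_of(excluded):
                pass  # the block lies entirely inside the exclusion: drop it
            else:
                remaining.append(block)  # no overlap: keep unchanged
        blocks = sorted(remaining)
    return [str(block) for block in blocks]


def definition_contains(entries, address):
    """True if the address falls inside the definition after exclusions."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(block)
               for block in expand_definition(entries))


if __name__ == "__main__":
    for block in expand_definition(MY_NETWORK):
        print(block)
```

Excluding one /24 from a /8 leaves sixteen blocks, which is what a device with no native exclude syntax would actually have to carry.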
n the device. The device script must be in the scripts folder on the server running CYBER ACL. When the device script is called, it will be passed the list in the native syntax of the device as standard input via a UNIX pipe, and the output of the device script written to standard out will be used by CYBER ACL as the modified version of the access list to be sent to the device. The directory samples sample dev scripts contains some example device scripts for your convenience.

[Figure 12: Interface Setup (screenshot of the Interface Setup page for the interface Outbound: Description, Device Filter Name, IPv6, Script and Include Remarks fields; Save, Cancel, Delete and Sync buttons; an Override These Networks link; and a sync history table with the columns Sync Time, User, Sync Comment, Result, Finish Time and Message, showing one sync by jon that completed and one that failed with the message: Empty ACL Sync is not allowed. Please add entries to the Interface's ACL. Unable to convert ACL)]

Device Type Specifics

The Device Filter Name and Device Interface Names take on different meanings depending on the type of parent device.

Device Type | Device Filter Name | Device Interface Names
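An added example of a device script written to the contract described above (it is not one of the samples shipped with CYBER ACL): it reads the list in device-native syntax on standard input and writes the modified list to standard output. It assumes the Cisco IOS extended ACL syntax shown on the Output Preview page, appends the IOS log keyword to every deny entry that lacks it so that denied traffic is recorded, and refuses an empty list rather than pass it on; SAMPLE_ACL is constructed from entries in that preview.

```python
#!/usr/bin/env python3
"""Device script: add the IOS 'log' keyword to deny entries on the way out."""
import sys

# Constructed sample list in the IOS syntax the Output Preview page shows.
SAMPLE_ACL = """ip access-list extended deploytest
permit udp 187.20.0.0 0.0.0.1 eq 15292 133.44.0.0 0.3.255.255 gt 4332
deny ip 192.55.0.0 0.0.0.1 72.0.0.0 7.255.255.255
deny icmp any any 47 34 log
"""


def add_log_to_denies(acl_text):
    """Return acl_text with ' log' appended to each deny entry lacking it.

    Raises ValueError on an empty list so that nothing is written to stdout
    (CYBER ACL itself refuses to sync an empty ACL, as Figure 12 shows).
    """
    if not acl_text.strip():
        raise ValueError("empty ACL refused")
    out = []
    for line in acl_text.splitlines():
        words = line.split()
        # Entries may be indented inside the 'ip access-list' block, so look
        # at the first keyword rather than the first character of the line.
        if words and words[0].lower() == "deny" and words[-1].lower() != "log":
            line = line + " log"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # CYBER ACL pipes the list in on stdin and takes the result from stdout;
    # on an empty list, report the reason on stderr and exit non-zero.
    try:
        sys.stdout.write(add_log_to_denies(sys.stdin.read()))
    except ValueError as exc:
        sys.exit("device script: %s" % exc)
```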
om Setup

CYBER ACL Installation

Installing CYBER ACL on a server consists of unpacking the gzip'ed tar file containing the distribution, then running the provided install script. Below is an example of the required commands you would need to run with root access:

gunzip acl.tar.gz
tar xvf acl.tar
cd acl
./installacl

This will install to the directory /usr/local/acl. NOTE: All relative path names used in this manual are from the /usr/local/acl directory. Read the file INSTALL for detailed information on setup and configuration.

Updating CYBER ACL

CYBER ACL has a built-in auto-update mechanism. To check for and install an upgrade to the system, run the command cgi-bin/aclserver update. To install from a file rather than over the internet: cgi-bin/aclserver update <update file>

System Configuration

By default the system configuration file is /etc/aclserver.conf. Override this file by creating /usr/local/acl/aclserver.conf. For future reference, the original is located at /usr/local/acl/aclserver.conf.original. Use the configuration file to set up the database, authentication, logging and many other options. You must set up the database and authentication in the configuration file in order to use CYBER ACL. The config file uses standard Key Value syntax. Lines starting with the comment character are comments.

Syntax Notes

Keys are case insensitive. Fields that are a time duration understand the words second, minut
or generating deployment reports, as discussed in the Reports section of this manual.

Revision History

ACL Revision History documents all the changes made to access lists by the users of the system. The most recent modification log entries for an access list are displayed by clicking the Revision History link for that list. For each log entry the date, user, event, action taken and comment entered are shown. The Revision History is discussed in the section History and Rollback in this manual.

Notification

CYBER ACL supports email/SNMP notification when certain types of events take place. This feature is controlled via the Notifications page.

Syslog

Syslog, file logging, tracing etc. are documented in the aclserver.conf file and can be configured there.

SNMP Traps

SNMP trap destinations and options are configured in the /etc/aclserver.conf file. This includes the hostname for the SNMP trap server, the version and other options. Minimally, the SNMPHost configuration value must be set. Next, in the Admin > Notifications menu of CYBER ACL, configure which events should send traps to the trap server. The MIB CYBER SNMP MIB is located on the CYBER ACL application server and is also available in the downloads and support section of http://www.cyberoperations.com.

Command Line Tools

CYBER ACL also includes an extensive command line tool that allows the user access to much of the features available via the
rface and its access list, the system maintains synchronization times and modification times so that the system knows if a list, any of its sublists, or any networks or services it references have been modified since the last time the interface was synchronized. When viewing the Interfaces page, each interface that needs to be synchronized will have an icon in the Synchronize column that looks like a circle with two arrows. Clicking on the synchronize icon for an interface will begin the synchronization process for that interface. All synchronizations take place in separate processes from the interface, so you can continue your work within CYBER ACL while interfaces are being synchronized. Any Interface that is currently being synchronized will show a barber-pole type progress animation in the Synchronize column. If you view an Interface in the Interface Setup page, by clicking its name from the Interfaces page or from its parent's Device Setup page, you will see a horizontal bar stating Interface NOT synchronized if the Interface is not up to date with its access list. The Synchronize button starts the deployment in the background, in the same manner as clicking the sync icon on the All Interfaces page would. When synchronization is in progress, the Synchronize button on the Interface Setup page will be replaced by a Cancel Sync button with a barber-pole type progress indicator next to it. When synchroniz
s. It is possible to preview the device-specific syntax generated for an Interface's access list without sending it to the device. To do so, click the Preview link from the Interface Setup page for the appropriate interface. This will take you to a page containing the textual list data that would be sent to the Interface during an actual synchronization, so that you can preview any changes you have made.

[Output Preview (screenshot): the device-specific syntax for the list deploytest in Cisco IOS form, beginning with ip access-list extended deploytest and followed by the translated permit and deny entries (for example deny icmp any any 47 34), with the listing continuing in Figure 13]
s containing the word tcp or the word udp.

Advanced Search

From the List Entries page, the Advanced Search link takes you to the Advanced Search page, where you can specify ACL entry values to match against entries in the list while searching. All fields are the same as the fields from the Edit Entry page where you define access list entry values, with the exceptions that there are no search fields for Log, Reflect, Evaluate Reflect or Established, and at the top there is an additional field named Match Type where you specify the relationship the entry must have to the search values to be considered a match. The choices are:

- Intersection: If there is any overlap between the entry and the search settings, the entry will be considered a match. For example, TCP and UDP do not intersect but IP and TCP do, and 192.168.1.0 and 10.0.0.0 do not intersect but 192.168.0.0/16 and 192.168.1.0/24 do intersect.
- Superset: The list entry must be a superset of the search values to match. This means that each value must be the same or less restrictive in the list entry. For example, IP is a superset of TCP as a protocol, and 192.168.0.0/16 is a superset of 192.168.1.0/24 as a Source Net/Mask.
- Subset: This is the opposite of Superset, meaning that the search values must be a superset of the list entry values.
- Exact: Only match entries that match each field in the search parameter
s exactly.

Any field not specified on the Advanced Search page defaults to include any value, meaning that leaving Source Net/Mask or Destination Net/Mask blank defaults to any source or destination address, and that leaving Port/Service blank defaults to any port. Once you have entered all of your search parameters, click the Search button and you will be returned to the List Entries page with all matching entries highlighted in yellow.

[Figure 14: Advanced Search (screenshot of the List Entries page for Example1 after an Advanced Search, page 1 of 3 of its 23 entries, with the matching entries highlighted)]
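The four Match Type relationships described above, applied to the protocol and Source Net/Mask fields of a constructed list of entries, as an added Python example (not Cyber ACL's own code). A blank search field matches any value, as the text says; the protocol hierarchy (IP above TCP, UDP and ICMP) and the entries in ENTRIES are assumptions built from the examples in the text.

```python
import ipaddress

# Protocol containment as the text describes it (constructed table): IP is a
# superset of TCP, UDP and ICMP, while TCP and UDP do not intersect.
PROTO_PARENT = {"ip": None, "tcp": "ip", "udp": "ip", "icmp": "ip"}

# Constructed list entries (action, protocol, source network); the other
# entry fields are left out to keep the example short.
ENTRIES = [
    ("permit", "ip", "0.0.0.0/0"),        # 1: permit ip Any
    ("permit", "udp", "192.168.0.0/16"),  # 2
    ("deny", "tcp", "192.168.1.0/24"),    # 3
    ("permit", "tcp", "10.0.0.0/8"),      # 4
    ("permit", "tcp", "192.168.0.0/16"),  # 5
]

def proto_superset(a, b):
    """True if protocol a is the same as, or less restrictive than, protocol b."""
    while b is not None:
        if a == b:
            return True
        b = PROTO_PARENT[b]
    return False

def field_matches(match_type, entry_val, search_val, superset, intersects):
    """Apply one Match Type to a single field; superset(x, y) means x covers y."""
    if search_val is None:             # blank search field: any value matches
        return True
    if match_type == "intersection":   # any overlap between entry and search
        return intersects(entry_val, search_val)
    if match_type == "superset":       # list entry covers the search value
        return superset(entry_val, search_val)
    if match_type == "subset":         # search value covers the list entry
        return superset(search_val, entry_val)
    if match_type == "exact":
        return entry_val == search_val
    raise ValueError("unknown match type: %r" % match_type)

def search(entries, match_type, proto=None, src=None):
    """Return the 1-based indices (as the List Entries page numbers them)
    of the entries that match the search values under match_type."""
    src_net = ipaddress.ip_network(src) if src else None
    hits = []
    for index, (_action, e_proto, e_src) in enumerate(entries, start=1):
        proto_ok = field_matches(
            match_type, e_proto, proto, proto_superset,
            lambda x, y: proto_superset(x, y) or proto_superset(y, x))
        net_ok = field_matches(
            match_type, ipaddress.ip_network(e_src), src_net,
            lambda x, y: y.subnet_of(x), lambda x, y: x.overlaps(y))
        if proto_ok and net_ok:
            hits.append(index)
    return hits
```

Searching for tcp from 192.168.0.0/16 returns entries 1, 3 and 5 under Intersection but only 1 and 5 under Superset, because entry 3's /24 is narrower than the search value.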
t have the device configured to allow this protocol. See the table Protocols for a more complete description of each option.
- Folder: Enter the path to be displayed on the Network Tree page. Folders allow grouping of devices for easier management on the Network Tree (Figure 10).
- Device Authorization: If Static, then the login and password are set on this page for this particular device. If Global Authorization, then the login/password from the admin menu are used. If Prompt, then the operator is asked for a password when synchronization is initiated. RSA Key Device Authorization is also supported.
- Device Login Name: The login name for the device if using static authorization.
- Device Password: Password when logging into the device using static authorization. This field is ignored when using an RSA key.
- Enable Password: Password to enable management features on the device. This does not apply to all device types. This is only used if using static authorization.
- Advanced: This lets you set more advanced configuration options that may also be specific to certain device types.

When you are through entering the values for your device, save it by clicking the Save button. In order to send an access list to a device, you must define one or more interfaces on that device.

[Screenshot residue: Device Setup page for the device juniper, showing its Description, Type, Address and Protocol fields; Type Juniper Junos
[Figure 13: Preview ACL (continuation of the Output Preview listing for deploytest, with permit and deny entries in Cisco IOS syntax)]

Synchronizing

Within CYBER ACL, synchronization is the sending of the appropriate access list or lists to an Interface or Interfaces. For each Inte
ule a synchronization 24 hours away, or you could enter 30mins or 2hours. If you click on the name of a Schedule on the Schedules page, then you will be able to change any of the values for an existing schedule or delete that schedule.

Searching

There are two different types of searches supported by the system. Textual searches allow you to search the textual representation of a list, and advanced searches allow you to search list entries based on specific parameters for entry fields.

Textual Searches

The textual search feature allows you to use regular expressions to search the textual representation of the list entries. The regular expression syntax used is that of POSIX 1003.2, and all expression matching is case insensitive. To search within a list you must be on the List Entries page of the appropriate list. Enter the string or regular expression you wish to search for in the text field to the left of the Search button, then click Search. All matching entries will be highlighted with a yellow background. Below are some examples of regular expressions for searching:

- permit.*udp: This would match any entry containing the text udp somewhere after the text permit. The . represents a wildcard matching any character and the * indicates match zero or more of the preceding value.
- port: This would simply match any entry containing the port keyword.
- tcp|udp: This would match all entrie