Advertisement

Using Access Control Lists (ACLs) as a Virus-Detection Tool

By Edward Tetz from Cisco Networking All-in-One For Dummies

As a network administrator, you can do a few things with your Access Control Lists (ACLs) which can help you detect viruses. If you know a virus that has a certain type of traffic, perhaps on TCP port 1090, you can create an ACL that makes use of the log option. This allows information about these packets to be recorded in the system log, which could go to a centralized Syslog server.

You will make a small change to your Application Control Engine (ACEs) to enable logging. Simply by adding log to the end of the ACE, any traffic that matches the ACE will be logged.

ASAFirewall1(config)# access-list 103 deny tcp any any eq 1090 ?
configure mode commands/options:
  inactive    Keyword for disabling an ACL element
  log         Keyword for enabling log option on this ACL element
  time-range  Keyword for attaching time-range option to this ACL element
  <cr>
Router1(config)#access-list 103 deny tcp any any eq 1090 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

Cisco IOS devices have a small log configured on them. When you consider that your router may have as little as 64MB of memory, this does not leave very much space to maintain log information for very long. The alternative to using the router’s memory for logging is to have your log information sent to a server on the network.

Syslog is an industry standard format for accepting and storing these log messages. Many Syslog servers are available for different operating systems, including Kiwi Syslog Server for Windows. Kiwi Syslog Server is available as a free version and is often suitable enough for many people. To enable your device to send messages to a Syslog server, use this command on your IOS device (192.168.1.5 is the IP address of my Syslog server):

Router1>enable
Password:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#logging 192.168.1.5

Rather than logging the data, you can view it in real time on the device using the debug command, such as debug ip packet 103 detail, on the device where you expect to see that type of data. The following is debug showing a denied access attempt for a device with the 10.0.2.25 IP address:

Router1>enable
Router1#terminal monitor
Router1#debug ip packet 103 detail
IP packet debugging is on (detailed) for access list 103
Router1#
00:11:55: %SEC-6-IPACCESSLOGP: list 103 denied tcp 10.0.2.25(3541) -> 192.168.8.10(1090), 1 packet
Router1#no debug all
All possible debugging has been turned off

Dummies Recommends

From Around the Web

blog comments powered by Disqus

Get the Book

Cisco Networking All-in-One For Dummies (0470945583) cover image
Cisco Networking All-in-One For Dummies
US $39.99 Add to Cart
Advertisement
Advertisement

Inside Dummies.com

Create a For Dummies Cover

Create a For Dummies Cover
It's free, it's fun, and the possibilities are endless!
Make and share now.

CAREER STRATEGIES

Job searching? Career change? Get help from our reliable tips and sound advice.
Job searching? Career change? Get help from our reliable tips and sound advice.

New — Get Ready for Windows 8

The Windows 8 Center makes learning Microsoft's latest operating system easier!
The Windows 8 Center makes learning Microsoft's latest operating system easier!

Dummies.com Sweepstakes

Win $5,000 and Personal Consultation with Finance Guru Eric Tyson!
Win $5,000 and Personal Consultation with Finance Guru Eric Tyson!