The ACL can extract the following information from the packet header, test it against its rules, and make “allow” or “deny” decisions based on:
• Source IP address
• Destination IP address
• ICMP message type
The ACL can also extract upper layer information and test it against its rules. Upper layer information includes:
• TCP/UDP source port
• TCP/UDP destination port
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
Here are some guidelines for using ACLs:
• Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
• Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
• Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
• Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
ACLs perform the following tasks:
• Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
• Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
• Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
• Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
• Control which areas a client can access on a network.
• Screen hosts to permit or deny access to network services. ACLs can permit or deny a user to access file types, such as FTP or HTTP.
How ACLs Work
ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
• Inbound ACLs: Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
• Outbound ACLs: Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
There are two types of Cisco ACLs, standard and extended.
Standard ACLs
Standard ACLs allow you to permit or deny traffic from source IP addresses. The destination of the packet and the ports involved do not matter.
Extended ACLs
Extended ACLs filter IP packets based on several attributes, for example, protocol type, source and destination IP addresses, source TCP or UDP ports, destination TCP or UDP ports, and optional protocol type information for finer granularity of control.
Wildcard Masking
ACL statements include masks, also called wildcard masks. A wildcard mask is a string of binary digits telling the router which parts of the address to look at. Although wildcard masks have no functional relationship with subnet masks, they do provide a similar function.
• Wildcard mask bit 0 – Match the corresponding bit value in the address
• Wildcard mask bit 1 – Ignore the corresponding bit value in the address
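As an added example (not code from the original page), a small Python model of wildcard-mask matching and top-down ACL evaluation, covering both a standard list (source only) and an extended list (protocol, destination and port). The ACE and Packet classes, the "ip" protocol keyword and all sample addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard bit 0: the address bit must match; bit 1: ignore that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)  # bits set in the wildcard drop out of the comparison

@dataclass
class ACE:                              # one access control entry (constructed model)
    action: str                         # "permit" or "deny"
    src: str                            # source network address
    src_wc: str                         # source wildcard mask ("0.0.0.0" = one host)
    proto: Optional[str] = None         # None = standard ACL entry (source only)
    dst: Optional[str] = None
    dst_wc: Optional[str] = None
    dst_port: Optional[int] = None

@dataclass
class Packet:                           # the header fields the ACL looks at
    src: str
    dst: str
    proto: str                          # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if ace.proto is None:               # standard ACL: only the source is tested
        return True
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dst and not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port

def evaluate(acl: List[ACE], pkt: Packet) -> str:
    """Entries are tested top-down, first match wins; the implicit 'deny any' at
    the end catches everything no entry matched."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed sample lists; "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
STANDARD_ACL = [ACE("deny", "192.168.10.0", "0.0.0.255"),
                ACE("permit", "0.0.0.0", "255.255.255.255")]
EXTENDED_ACL = [ACE("permit", "10.0.0.0", "0.0.0.255", "tcp", "172.16.1.10", "0.0.0.0", 80)]
```

Note that the extended list has no explicit final permit, so anything other than TCP/80 from 10.0.0.0/24 to 172.16.1.10 falls through to the implicit deny.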
What are Dynamic ACLs?
Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.
Some common reasons to use dynamic ACLs are as follows:
• When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
• When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through an AAA server (such as TACACS+) or other security server before it allows their hosts to access the remote hosts.
Benefits of Dynamic ACLs
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
• Use of a challenge mechanism to authenticate individual users.
• Simplified management in large internetworks.
• In many cases, reduction of the amount of router processing that is required for ACLs.
• Reduction of the opportunity for network break-ins by network hackers.
• Creation of dynamic user access through a firewall, without compromising other configured security restrictions.
What are Reflexive ACLs?
Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.
Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.
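As an added example (not code from the original page), a Python model of the stateful behaviour described above: each outbound session creates a temporary inbound entry keyed on the reversed 5-tuple, reply traffic must match that entry exactly, and the entry disappears on timeout or session teardown. The class, its method names and the sample addresses are constructed assumptions, not the IOS implementation.

```python
from typing import Dict, Tuple

# Constructed model of a reflexive ACL. A permitted outbound session is
# mirrored into a temporary inbound entry (addresses and ports swapped); the
# entry expires after an idle timeout or when the TCP session is torn down,
# and any inbound packet without a mirrored entry hits the implicit deny.

FiveTuple = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)

class ReflexiveACL:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout                      # idle timeout in seconds
        self._entries: Dict[FiveTuple, float] = {}  # mirrored tuple -> expiry time

    def outbound(self, proto: str, src: str, dst: str, sport: int, dport: int,
                 now: float) -> None:
        """Outbound packet seen: create or refresh the mirrored temporary entry."""
        mirrored = (proto, dst, src, dport, sport)  # reply direction
        self._entries[mirrored] = now + self.timeout

    def inbound(self, proto: str, src: str, dst: str, sport: int, dport: int,
                now: float) -> str:
        """An inbound packet is permitted only if it matches a live mirrored entry."""
        key = (proto, src, dst, sport, dport)
        expiry = self._entries.get(key)
        if expiry is None:
            return "deny"                           # no matching outbound session
        if now > expiry:
            del self._entries[key]                  # temporary entry timed out
            return "deny"
        self._entries[key] = now + self.timeout     # reply traffic keeps it alive
        return "permit"

    def session_end(self, proto: str, src: str, dst: str, sport: int, dport: int) -> None:
        """TCP FIN/RST seen on the outbound-direction tuple: drop the entry at once."""
        self._entries.pop((proto, dst, src, dport, sport), None)

    def live_entries(self, now: float) -> int:
        return sum(1 for exp in self._entries.values() if exp >= now)
```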
Benefits of Reflexive ACLs
Reflexive ACLs have the following benefits:
• Help secure your network against network hackers and can be included in a firewall defense.
• Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
• Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
What are Time-based ACLs?
Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week. You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.
Time-based ACLs have many benefits, such as:
• Offers the network administrator more control over permitting or denying access to resources.
• Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.
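As an added example (not code from the original page), a Python model of a named periodic time range referenced by an ACL entry, including the logging use from the last item: an entry whose time range is inactive is skipped, so the next entry (or the implicit deny) decides, and only the off-hours deny entry logs. The class names, the WORKHOURS range and the sample policy are constructed assumptions.

```python
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Constructed model of a periodic time range and an ACL entry that refers to
# it by name. An entry whose range is not active at evaluation time is
# skipped entirely, exactly as if it were absent from the list.

class TimeRange:
    def __init__(self, name: str, weekdays: Set[int], start: time, end: time):
        self.name = name
        self.weekdays = weekdays        # datetime.weekday() values: Monday=0 .. Sunday=6
        self.start, self.end = start, end

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end

class TimedACE:
    def __init__(self, action: str, proto: str, dst_port: Optional[int],
                 time_range: Optional[TimeRange] = None, log: bool = False):
        self.action, self.proto, self.dst_port = action, proto, dst_port
        self.time_range, self.log = time_range, log

def evaluate_at(acl: List[TimedACE], proto: str, dst_port: int,
                at: datetime) -> Tuple[str, bool]:
    """Return (action, logged): first active matching entry wins, implicit deny otherwise."""
    for ace in acl:
        if ace.time_range is not None and not ace.time_range.active(at):
            continue                    # entry is inactive at this time of day/week
        if ace.proto == proto and (ace.dst_port is None or ace.dst_port == dst_port):
            return ace.action, ace.log
    return "deny", False

# Constructed policy: web traffic only during weekday working hours; the
# off-hours denial is logged, so the log is not flooded during peak hours.
WORKHOURS = TimeRange("WORKHOURS", {0, 1, 2, 3, 4}, time(9, 0), time(17, 0))
WEB_POLICY = [
    TimedACE("permit", "tcp", 80, time_range=WORKHOURS),
    TimedACE("deny", "tcp", 80, log=True),
    TimedACE("permit", "tcp", None),
]
```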