Friday, 31 January 2014

Access Control Lists

Introduction

Hello everyone. How are you all? This time I'm going to discuss access control lists with you in a hell of a lot of detail. Haha, I mean in depth; it was really tough work for me to prepare all this for you. Let me give a brief idea of what is included in this session. I have covered every single detail about ACLs: what ACLs are, why we need them and in which situations, testing packets with ACLs, how ACLs work, the ACL flow chart and how the flow takes place in an ACL, how to create ACLs and then group them to the corresponding interface, how we assign numbers to ACLs, what purpose wildcard mask bits serve, the significance of the any command and the host command, then standard ACLs, examples of ACLs, placing ACLs, verifying ACLs, writing an ACL to deny a specific host, and many, many more. Hope you will enjoy this.


Network administrators must figure out how to deny unwanted access to the network while allowing appropriate access. Although security tools, such as passwords, callback equipment and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls most administrators prefer. For example, a network administrator might want to allow users access to the Internet, but might not want external users TELNETting into the LAN. 

Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential collection of permit or deny statements that apply to addresses or upper-layer protocols. In this lecture, you will learn about using standard and extended ACLs as a means to control network traffic and how ACLs are used as part of a security solution. 

In addition, this lecture includes tips, considerations, recommendations and general guidelines on how to use ACLs and includes the commands and configurations needed to create ACLs. Finally, this lecture provides examples of standard and extended ACLs and how to apply ACLs to router interfaces. 

What are ACLs?

ACLs are lists of instructions you apply to a router's interface. These lists tell the router what kinds of packets to accept and what kinds of packets to deny. Acceptance and denial can be based on certain specifications, such as source address, destination address and port number. ACLs enable you to manage traffic and scan specific packets by applying the ACL to a router interface. Any traffic going through the interface is tested against certain conditions that are part of the ACL.

ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX), to filter packets as the packets pass through a router. ACLs can be configured at the router to control access to a network or subnet. For example, ACLs could be used to prevent student traffic from entering the administrative network.



ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. ACL conditions could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol or other information.

ACLs must be defined on a per-protocol basis. In other words, you must define an ACL for every protocol enabled on an interface if you want to control traffic flow for that interface. (Note that some protocols refer to ACLs as filters.) For example, if your router interface were configured for IP, AppleTalk and IPX, you would need to define at least three ACLs. ACLs can be used as a tool for network control by adding the flexibility to filter the packets that flow into or out of router interfaces.

Reasons for ACLs

There are many reasons to create ACLs. For example, ACLs can be used to:
  • Limit network traffic and increase network performance. For example, ACLs can designate certain packets to be processed by a router before other traffic, on the basis of a protocol. This is referred to as queuing, which ensures that routers will not process packets that are not needed. As a result, queuing limits the network traffic and reduces network congestion.
  • Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing updates. These restrictions are used to limit information about specific networks from propagating through the network.
  • Provide a basic level of security for network access. For example, ACLs can allow one host to access a part of your network and prevent another host from accessing the same area. Host A is allowed to access the Human Resources network and Host B is prevented from accessing the Human Resources network. If you do not configure ACLs on your router, all packets passing through the router could be allowed onto all parts of the network.
  • Decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all TELNET traffic.

Testing Packets with ACLs

The order in which you place ACL statements is important. When the router is deciding whether to forward or block a packet, the Cisco Internetwork Operating System (IOS) software tests the packet against each condition statement in the order in which the statements were created.

Note: After a match is found, no more condition statements are checked.

If you create a condition statement that permits all traffic, no statements added later will ever be checked. If you need additional statements in a standard or extended ACL you must delete the ACL and re-create it with the new condition statements. This is why it is a good idea to edit a router configuration on a PC using a text editor and then Trivial File Transfer Protocol (TFTP) it to the router.

You can create an ACL for each protocol you want to filter for each router interface. For some protocols, you create one ACL to filter inbound traffic and one ACL to filter outbound traffic.

After an ACL statement checks a packet for a match, the packet can be denied or permitted to use an interface in the access group. Cisco IOS ACLs check the packet and upper-layer headers.

How ACLs Work

An ACL is a group of statements that define how packets:
  • Enter inbound interfaces
  • Relay through the router
  • Exit outbound interfaces of the router


The beginning of the communication process is the same, whether ACLs are used or not. As a packet enters an interface, the router checks to see whether the packet is routable or bridgeable. The router then checks whether the inbound interface has an ACL. If one exists, the packet is tested against the conditions in the list. If the packet is allowed, it is then checked against routing table entries to determine the destination interface.

Next, the router checks whether the destination interface has an ACL. If it does not, the packet can be sent to the destination interface directly; for example, if it will use E0, which has no ACLs, the packet uses E0 directly.

ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If all the ACL statements are unmatched, an implicit "deny any" statement is imposed. This means that even though you will not see the "deny any" as the last line of an ACL, it is there.

Flowchart of ACL process

If a packet matches the first test and that test is a deny, the packet is denied access to the destination: it is discarded, dropped into the bit bucket, and not exposed to any ACL tests that follow. If the packet does not match the conditions of the first test, it drops to the next statement in the ACL.

ACLs allow you to control which clients can gain access to your network. Conditions in an ACL file can:

  • Screen out certain hosts to either allow or deny access to part of your network
  • Set up password authentication so that only users who supply a valid login and password can access part of the network
  • Grant users permission to access part of the network for such things as an individual user's files or folders

Creating ACLs

Now let's focus on creating ACLs. In practice, ACL commands can be lengthy character strings. Key tasks covered in this section for creating ACLs include the following:
  • You create ACLs by using the global configuration mode.
  • Specifying an ACL number from 1 to 99 instructs the router to accept standard ACL statements. Specifying an ACL number from 100 to 199 instructs the router to accept extended ACL statements. (see table below)
  • You must carefully select and logically order the ACL. Permitted IP protocols must be specified; all other protocols should be denied.
  • You should select which IP protocols to check; any other protocols are not checked. Later in the procedure, you can also specify an optional destination port for more precision.

Grouping ACLs to interfaces

Although each protocol has its own set of specific tasks and rules that are required to provide traffic filtering, in general most protocols require two basic steps. The first step is to create an ACL definition and the second step is to apply the ACL to an interface.

ACLs are assigned to one or more interfaces and can filter inbound traffic or outbound traffic, depending on the configuration. Outbound ACLs are generally more efficient than inbound and are therefore preferred. A router with an inbound ACL must check every packet to see whether it matches the ACL condition before switching the packet to an outbound interface.

Assigning a unique number to each ACL

  • When configuring ACLs on a router, you must identify each ACL uniquely by assigning a number to the protocol's ACL. When you use a number to identify an ACL, the number must be within the specific range of numbers that is valid for the protocol.
  • You can specify ACLs by numbers for the protocols listed in the table. The table also lists the range of ACL numbers that is valid for each protocol.

After you create a numbered ACL, you must assign it to an interface for it to be used. If you want to alter an ACL containing numbered ACL statements, you need to delete all the statements in the numbered ACL by using the command no access-list [list-number].

Purpose and Function of Wildcard Mask Bits


A wildcard mask is a 32-bit quantity that is divided into four octets, with each octet containing 8 bits. A wildcard mask bit 0 means "check the corresponding bit value" and a wildcard mask bit 1 means "do not check (ignore) that corresponding bit value".

A wildcard mask is paired with an IP address. The numbers one and zero are used to identify how to treat the corresponding IP address bits. ACLs use wildcard masking to identify a single address or multiple addresses for permit or deny tests. The term wildcard masking is a nickname for the ACL mask-bit matching process and comes from an analogy with a wildcard that matches any other card in a poker game.

Although both are 32-bit quantities, wildcard masks and IP subnet masks operate differently. Recall that the zeros and ones in a subnet mask determine the network, subnet and host portions of the corresponding IP address. The zeros and ones in a wildcard, as just noted, determine whether the corresponding bits in the IP address should be checked or ignored for ACL purposes.

As you have learned, the zero and one bits in an ACL wildcard mask cause the ACL to either check or ignore the corresponding bit in the IP address. In the figure below, this wildcard masking process is applied.

Say you want to test an IP address for subnets that will be permitted or denied. Assume that the IP address is a Class B address (that is, the first two octets are the network number) with 8 bits of subnetting (the third octet is for subnets). You want to use IP wildcard mask bits to permit all packets from any host in the 172.30.16.0 to 172.30.31.0 subnets. The figure below shows an example of how to use the wildcard mask to do this.


To begin, the wildcard mask checks the first two octets (172.30), using corresponding zero bits in the wildcard mask. Because there is no interest in individual host addresses (the subnet addresses end in .0, whereas a host ID does not), the wildcard mask ignores the final octet, using corresponding one bits in the wildcard mask.

In the third octet, the wildcard mask is 15 (00001111) and the IP address is 16 (00010000). The first four zeros in the wildcard mask tell the router to match the first four bits of the IP address (0001). Because the last four bits are ignored, all numbers in the range of 16 (00010000) to 31 (00011111) will match because they begin in the pattern 0001. For the final (least-significant) four bits in this octet, the wildcard mask ignores the value because in these positions, the address value can be binary zero or binary one and the corresponding wildcard bits are ones. In this example, the address 172.30.16.0 with the wildcard mask 0.0.15.255 matches subnets 172.30.16.0 to 172.30.31.0. The wildcard mask does not match any other subnets.
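The bit-level test described above, as an added Python example (not from the original lecture): wildcard_match applies the check/ignore rule to any address, wildcard and candidate, matched_third_octets enumerates which 172.30.x.0 subnets 172.30.16.0 0.0.15.255 covers, and wildcard_for_prefix shows that for a contiguous block the wildcard is the inverse of the subnet mask. The non-contiguous wildcard 0.0.254.255 goes beyond the lecture's example to show a pattern a subnet mask cannot express; all function names are constructed for this example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad text."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """Cisco wildcard test: a 0 bit in the wildcard means 'check this bit',
    a 1 bit means 'ignore it'. The candidate matches when every checked bit
    equals the corresponding bit of the address."""
    a, w, c = ip_to_int(address), ip_to_int(wildcard), ip_to_int(candidate)
    differing = a ^ c                       # 1 wherever address and candidate differ
    return (differing & ~w & ALL_ONES) == 0  # any difference in a checked bit fails


def matched_third_octets(address: str, wildcard: str, first_two: str = "172.30") -> list:
    """Try every <first_two>.x.0 subnet address (x = 0..255) against the
    address/wildcard pair and return the third-octet values that match."""
    return [third for third in range(256)
            if wildcard_match(address, wildcard, f"{first_two}.{third}.0")]


def wildcard_for_prefix(prefix_len: int) -> str:
    """For a contiguous block the wildcard is the bitwise inverse of the
    subnet mask: /20 -> mask 255.255.240.0 -> wildcard 0.0.15.255."""
    mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return int_to_ip(~mask & ALL_ONES)


def third_octet_bits(value: int) -> str:
    """Eight-bit rendering used to show why 16..31 all start with 0001."""
    return format(value, "08b")


if __name__ == "__main__":
    thirds = matched_third_octets("172.30.16.0", "0.0.15.255")
    print(f"172.30.16.0 0.0.15.255 matches 172.30.{thirds[0]}.0 .. 172.30.{thirds[-1]}.0")
    for octet in (15, 16, 31, 32):
        hit = wildcard_match("172.30.16.0", "0.0.15.255", f"172.30.{octet}.0")
        print(f"third octet {octet:3d} = {third_octet_bits(octet)} -> {'match' if hit else 'no match'}")
    print("wildcard for /20:", wildcard_for_prefix(20))
```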

The ANY Command

Working with decimal representations of binary wildcard mask bits can be tedious. For the most common uses of wildcard masking, you can use abbreviations. These abbreviations reduce the amount of typing you need to do when configuring address test conditions. For example, say you want to specify that any source address will be permitted in an ACL test. To indicate any IP address, you would enter 0.0.0.0; then, to indicate that the ACL should ignore (that is, allow without checking) any value, the corresponding wildcard mask bits for this address would be all ones (that is, 255.255.255.255). You can use the abbreviation any to communicate this same test condition to Cisco IOS ACL software. Instead of typing 0.0.0.0 255.255.255.255, you can use the word any by itself as the keyword.

For example, instead of using this:

Satnam(config)# access-list 1 permit 0.0.0.0 255.255.255.255

you can use this:

Satnam(config)# access-list 1 permit any

The HOST Command

A second common condition where Cisco IOS permits an abbreviation in the ACL wildcard mask is when you want to match all the bits of an entire IP host address. For example, say you want to specify that a specific IP host address will be denied in an ACL test. To indicate a host IP address, you would enter the full address (for example, 172.30.16.29); then, to indicate that the ACL should check all the bits in the address, the corresponding wildcard mask bits for this address would be all zeros (that is, 0.0.0.0). You can use the abbreviation host to communicate this same test condition to Cisco IOS ACL software. In the example, instead of typing 172.30.16.29 0.0.0.0, you can use the word host in front of the address.

For example, instead of using this:

Satnam(config)# access-list 1 deny 172.30.16.29 0.0.0.0

you can use this:

Satnam(config)# access-list 1 deny host 172.30.16.29

Standard ACLs

You use standard ACLs when you want to block all traffic from a network, allow all traffic from a specific network, or deny protocol suites. Standard ACLs check the source address of packets that could be routed. The result permits or denies output for an entire protocol suite, based on the network, subnet and host addresses. For example, packets coming in E0 are checked for source address and protocol. If they are permitted, the packets are output through S0, which is grouped to the ACL. If they are not permitted, they are dropped.

Writing a Standard ACL command using Standard Parameters

As you have learned, you use the standard version of the access-list global configuration command to define a standard ACL with a number. This command is used in global configuration command mode.

The full syntax of the command is

Satnam(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]

You use the no form of this command to remove a standard ACL. This is the syntax:

Satnam(config)# no access-list access-list-number

Examples of ACLs

access-list 33 permit 172.16.0.0 0.0.255.255 (permits all traffic from 172.16.0.0)

access-list 44 deny 172.16.13.7 0.0.0.0 (denies traffic from host 172.16.13.7)

access-list 55 deny 172.16.64.0 0.0.0.255 (denies all traffic from network 172.16.64.0; the 0.0.0.255 wildcard assumes a /24 subnet)

Placing ACLs

The second part of establishing an access list is applying the list to a specific interface.

Satnam(config-if)# ip access-group 33 in (applies access-list 33 to the packets inbound to the interface being configured)

Satnam(config-if)# ip access-group 44 out (applies access-list 44 to packets outbound from the interface being configured)

Verify Standard ACLs

You use the show access-lists EXEC command to display the contents of all ACLs. In addition, you use the show access-lists EXEC command followed by the name or number of an ACL to display the contents of one ACL. The following example of a standard ACL allows access for hosts on the three specified networks:

access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
!(Note: all other access implicitly denied)

In the example, the wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the ACL statements will be rejected. To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands have the same effect:

access-list 2 permit 36.48.0.3

access-list 2 permit 36.48.0.3 0.0.0.0

The ip access-group command groups an existing ACL to an interface. Remember that only one ACL per port per protocol per direction is allowed. The format of the command is:

Satnam(config-if)# ip access-group access-list-number {in | out}

Instance of a Standard ACL



In the example below, the ACL allows only traffic from source network 172.16.0.0 to be forwarded; traffic from any other network is blocked.

Also shown in the example, the command ip access-group 1 out groups the ACL to an outgoing interface.

Permitting Traffic from Source Network 172.16.0.0

access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny any - not visible in the list)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
interface ethernet 1
ip access-group 1 out

Writing an ACL to deny a Specific Host

The example below shows how an ACL is designed to block traffic from a specific address, 172.16.4.13, and to allow all other traffic to be forwarded on interface Ethernet 0. The first access-list command uses the deny parameter to deny traffic from the identified host. The address mask 0.0.0.0 in this line requires the test to match all bits.

In the second access-list command, the 0.0.0.0 255.255.255.255 IP address/ wildcard mask combination identifies traffic from any source. This combination can also be written using the keyword any. All zeros in the address indicate a placeholder and all ones in the wildcard mask indicate that all 32 bits will not be checked in the source address. Any packet that does not match the first line of the ACL will match the second one and be forwarded.

Denying a Specific Host

access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny any)
(access-list 1 deny 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 1 out
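First-match evaluation with the implicit deny, the any and host abbreviations and the omitted wildcard, as an added Python example (not code from the lecture): it parses the "Denying a Specific Host" list above and also flags entries that an earlier statement shadows, which is what happens when a deny is appended after permit any. The function names and the SAMPLE_CONFIG text are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    number: int      # ACL number, 1-99 for a standard list
    action: str      # "permit" or "deny"
    address: int     # 32-bit source address the entry compares against
    wildcard: int    # 32-bit wildcard: 0 = check this bit, 1 = ignore it
    text: str        # original configuration line, kept for reporting


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config: str) -> list:
    """Parse 'access-list N {permit|deny} source' lines from a configuration
    snippet. Source may be 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare
    address (an omitted wildcard means 0.0.0.0, i.e. exactly one host)."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        # Skip blanks, '!' comments, the bracketed 'implicit deny' reminders the
        # lecture writes under its examples, and interface commands.
        if not line or line[0] in "!(" or not line.lower().startswith("access-list "):
            continue
        fields = line.split()
        number, action, source = int(fields[1]), fields[2].lower(), fields[3:]
        if not 1 <= number <= 99:
            raise ValueError(f"not a standard ACL number: {number}")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        if source[0].lower() == "any":
            address, wildcard = 0, ALL_ONES              # 0.0.0.0 255.255.255.255
        elif source[0].lower() == "host":
            address, wildcard = _ip(source[1]), 0        # A.B.C.D 0.0.0.0
        else:
            address = _ip(source[0])
            wildcard = _ip(source[1]) if len(source) > 1 else 0
        entries.append(Entry(number, action, address, wildcard, line))
    return entries


def entry_matches(entry: Entry, source: int) -> bool:
    """Wildcard test: no checked bit (wildcard bit 0) may differ."""
    return ((entry.address ^ source) & ~entry.wildcard & ALL_ONES) == 0


def evaluate(entries: list, number: int, source_ip: str) -> str:
    """First match wins, in configured order, within the given list number.
    Falling off the end is the implicit 'deny any' the lecture describes."""
    source = _ip(source_ip)
    for entry in entries:
        if entry.number == number and entry_matches(entry, source):
            return entry.action
    return "deny"


def shadowed_entries(entries: list) -> list:
    """Entries that can never be reached: an earlier entry of the same list
    checks only bits the later entry also checks, with the same values, so
    every address the later entry could match is already claimed."""
    shadowed = []
    for index, later in enumerate(entries):
        for earlier in entries[:index]:
            same_list = earlier.number == later.number
            checks_subset = (~earlier.wildcard & later.wildcard & ALL_ONES) == 0
            same_values = ((earlier.address ^ later.address) & ~earlier.wildcard & ALL_ONES) == 0
            if same_list and checks_subset and same_values:
                shadowed.append(later)
                break
    return shadowed


# Constructed sample: the lecture's 'Denying a Specific Host' list (number 1)
# plus a list whose deny was added after 'permit any' and therefore never fires.
SAMPLE_CONFIG = """
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny any)
access-list 2 permit any
access-list 2 deny host 172.16.4.13
interface ethernet 0
ip access-group 1 out
"""

if __name__ == "__main__":
    parsed = parse_standard_acl(SAMPLE_CONFIG)
    print("172.16.4.13 via list 1:", evaluate(parsed, 1, "172.16.4.13"))
    print("172.16.4.14 via list 1:", evaluate(parsed, 1, "172.16.4.14"))
    for entry in shadowed_entries(parsed):
        print("unreachable:", entry.text)
```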

Writing a Standard ACL to deny a Specific Network

The example shows how an ACL is designed to block traffic from a specific subnet, 172.16.4.0 and to allow all other traffic to be forwarded. Note the wildcard mask, 0.0.0.255: The zeros in the first three octets indicate that those bits will be tested for matches while the last octet of all ones indicates a don't care condition for matching the last octet of the IP address (the host portion). Note also that the any abbreviation has been used for the IP address of the source.

Denying a Specific Subnet

access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny any)
(access-list 1 deny any)
interface ethernet 0
ip access-group 1 out

Extended ACLs

Extended ACLs are used most often to test conditions because they provide a greater range of control than standard ACLs. You would use an extended ACL when you want to allow Web traffic but deny File Transfer Protocol (FTP) or TELNET from non-company networks. Extended ACLs check for both source and destination packet addresses. They also can check for specific protocols, port numbers and other parameters. This gives you more flexibility to describe what checking the ACL will do. Packets can be permitted or denied output based on where the packet originated and based on its destination. For example, the extended ACL can allow e-mail traffic from E0 to specific S0 destinations, while denying remote logins or file transfers.

Let's assume that Interface E0 has been grouped to an extended ACL. This would mean that you used precise, logical statements to create the ACL. Before a packet can proceed to that interface, it is tested by the ACL associated with that interface.

Based on the extended ACL tests, the packet can be permitted or denied. For inbound lists, this means that permitted packets will continue to be processed. For outbound lists, this means that permitted packets will be sent directly to E0. If test results deny permission, the packet will be discarded. The router's ACL provides firewall control to deny use of the E0 interface. When packets are discarded, some protocols return a packet to the sender, stating that the destination was unreachable.

For a single ACL, you can define multiple statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same ACL. You can have as many condition statements as you want, limited only by the available memory. Of course, the more statements you have, the more difficult it will be to comprehend and manage your ACL. Therefore, documenting ACLs prevents confusion.

The standard ACL (numbered 1 to 99) might not provide the traffic-filtering control you need. Standard ACLs filter traffic based on a source address and mask. Standard ACLs also permit or deny the entire TCP/IP protocol suite. You might need a more precise way to control traffic and access.

For more precise traffic-filtering control, you use extended ACLs. Extended ACL statements check for source address and for destination address. In addition, at the end of the extended ACL statement, you gain additional precision from a field that specifies the optional TCP or User Datagram Protocol (UDP) protocol port number. These can be the well-known port numbers for TCP/IP. A few of the most common port numbers are shown in the UDP and TCP Port Numbers table below. You can specify the logical operation the extended ACL will perform on specific protocols. Extended ACLs use a number in the range 100 to 199.

Extended ACL Parameters

The complete form of the access-list command is:

  • Satnam(config)# access-list access-list-number {permit | deny} protocol source source-mask destination destination-mask [operator operand] [established]

Parameter                          Description
access-list-number                 Identifies the list using a number between 100 and 199
permit | deny                      Indicates whether this entry allows or blocks the specified address
protocol                           The protocol, such as IP, TCP, UDP, ICMP, GRE or IGRP
source and destination             Identifies source and destination addresses
source-mask and destination-mask   Wildcard mask: 0s indicate bits that must be checked, 1s indicate bits that do not need to be checked
operator operand                   lt, gt, eq, neq (less than, greater than, equal to, not equal to) and a port number
established                        Allows TCP traffic to pass if the packet has an established connection (e.g. has the ACK bit set)

Parameter (ip access-group)        Description
access-list-number                 Indicates the ACL number to be associated with this interface
in | out                           Selects whether the ACL is to be applied to the incoming or outgoing interface of this port (out is the default)

The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:

  • Satnam(config-if)# ip access-group access-list-number {in | out}

UDP and TCP Port Numbers

Extended ACLs that test destination and source addresses or specific protocols are identified with numbers in the range 100 to 199; the same range applies when upper-layer TCP or UDP port numbers are tested in addition to the other conditions. Some of the reserved UDP and TCP port numbers are shown in the table.

Decimal  Keyword     Description          Protocol
20       FTP (DATA)  FTP (data)           TCP
21       FTP         FTP                  TCP
23       TELNET      Terminal connection  TCP
25       SMTP        Email                TCP
42       NAMESERVER  Host name server     UDP
53       DOMAIN      DNS                  TCP/UDP
69       TFTP        Trivial FTP          UDP
80       HTTP                             TCP

Writing an ACL to Deny FTP on an Ethernet Interface

The figure shows an example of an extended ACL that blocks FTP traffic. 

The ip access-group 101 out command on interface E0 links ACL 101 to outgoing interface E0.

Note that blocking port 21 prevents FTP commands from being transmitted, thus preventing FTP file transfers. Blocking port 20 prevents the traffic itself from being transmitted, but does not block FTP commands. FTP servers can easily be configured to work on different ports.

You should understand that well-known port numbers are just that: well-known. There are no guarantees that services will be on those ports, although they usually are.

Writing an ACL that denies SMTP out of an Ethernet Port but permits all other Traffic

The figure shows an example of an extended ACL that blocks SMTP traffic.

The ip access-group 101 out command on interface E0 links ACL 101 to outgoing interface E0. Note that blocking port 25 prevents SMTP traffic from being transmitted. Mail servers can easily be configured to work on different ports. You should understand that well-known port numbers are just that: well-known. There are no guarantees that services will be on those ports, although they usually are.
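The extended ACL parameters (protocol, destination port operators and established) applied to constructed packets, as an added Python example rather than the lecture's own configuration: DENY_FTP_OUT models the ACL 101 described for the FTP and SMTP examples, and ESTABLISHED_ONLY shows why established is a stateless ACK-flag check. Packet, ExtendedEntry and the address values are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF

# Decimal values from the lecture's port table; the names are the keywords
# IOS accepts in place of the numbers.
PORT_KEYWORDS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                 "domain": 53, "tftp": 69, "www": 80}


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def address_spec(text: str) -> tuple:
    """'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' -> (address, wildcard) ints."""
    parts = text.split()
    if parts[0] == "any":
        return 0, ALL_ONES
    if parts[0] == "host":
        return _ip(parts[1]), 0
    return _ip(parts[0]), _ip(parts[1])


def address_matches(spec: str, ip: str) -> bool:
    address, wildcard = address_spec(spec)
    return ((address ^ _ip(ip)) & ~wildcard & ALL_ONES) == 0


@dataclass(frozen=True)
class Packet:
    protocol: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: int = 0      # 0 for protocols without ports
    ack: bool = False      # TCP ACK flag: the bit 'established' inspects


@dataclass(frozen=True)
class ExtendedEntry:
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip" matches every IP protocol
    source: str                       # address spec text, e.g. "any"
    destination: str
    operator: Optional[str] = None    # eq, neq, lt or gt on the destination port
    port: Optional[int] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not (address_matches(self.source, pkt.src)
                and address_matches(self.destination, pkt.dst)):
            return False
        if self.operator is not None:
            port_ok = {"eq": pkt.dst_port == self.port,
                       "neq": pkt.dst_port != self.port,
                       "lt": pkt.dst_port < self.port,
                       "gt": pkt.dst_port > self.port}[self.operator]
            if not port_ok:
                return False
        # 'established' keeps no connection state: it only asks whether the ACK
        # flag is set (IOS also accepts RST; this model tracks ACK only).
        if self.established and not (pkt.protocol == "tcp" and pkt.ack):
            return False
        return True


def evaluate(entries: list, pkt: Packet) -> str:
    """First match wins; falling off the end is the implicit deny any."""
    for entry in entries:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed ACL 101 in the spirit of the lecture's FTP example: drop the FTP
# control channel leaving E0 and let everything else through.
DENY_FTP_OUT = [
    ExtendedEntry("deny", "tcp", "any", "any", "eq", PORT_KEYWORDS["ftp"]),
    ExtendedEntry("permit", "ip", "any", "any"),
]

# Constructed ACL 102: only return traffic of TCP sessions opened from inside
# 172.16.0.0/16 may enter, using the 'established' keyword from the table.
ESTABLISHED_ONLY = [
    ExtendedEntry("permit", "tcp", "any", "172.16.0.0 0.0.255.255", established=True),
]

if __name__ == "__main__":
    for port in (21, 20, 2121):
        pkt = Packet("tcp", "172.16.1.5", "10.1.1.1", port)
        print(f"ACL 101, tcp to port {port}: {evaluate(DENY_FTP_OUT, pkt)}")
    syn = Packet("tcp", "10.1.1.1", "172.16.1.5", 23)
    reply = Packet("tcp", "10.1.1.1", "172.16.1.5", 1025, ack=True)
    print("ACL 102, inbound SYN:", evaluate(ESTABLISHED_ONLY, syn))
    print("ACL 102, inbound ACK:", evaluate(ESTABLISHED_ONLY, reply))
```

A server listening on 2121 passes ACL 101 untouched, which is the point the lecture makes about well-known ports being only a convention.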

Configuring Named ACLs

Named ACLs allow standard and extended IP ACLs to be identified with an alphanumeric string (name) instead of the current numeric (1 to 199) representation. Named ACLs can be used to delete individual entries from a specific ACL. This enables you to modify your ACLs without deleting and then reconfiguring them. Use named ACLs when:
  • You want to intuitively identify ACLs using an alphanumeric name.
  • You have more than 99 simple and 100 extended ACLs to be configured in a router for a given protocol.

Consider the following before implementing named ACLs:
  • Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
  • You cannot use the same name for multiple ACLs. In addition, ACLs of different types cannot have the same name. For example, it is illegal to specify a standard ACL named George and an extended ACL with the same name.
To name the ACL, use the following command:
  • Satnam(config)# ip access-list {standard | extended} name
In ACL configuration mode, specify one or more conditions permitted or denied. This determines whether the packet is passed or dropped:
  • Satnam(config {std- | ext-}nacl)# deny {source [source-wildcard] | any}
  • Satnam(config {std- | ext-}nacl)# permit {source [source-wildcard] | any}
The configuration shown in the Figure creates a standard ACL named Internetfilter and an extended ACL named marketing_group.

The DENY Command

You use the deny ACL configuration command to set conditions for a named ACL. The full syntax for this command is:
  • deny {source [source-wildcard] | any}
You use the no form of this command to remove a deny condition, using the following syntax:
  • no deny {source [source-wildcard] | any}

The PERMIT Command

You use the permit access-list configuration command to set conditions for a named standard ACL. The full syntax of this command is:
  • permit {source [source-wildcard] | any} [log]
You use the no form of this command to remove a condition from an ACL, using the following syntax:
  • no permit {source [source-wildcard] | any}
You use this command in access list configuration mode, following the ip access-list command, to define the conditions under which a packet passes the ACL.

The following example is for a standard ACL named Internetfilter:

ip access-list standard Internetfilter
deny 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
!(Note: all other access implicitly denied)

In this example, the permit and deny statements have no number, and no removes the specific test from the named ACL:
  • Satnam(config {std- | ext-}nacl)# {permit | deny} {ip ACL test conditions}
  • Satnam(config {std- | ext-}nacl)# no {permit | deny} {ip ACL test conditions}
This example activates the IP named ACL on an interface:
  • Satnam(config-if)# ip access-group {name | 1-199} {in | out}
A configuration output example is shown in the Figure.

Protocols for which ACLs may be created

ACLs can control most protocols on a Cisco router. You enter a number in the protocol number range as the first argument of the global ACL statement. The router identifies which ACL software to use based on this numbered entry. Many ACLs are possible for a protocol. You select a different number from the protocol number range for each new ACL; however, you can specify only one ACL per protocol per interface.

For some protocols, you can group up to two ACLs to an interface: one inbound ACL and one outbound ACL. With other protocols, you group only one ACL, which checks both inbound and outbound packets.

If the ACL is inbound, when the router receives a packet, the Cisco IOS software checks the ACL's condition statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet by placing it in the bit bucket. If the ACL is outbound, after receiving and routing a packet to the outbound interface, the software checks the ACL's condition statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet by sending it to the bit bucket.

Where to place your ACL

As you learned earlier, ACLs are used to control traffic by filtering packets and eliminating unwanted traffic at a destination. Depending on where you place an ACL statement, you can reduce unnecessary traffic. Traffic that will be denied at a remote destination should not use network resources along the route to that destination.


Suppose an enterprise's policy aims to deny TELNET or FTP traffic on Router A to the switched Ethernet LAN on Router D's E1 port. At the same time, other traffic must be permitted. Several approaches can accomplish this policy. The recommended approach uses an extended ACL. It specifies both source and destination addresses. Place this extended ACL in Router A. Then, packets do not cross Router A's Ethernet, do not cross the serial interfaces of Routers B and C and do not enter Router D. Traffic with different source and destination addresses can still be permitted.

The rule is to put extended ACLs as close as possible to the source of the traffic being denied. Standard ACLs do not specify destination addresses, so you have to put a standard ACL as near the destination as possible. For example, you should place either a standard or an extended ACL on E0 of Router D to prevent traffic from Router A.
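To make the placement rule and the sequential permit/deny processing described above concrete, here is an added Python model (not code from the original post) of first-match ACL evaluation with Cisco wildcard masks, run over a constructed A-B-C-D path; the router names, subnets and sample packets are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed topology (assumption, not from the post): Router A's LAN is
# 10.1.0.0/16, Router D's E1 LAN is 10.4.0.0/16, packets flow A -> B -> C -> D.
PATH = ["A", "B", "C", "D"]
ANY = ("0.0.0.0", "255.255.255.255")          # address + wildcard for 'any'

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard bits: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, pkt):
    """Check entries top-down; first match wins; no match hits the implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc, port in acl:
        if (proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], src, src_wc)
                and wildcard_match(pkt["dst"], dst, dst_wc)
                and (port is None or port == pkt["dport"])):
            return action
    return "deny"

def forward(acls, pkt):
    """Walk the path; return (routers crossed, router that discarded it or None)."""
    crossed = []
    for router in PATH:
        acl = acls.get(router)               # no ACL on a router means permit all
        if acl is not None and evaluate(acl, pkt) == "deny":
            return crossed, router
        crossed.append(router)
    return crossed, None

# Extended list (would be a numbered 100-199 list on a real router) placed at
# the source: deny telnet and ftp from A's LAN to D's LAN, permit the rest.
EXTENDED_AT_A = {"A": [
    ("deny", "tcp", "10.1.0.0", "0.0.255.255", "10.4.0.0", "0.0.255.255", 23),
    ("deny", "tcp", "10.1.0.0", "0.0.255.255", "10.4.0.0", "0.0.255.255", 21),
    ("permit", "ip", *ANY, *ANY, None),
]}
# A standard list names only a source, so it must sit at the destination and
# cannot tell telnet from web traffic; denied packets cross A, B and C first.
STANDARD_AT_D = {"D": [
    ("deny", "ip", "10.1.0.0", "0.0.255.255", *ANY, None),
    ("permit", "ip", *ANY, *ANY, None),
]}
TELNET_TO_D = {"proto": "tcp", "src": "10.1.0.7", "dst": "10.4.0.9", "dport": 23}
WEB_TO_D = {"proto": "tcp", "src": "10.1.0.7", "dst": "10.4.0.9", "dport": 80}
```

forward(EXTENDED_AT_A, TELNET_TO_D) returns ([], 'A'), whereas forward(STANDARD_AT_D, TELNET_TO_D) returns (['A', 'B', 'C'], 'D'): the same packet consumed three hops of links before being discarded, and the standard list also drops WEB_TO_D because it cannot see ports.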

Using ACLs in Firewall Routers

ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet. The firewall router provides a point of isolation so that the rest of the internal network structure is not affected. You can also use ACLs on a router positioned between two parts of the network to control traffic entering or exiting a specific part of the internal network.

To provide the security benefits of ACLs, you should at a minimum configure ACLs on border routers, which are routers situated on the boundaries of the network. This provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network. On these border routers, ACLs can be created for each network protocol configured on the router interfaces. You can configure ACLs so that inbound traffic, outbound traffic, or both are filtered on an interface.

Firewall Architecture to Protect your Network

A firewall architecture is a structure that exists between you and the outside world to protect you from intruders. In most circumstances, intruders come from the global Internet and the thousands of remote networks it interconnects. Typically, a network firewall consists of several different machines.

In this architecture, the router that is connected to the Internet (that is, the exterior router) forces all incoming traffic to go to the application gateway. The router that is connected to the internal network (that is, the interior router) accepts packets only from the application gateway. In effect, the gateway controls the delivery of network-based services both into and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host. If the only application that is permitted is mail, then only mail packets should be allowed through the router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

Verifying ACLs

The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs. By entering the ACL name or number as an option for this command, you can see a specific list.

Conclusion

Now that you completed this lecture, you should have a firm understanding of the following:
  1. ACLs perform several functions within a Cisco router, including implementing security/access procedures.
  2. ACLs are used to control and manage traffic.
  3. For some protocols, you can apply up to two ACLs to an interface: one inbound ACL and one outbound ACL.
  4. With ACLs, after a packet is checked for a match with the ACL statement, it can be denied or permitted to use an interface in the access group.
  5. Wildcard mask bits use the number one and the number zero to identify how to treat the corresponding IP address bits.
  6. The two main types of ACLs are standard ACLs and extended ACLs.
  7. ACLs can be configured for all routed network protocols to filter those protocols' packets as the packets pass through a router.
  8. ACLs are typically used in firewall routers, which are often positioned between the internal network and an external network such as the Internet.
Haahh, quite long it was. Anyhow, we are finished now. I hope you have enjoyed this handy information. Will be back with something new. Don't forget to comment if you like this and also share it with others. Thank you all!
