Access Control List (ACL) W.lilakiatsakun
Transport Layer Review (1) • TCP (Transmission Control Protocol): HTTP (Web), SMTP (Mail) • UDP (User Datagram Protocol): DNS (Domain Name Service), SNMP (Simple Network Management Protocol)
Transport Layer Review (3) TCP Port
Transport Layer Review (4) UDP Port
Transport Layer Review (5) TCP/UDP Common Port
Packet Filtering (1) • Controls access to a network by analyzing incoming and outgoing packets and passing or halting them based on stated criteria. • A router acts as a packet filter when it forwards or denies packets according to filtering rules.
Packet Filtering (4) • A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. • These rules are defined using access control lists or ACLs.
Packet Filtering (5) • Permit only web access to users from network A. • Deny web access to users from network B. • Permit network B all other access.
ACL (Access Control List) (1) • An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. • ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
ACL guideline (1) • Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. • Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
ACL guideline (2) • Configure ACLs on border routers, that is, routers situated at the edges of your networks. • This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. • Configure ACLs for each network protocol configured on the border router interfaces. • You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
ACL Operation (1) • Inbound ACLs • Incoming packets are processed before they are routed to the outbound interface. • An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. • Outbound ACLs • Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
ACL Operation (2) Inbound ACLs
ACL Operation (3) Outbound ACLs
Standard ACL (1) The two main tasks involved in using ACLs are as follows: Step 1. Create an access list by specifying an access list number or name and access conditions. Step 2. Apply the ACL to interfaces or terminal lines.
Where to Place ACL (1) • Locate extended ACLs as close as possible to the source of the traffic denied. • This way, undesirable traffic is filtered without crossing the network infrastructure. • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.
Where to Place ACL (2) Standard ACL
Where to Place ACL (3) Extended ACL
Configuring Standard ACL (1) Access Control Condition: Permit IP from network 192.168.10.0/24 except 192.168.10.1; Permit IP from network 192.0.0.0/8 except 192.168.0.0/16 • access-list 2 deny 192.168.10.1 • access-list 2 permit 192.168.10.0 0.0.0.255 • access-list 2 deny 192.168.0.0 0.0.255.255 • access-list 2 permit 192.0.0.0 0.255.255.255
Configuring Standard ACL (4) Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log] • Removing ACL
Configuring Standard ACL (5) Documenting ACL
ACL Wildcard Masking (1) • Wildcard masks use the following rules to match binary 1s and 0s: • Wildcard mask bit 0 - Match the corresponding bit value in the address • Wildcard mask bit 1 - Ignore the corresponding bit value in the address
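As an added worked example (not part of the slides), the following Python models the wildcard-mask rule above and walks the slide's own access-list 2 (Configuring Standard ACL (1)) through top-down, first-match evaluation, including the effect of swapping the first two entries. The trailing implicit deny is standard Cisco IOS behaviour that the slides do not state; the function names are my own.

```python
import ipaddress

# Standard ACL 2 from the slide, as (action, address, wildcard) entries.
# Constructed from the page's own access-list lines; order is significant.
ACL_2 = [
    ("deny",   "192.168.10.1", "0.0.0.0"),
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("deny",   "192.168.0.0",  "0.0.255.255"),
    ("permit", "192.0.0.0",    "0.255.255.255"),
]


def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = ignore: compare only the bits
    where the wildcard is 0, i.e. AND both sides with the inverted wildcard."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask equivalent of a /prefix_len subnet mask (its inverse)."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(mask) ^ 0xFFFFFFFF))


def evaluate(acl, src_addr: str):
    """Return (action, index of the matching entry). Entries are tested
    top-down and the first match wins; if nothing matches, the implicit
    deny at the end of every IOS ACL applies (index None)."""
    for idx, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src_addr, base, wildcard):
            return action, idx
    return "deny", None


if __name__ == "__main__":
    for src in ["192.168.10.1", "192.168.10.77", "192.168.50.9",
                "192.2.3.4", "10.1.1.1"]:
        print(src, "->", evaluate(ACL_2, src))
    # Swapping the host deny below the /24 permit silently permits the host.
    swapped = [ACL_2[1], ACL_2[0]] + ACL_2[2:]
    print("swapped order, 192.168.10.1 ->", evaluate(swapped, "192.168.10.1"))
```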
Extended ACL (1) Extended ACLs check not only the source address of a packet but also its destination address, protocol, and port numbers (or services). This gives a greater range of criteria on which to base the ACL.