6 - Advanced Network Security Flashcards
What are ACLs or access control lists used for?
identify and control packet flow across a network
What is traffic identified by an ACL referred to as?
interesting traffic
How do standard ACLs identify traffic?
source ip address
How do extended ACLs identify traffic?
source ip address
destination ip address
protocol
port number
What happens to traffic that has not been identified in an ACL?
explicitly denied
ACLs are made up of one or more rules called?
statements
What is the implicit deny rule in an ACL?
packets that do not match any of the statements are dropped
In what order is an ACL evaluated?
Top to bottom
What is used in an ACL to match a host, subnet, or subnets?
wildcard mask
What is the trick for calculating wildcard masks?
Subtracting the subnet mask from 255 for each octet
What do the bits in a wildcard mask determine?
0’s indicate they should be compared
1’s indicate they should be disregarded
Where should you apply a standard ACL?
the router interface closest to the destination
Where should you apply an extended ACL?
the router interface closest to the source
What is the number value range in a standard ACL?
1-99
1300-1999
What is the number value range in an extended ACL?
100-199
2000-2699
What keyword in an ACL is used to match a specific computer's IP address?
host
What protocols are available in an ACL?
gre
icmp
igrp
ip
tcp
udp
What operators are available in an ACL?
eq (equal)
neq (not equal)
lt (less than)
gt (greater than)
range
What is the difference between the access-list command and the ip access-list command?
- ip access-list is used to create named access lists
- ip access-list command will put you in ACL configuration mode (config-std-nacl)
- ip access-list command allows you to use the sequence numbers
- access-list command keeps you in config mode
- access-list command has to have the commands in the correct sequence order
What is the next step after you create an ACL?
apply it to an interface
How do you apply an ACL to an interface?
ip access-group guest-block in
How many ACLs can you have per interface?
one ACL per interface, per protocol, per direction, i.e., two TCP ACLs, one inbound and one outbound, on a single interface
Why are ACLs applied to inbound traffic?
test all incoming packets with the same set of parameters
Why are ACLs applied to outbound traffic?
test incoming packets with more than one parameter
What is a disadvantage of using outbound ACLs?
create unnecessary overhead for the router because it has to process the traffic even though it may be discarded
What does the show access-lists or show ip access-lists commands do?
view the contents of all the ACLs configured on the router
What command is used to verify that an ACL has been applied to the interface?
sh ip interface
What is logging good for on an ACL?
verify that an acl is functioning as intended
How do you use the log keyword in an ACL?
it has to be applied at the end of each statement that is intended to be logged
What is the downside for logging in an ACL?
Increased CPU usage
CEF is disabled and packets are fast switched instead
What is a time-based acl?
uses a time profile to apply an acl
What is a dynamic acl?
offers additional security by forcing a user to authenticate before gaining permission to send packets
What is a reflexive acl?
generate temporary acl statements that permit inbound traffic sent in response to outbound traffic
What is the command to apply an acl to a vty line?
access-class 10 in
What are some additional uses for an acl?
qos
nat
vpn