Ch9 Access Control Lists - Theory Flashcards

1
Q

Access Control Lists

A

Series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.

2
Q

Tasks Performed By ACLs (6)

A
  1. Limit network traffic to increase network performance.
  2. Provide traffic flow control (restrict router / system updates).
  3. Provide a basic level of security for network access.
  4. Filter traffic based on traffic type.
  5. Screen hosts to permit or deny access to network services.
  6. Select specific traffic to be analyzed / sorted / classified for other purposes.
3
Q

TCP Protocol Overview (3)

A
  1. Connection Oriented Protocol.
  2. Full-Duplex.
  3. Uses Flow-Control and Congestion-control Mechanisms.
4
Q

FTP Port

A

21 TCP

5
Q

Telnet Port

A

23 TCP

6
Q

SMTP Port

A

25 TCP

7
Q

HTTP Port

A

80 TCP

8
Q

IMAP Port

A

143 TCP

9
Q

Internet Relay Chat (IRC) Port

A

194 TCP

10
Q

Secure HTTP Port

A

443 TCP

11
Q

Trivial File Transfer Protocol (TFTP) Port

A

69 UDP

12
Q

Routing Information Protocol (RIP) Port

A

520 UDP

13
Q

Where does Packet Filtering Occur?

A

Works at Layer 3 (Network) and Layer 4 (Transport) of the OSI Model; Internet Layer of the TCP/IP Model.

14
Q

Access Control Entries

A

aka: ACL Statements; the permit or deny statements that control the behavior of an ACL.

15
Q

3 Items ACL Extracts from Layer 3 Packet Header

A
  1. Source IP
  2. Destination IP
  3. ICMP Message Type
16
Q

2 Items ACL May Extract from Layer 4 Header

A
  1. TCP / UDP Source Port.
  2. TCP / UDP Destination Port.

17
Q

2 Directional Forms of ACLs

A
  1. Inbound ACLs.
  2. Outbound ACLs.

18
Q

Inbound ACL

A

ACL whose entries are processed before the packet is routed to an outbound interface.

19
Q

When is it best to use Inbound ACLs?

A

When the attached network is the only source of packets that need to be examined.

20
Q

Outbound ACL

A

ACL whose entries are processed after the packet has been routed to an outbound interface but before it has left the interface.

21
Q

When is it best to use Outbound ACLs?

A

When the same filter will be applied to multiple packets coming from multiple inbound interfaces but exiting the same outbound interface.

22
Q

Implicit Deny

A

The last statement of an ACL, designed to block all traffic; it is automatically inserted at the end of each ACL even though it has no actual entry in the list.

23
Q

Two Types of Cisco IPv4 ACLs

A
  1. Standard ACL.
  2. Extended ACL.

24
Q

Standard ACL

A

ACL used to permit or deny traffic only from source IPv4 addresses.

25
Q

Extended ACL

A

ACL used to permit or deny traffic based on several packet attributes.

26
Q

Six Attributes That Extended ACLs Can Filter On

A
  1. Protocol Type.
  2. Source IPv4 Address.
  3. Destination IPv4 Address.
  4. Source TCP / UDP Ports.
  5. Destination TCP / UDP Ports.
  6. Optional protocol type information for finer control.
27
Q

Where are ACLs created?

A

Global Configuration Mode.

28
Q

Standard ACL Number Ranges

A

1 to 99, 1300, and 1999

29
Q

Extended ACL Number Ranges

A

100 to 199 and 2000 to 2699

30
Q

Wildcard Mask

A

String of 32 binary digits used by the router to determine which bits of the address to examine for a match.

31
Q

Significance of a 0 in a Wildcard Mask

A

Match the value of the corresponding bit.

32
Q

Significance of a 1 in a Wildcard Mask

A

Ignore the value of the corresponding bit.

33
Q

Another Name for Wildcard Mask

A

Inverse Mask

34
Q

Calculating Wildcard Mask

A

Subtract the specific network’s subnet mask from 255.255.255.255.

35
Q

Host Keyword

A

Substitutes for the 0.0.0.0 WC mask. States that all IPv4 address bits must match exactly.

36
Q

Any Keyword

A

Substitutes for the 255.255.255.255 WC mask; ignores the IPv4 address and accepts any address.

37
Q

ACL Guidelines

A
  1. Use ACLs in firewall routers between your internal and external networks.
  2. Use ACLs on routers between two parts of your network to control traffic entering or exiting a specific part of your internal network.
  3. Configure ACLs on border routers.
  4. Configure ACLs for each network protocol configured on the border router interfaces.
38
Q

Three P’s Rule

A
  1. One ACL Per Protocol on the interface.
  2. One ACL per direction.
  3. One ACL per interface.
39
Q

ACL Best Practices

A
  1. Base your ACLs on the security policy of your organization.
  2. Prepare a description of what you want your ACLs to do.
  3. Use a text editor to create, edit, and save ACLs.
  4. Test your ACLs on a development network before implementing them on a production network.
40
Q

Where should Extended ACLs be placed on the network?

A

Ext. ACLs should be placed as close as possible to the source of the traffic to be filtered.

41
Q

Where should Standard ACLs be placed on the network?

A

Standard ACLs should be placed as close to the destination as possible.

42
Q

How Big Can ACL Remarks Be?

A

100 characters.

43
Q

Where Should Remarks Be Placed in an ACL?

A

Remarks can be placed before or after the ACE they pertain to. The creator must be consistent in placement: either all before or all after.

44
Q

What is the function of the Established keyword in an Extended ACL command?

A

Indicates an established connection; optional; used in TCP only.

45
Q

5 Common ACL Errors

A
  1. Placing ACEs in an order such that a preceding Deny prevents a later Permit from taking effect.
  2. Selecting the wrong protocol / host / network address for an ACE may result in an implicit deny.
  3. Having the protocol / host / network address in the wrong location within an ACE may result in undesired execution of the ACE.
  4. Incorrect IP / host addresses can lead to unwanted execution of the ACE.
  5. Filtering in the wrong direction (outbound vs inbound).
46
Q

IPv6 ACL Types

A

IPv6 uses only named / extended ACLs.

47
Q

Can an IPv4 and IPv6 ACL Share the Same Name?

A

No.