Ch9 Access Control Lists - Theory Flashcards
Access Control Lists
Series of IOS commands that control whether a router forwards or drops packets based on information found in the packet header.
Tasks Performed By ACLs (6)
- Limit network traffic to increase network performance.
- Provide traffic flow control (e.g. restrict the delivery of routing updates).
- Provide basic level of security for network access.
- Filter traffic based on traffic type.
- Screen hosts to permit or deny access to network services.
- Select specific traffic to be analyzed / sorted / classified for other purposes.
TCP Protocol Overview (3)
- Connection Oriented Protocol.
- Full-Duplex.
- Uses Flow-Control and Congestion-control Mechanisms.
FTP Port
21 TCP
Telnet Port
23 TCP
SMTP Port
25 TCP
HTTP Port
80 TCP
IMAP Port
143 TCP
Internet Relay Chat (IRC) Port
194 TCP
HTTPS (Secure HTTP) Port
443 TCP
Trivial File Transfer Protocol (TFTP) Port
69 UDP
Routing Information Protocol (RIP) Port
520 UDP
Where does Packet Filtering Occur
Layer 3 (Network) and Layer 4 (Transport) of the OSI model; the Internet and Transport layers of the TCP/IP model.
Access Control Entries
aka ACL statements; the permit or deny statements that control the behavior of an ACL. They are evaluated top-down and the first ACE that matches decides.
3 Items ACL Extracts from Layer 3 Packet Header
- Source IP
- Destination IP
- ICMP Message Type
2 Items ACL May Extract from Layer 4 Header
- TCP / UDP Source Port
- TCP / UDP Destination Port
2 Directional Forms of ACLs
- Inbound ACLs
- Outbound ACLs
Inbound ACL
ACL whose entries are processed as the packet arrives on an interface, before the packet is routed to an outbound interface.
When is it best to use Inbound ACLs
When the network attached to the inbound interface is the only source of packets that needs to be examined.
Outbound ACL
ACL whose entries are processed after the packet has been routed to an outbound interface but before it leaves that interface.
When is it best to use Outbound ACLs
When the same filter will be applied to packets coming from multiple inbound interfaces but exiting the same outbound interface.
Implicit Deny
A deny-all statement that the router applies at the end of every ACL even though it does not appear in the list: any packet that matches no ACE is dropped. Consequence: an ACL must contain at least one permit statement, otherwise it blocks all traffic on the interface it is applied to.
Two Types of Cisco IPv4 ACLs
- Standard ACL
- Extended ACL
Standard ACL
ACL used to permit or deny traffic only from source IPv4 addresses.
Extended ACL
ACL used to permit or deny traffic based on several packet attributes.
Six Attributes That Extended ACLs Can Match On
- Protocol Type
- Source IPv4 Address.
- Destination IPv4 Address.
- Source TCP / UDP Ports.
- Destination TCP / UDP Ports
- Optional protocol type information for finer control.
Where are ACLs created.
Global Configuration Mode.
Standard ACL Number Ranges
1 to 99 and 1300 to 1999
Extended ACL Number Ranges
100 to 199 and 2000 to 2699
Wildcard Mask
String of 32 binary digits used by the router to determine which bits of address to examine for a match.
0’s Wildcard Significance
Match value of the corresponding bit.
1’s Wildcard Significance
Ignore value of corresponding bit.
Another Name for Wildcard Mask
Inverse Mask
Calculating Wildcard Mask
Subtract specific network’s subnet mask from 255.255.255.255.
Host Keyword
Substitutes for a 0.0.0.0 wildcard mask and is written before the address (e.g. host 192.168.10.10); every bit of the IPv4 address must match exactly.
Any Keyword
Substitutes for the address/wildcard pair 0.0.0.0 255.255.255.255; every bit is ignored, so any IPv4 address matches.
ACL Guidelines
- Use ACLs in firewall routers between your internal and external networks.
- Use ACLs on routers between two parts of your network to control traffic entering or exiting a specific part of your internal network.
- Configure ACLs on border routers.
- Configure ACLs for each network protocol configured on the border router interfaces.
Three P’s Rule
- One ACL Per Protocol on the interface.
- One ACL per direction.
- One ACL per interface.
ACL Best Practices
- Base your ACLs on the security policy of your organization.
- Prepare a description of what you want your ACLs to do.
- Use a text editor to create, edit, and save ACLs
- Test your ACLs on a development network before implementing them on a production network.
Where should Extended ACLs be placed on the network?
Extended ACLs should be placed as close as possible to the source of the traffic to be filtered, so unwanted traffic is dropped before it crosses the network; matching on source, destination, protocol and ports is specific enough not to block other traffic.
Where should Standard ACLs be placed on the network?
Standard ACLs should be placed as close to the destination as possible; they match only on source address, so placed near the source they would cut that source off from every destination, not just the intended one.
How BIg Can ACL Remarks Be ?
100 characters.
Where Should Remarks Be Placed in an ACL.
A remark can be placed before or after the ACE it pertains to. Be consistent: either all remarks before their ACEs or all after.
What is the function of Established in Extended ACL Command?
Optional keyword valid only in TCP ACEs. It matches segments with the ACK or RST flag set, i.e. replies belonging to a session initiated from the permitted side, so return traffic is allowed while new inbound connections (a SYN without ACK) are not. It is not a stateful check: any segment carrying ACK matches, whatever its origin.
5 Common ACL Errors
- Placing ACEs in an order such that a preceding Deny prevents a later Permit from taking effect.
- Selecting wrong protocol / host / network address for an ACE may result in an implicit deny
- Having protocol / host / network address in wrong location within an ACE may result in undesired execution of ACE
- Incorrect IP / Host Addresses can lead to unwanted execution of ACE
- Filtering in the wrong direction (outbound vs inbound)
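The wildcard-mask rules, the implicit deny, the established keyword and the ordering error listed above, worked through in one added example. This is Python written for this page, not IOS code: a toy parser and evaluator for the most common access-list forms (standard and extended, any/host/wildcard addresses, eq ports, established). The ACLs and packets below are constructed inputs, and the evaluator simplifies IOS (no named ACLs, no port operators other than eq, no ICMP message types).

```python
"""Toy evaluator for Cisco-style IPv4 access-list statements (added example).

First matching ACE wins; no match falls through to the implicit deny.
Wildcard bit 0 = the address bit must match, 1 = ignore it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_from_mask(subnet_mask: str) -> str:
    """Inverse mask: 255.255.255.255 minus the subnet mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF - mask))


def matches(addr: str, ref: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 is equal in addr and ref."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ r) & (~w & 0xFFFFFFFF)) == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # "tcp", "udp", "icmp"; "ip" means any
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK or RST flag set


@dataclass
class ACE:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def _addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D [W.W.W.W]' at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1          # IOS: missing wildcard = single host


def _port(t, i):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> ACE:
    t = line.split()
    assert t[0] == "access-list", line
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source only
        src, wc, _ = _addr(t, 3)
        return ACE(action, "ip", src, wc, "0.0.0.0", "255.255.255.255")
    proto = t[3]                                      # extended
    src, src_wc, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, dst_wc, i = _addr(t, i)
    dport, i = _port(t, i)
    return ACE(action, proto, src, src_wc, dst, dst_wc, sport, dport,
               "established" in t[i:])


def evaluate(acl, pkt: Packet) -> str:
    """Top-down, first match decides; falling off the end is the implicit deny."""
    for ace in acl:
        hit = (ace.proto in ("ip", pkt.proto)
               and matches(pkt.src, ace.src, ace.src_wc)
               and matches(pkt.dst, ace.dst, ace.dst_wc)
               and ace.sport in (None, pkt.sport)
               and ace.dport in (None, pkt.dport)
               and (pkt.ack or not ace.established))
        if hit:
            return ace.action
    return "deny"


# Constructed ACLs. MISORDERED shows the ordering error: the deny on the
# /24 precedes the permit for one host in it, so that host never matches.
MISORDERED = [parse_ace(s) for s in (
    "access-list 10 deny 192.168.10.0 0.0.0.255",
    "access-list 10 permit host 192.168.10.10")]
CORRECTED = [parse_ace(s) for s in (
    "access-list 10 permit host 192.168.10.10",
    "access-list 10 deny 192.168.10.0 0.0.0.255",
    "access-list 10 permit any")]
# Inbound on the outside interface: replies to sessions started inside and
# DNS answers get in; a new inbound TCP connection hits the implicit deny.
INBOUND = [parse_ace(s) for s in (
    "access-list 110 permit tcp any 192.168.10.0 0.0.0.255 established",
    "access-list 110 permit udp any eq 53 192.168.10.0 0.0.0.255")]

if __name__ == "__main__":
    host = Packet("192.168.10.10", "10.0.0.1")
    print(wildcard_from_mask("255.255.255.0"))                    # 0.0.0.255
    print(evaluate(MISORDERED, host), evaluate(CORRECTED, host))  # deny permit
    reply = Packet("203.0.113.5", "192.168.10.10", "tcp", 443, 51000, ack=True)
    syn = Packet("203.0.113.5", "192.168.10.10", "tcp", 51000, 22)
    print(evaluate(INBOUND, reply), evaluate(INBOUND, syn))       # permit deny
```

Two things worth trying with it: a non-contiguous wildcard such as 192.168.0.0 0.0.254.255, which matches only even third octets and cannot be written as a subnet mask, and an ACL containing only deny ACEs, which drops everything because of the implicit deny.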
IPv6 ACL Types
IPv6 ACLs are always named and always extended; there are no numbered or standard IPv6 ACLs. Their implicit end also differs: two implicit permits for Neighbor Discovery (nd-na and nd-ns) precede the implicit deny, so an explicit deny-everything ACE appended to an IPv6 ACL breaks ND.
Can an IPv4 and IPv6 ACL Share the Same Name?
No.