Content Overview

Network administrators must figure out how to deny unwanted access to the network while allowing internal users appropriate access to necessary services. Although security tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls most administrators prefer. For example, a network administrator may want to allow users access to the Internet, but not permit external users telnet access into the LAN.

Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. This module introduces standard and extended ACLs as a means to control network traffic, and shows how ACLs are used as part of a security solution. In addition, this module includes tips, considerations, recommendations, and general guidelines on how to use ACLs, and includes the commands and configurations needed to create ACLs. Finally, the module provides examples of standard and extended ACLs and shows how to apply ACLs to router interfaces.

ACLs can be as simple as a single line intended to permit packets from a specific host, or they can be extremely complex sets of rules and conditions that precisely define traffic and shape the performance of router processes. While many of the advanced uses of ACLs are beyond the scope of this course, this module provides details about standard and extended ACLs, the proper placement of ACLs, and some special applications of ACLs.

Students completing this module should be able to:
- Describe the differences between standard and extended ACLs
- Explain the rules for placement of ACLs
- Create and apply named ACLs
- Describe the function of firewalls
- Use ACLs to restrict virtual terminal access
Content 11.1 Access Control List Fundamentals
11.1.1 What are ACLs

ACLs are lists of conditions that are applied to traffic traveling across a router's interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs enable management of traffic and secure access to and from a network.

ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet. ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL. Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers.

ACLs must be defined on a per-protocol, per-direction, per-interface (port) basis. To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. ACLs control traffic in one direction at a time on an interface, so a separate ACL is needed for each direction, one for inbound and one for outbound traffic. Finally, every interface can have multiple protocols and directions defined. If a router has two interfaces configured for IP, AppleTalk, and IPX, 12 separate ACLs would be needed: one ACL for each of the three protocols, times two directions (in and out), times two interfaces.

The following are some of
the primary reasons to create ACLs:
- Limit network traffic and increase network performance. By restricting video traffic, for example, ACLs could greatly reduce the network load and consequently increase network performance.
- Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
- Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing it.
- Decide which types of traffic are forwarded or blocked at the router interfaces. For example, permit e-mail traffic to be routed, but block all telnet traffic.
- Allow an administrator to control what areas a client can access on a network.
- Screen certain hosts to either allow or deny access to part of a network. Grant or deny users permission to use only certain types of traffic, such as FTP or HTTP.
If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.

Web Links
Access Control List
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213757,00.html
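The following evaluator is added here as an illustration; it is not part of the original module and not Cisco IOS code. It parses a small subset of the numbered access-list syntax (standard and extended lines with any, host, wildcard masks and eq ports; the statements, addresses and packets are all constructed for the example) and applies the decision points listed above, source and destination address, protocol and port, in the way the next section describes: top to bottom, first match wins, and an implicit deny for anything the list does not match. It also reports statements that can never be reached because an earlier, broader statement already covers their traffic, which is the ordering mistake a practitioner checks for before applying a list to an interface.

```python
import ipaddress
from collections import namedtuple

# One access-list statement; src/dst are (network, wildcard) integer pairs and the
# ports are None when the statement carries no "eq" qualifier. All constructed here.
Entry = namedtuple("Entry", "action proto src src_port dst dst_port text")
ANY = (0, 0xFFFFFFFF)   # "any": network 0.0.0.0, wildcard 255.255.255.255

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address plus wildcard mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq <port>' qualifier."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines: standard (1-99) or extended (100-199)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            # standard ACL: tests the source address only, for every protocol
            entries.append(Entry(action, "ip", _addr(rest), None, ANY, None, line))
        else:
            proto = rest.pop(0)
            src, sp = _addr(rest), _port(rest)
            dst, dp = _addr(rest), _port(rest)
            entries.append(Entry(action, proto, src, sp, dst, dp, line))
    return entries

def _match(addr, net_wild):
    """Wildcard-mask match: only the bits that are 0 in the wildcard must agree."""
    net, wild = net_wild
    fixed = 0xFFFFFFFF ^ wild
    return (addr & fixed) == (net & fixed)

def evaluate(entries, proto, src, dst, src_port=None, dst_port=None):
    """Test a packet against the list top to bottom; return (action, matching line)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_match(s, e.src) and _match(d, e.dst)):
            continue
        if e.src_port not in (None, src_port) or e.dst_port not in (None, dst_port):
            continue
        return e.action, e.text   # first match wins; the remaining lines are never checked
    return "deny", None           # the implicit "deny any" at the end of every ACL

def _covers(broad, narrow):
    """True if every address matched by `narrow` is also matched by `broad`."""
    (bnet, bwild), (nnet, nwild) = broad, narrow
    fixed = 0xFFFFFFFF ^ bwild
    return (fixed & nwild) == 0 and (bnet & fixed) == (nnet & fixed)

def shadowed(entries):
    """Lines that can never match because an earlier line already matches all their traffic."""
    out = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.src_port in (None, later.src_port)
                    and earlier.dst_port in (None, later.dst_port)):
                out.append(later.text)
                break
    return out

# Constructed ACL for the scenario in the text, meant for the inbound direction on the
# Internet-facing interface: outside hosts may not open telnet (TCP 23) sessions to
# the 192.168.1.0/24 LAN; any other traffic to the LAN is permitted.
ACL_TEXT = """
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 23
access-list 101 permit ip any 192.168.1.0 0.0.0.255
"""
# The same two lines in the wrong order: the broad permit shadows the deny.
BAD_ORDER = """
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 deny tcp any 192.168.1.0 0.0.0.255 eq 23
"""

def demo():
    acl = parse_acl(ACL_TEXT)
    return {
        "telnet_in": evaluate(acl, "tcp", "203.0.113.7", "192.168.1.10", 40000, 23),
        "http_reply_in": evaluate(acl, "tcp", "198.51.100.5", "192.168.1.10", 80, 40001),
        "other_subnet": evaluate(acl, "tcp", "203.0.113.7", "192.168.2.10", 40000, 80),
        "shadowed_in_bad_order": shadowed(parse_acl(BAD_ORDER)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the file prints the four results. The telnet attempt hits the deny line, the web reply falls through to the permit, and traffic to 192.168.2.0/24 matches nothing and is dropped by the implicit deny even though no line mentions it. The shadow check is the one worth keeping: with the permit ip any line first, the telnet deny below it is dead, and the evaluator reports it instead of letting the list silently pass the traffic.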
Content 11.1 Access Control List Fundamentals
11.1.2 How ACLs work

An ACL is a group of statements that define whether packets are accepted or rejected at inbound and outbound interfaces. These decisions are made by matching a condition statement in an access list and then performing the accept or reject action defined in the statement.

The order in which ACL statements are placed is important. The Cisco IOS software tests the packet against each condition statement in order from the top of the list to the bottom. Once a match is found in the list, the accept or reject action is performed and no other ACL statements are checked. If a condition statement that permits all traffic is located at the top of the list, no statements added below it will ever be checked. If additional condition statements are needed in a numbered access list, the entire ACL must be deleted and recreated with the new condition statements, because statements entered at the command line are appended to the end of the list. To make the process of revising an ACL simpler, it is a good idea to keep the ACL in a text editor such as Notepad and paste the whole list into the router configuration. (Named ACLs, covered later in this module, allow individual statements to be removed, and IOS releases from 12.3 onward can insert a statement at a chosen sequence number; the delete-and-recreate rule applies to numbered ACLs on earlier releases.)

The beginning of the router's process is the same whether ACLs are used or not. As a frame enters an interface, the router checks whether the layer 2 destination address matches its own or is a broadcast address. If the frame is accepted, the frame header is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is tested against the statements in the list; if the packet matches a statement, the accept or reject action of that statement is performed. If the packet is accepted on the inbound interface, it is checked against the routing table entries to determine the destination interface and switched to that interface. Next, the router checks whether the destination interface has an outbound ACL. If one exists, the packet is tested against its statements in the same way. If there is no ACL, or the packet is accepted, the packet is encapsulated in the new layer 2 protocol and forwarded out the interface to the next device.

As a review, ACL statements operate in sequential, logical order. If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked. If none of the ACL statements match, an implicit "deny any" statement at the end of the list takes effect. Even though the "deny any" is not visible as the last line of an ACL, it is there, and it will not allow any packet not matched in the ACL to be accepted. Consequently, an ACL made up only of deny statements blocks all traffic on the interface to which it is applied; a list that is meant to filter rather than block everything must contain at least one permit statement. When first learning how to