Upon completing this lesson, you will be able to:
Use Cisco IOS commands to configure IP standard and extended access lists, given a functioning router.
Use show commands to identify anomalies in IP standard and extended access lists, given an operational router.
Upon completing this module, you will be able to:
Use Cisco IOS commands to configure standard and extended IP access lists, and NAT/PAT, given a functioning router.
Use show commands to identify anomalies in standard and extended IP access lists, given an operational router.
The last few chapters introduced you to routing protocols and their basic configuration. By default, once you set up routing, your router will allow any packet to flow from one interface to another. You may want to implement policies to restrict the flow of traffic, for either security or traffic policy reasons. Cisco allows you to affect the flow of traffic from one interface to another by using access control lists (ACLs). ACLs, pronounced “ackles”, are a very powerful feature of the IOS.
Chapter 4 objectives: describe numbered and named, standard and extended IP ACLs; configure IP ACLs with the IOS CLI and CCP; describe TCP established ACL functionality; describe and configure reflexive ACLs; describe and configure dynamic ACLs; ...
After completing this chapter, students will be able to understand the following: standard IPv4 ACLs allow you to filter based on source IP address; extended ACLs allow you to filter based on source IP address, destination IP address, protocol, and port number; named ACLs allow you to delete individual statements from an ACL; and you can use the show access-lists and show ip interface commands to troubleshoot common ACL configuration errors.
IPS/HIPS provide an increased level of protection not available from a static access list or stateful firewall inspection. IPS and HIPS offer security by sensing abnormalities in traffic, in protocol behavior, and in packet behaviors that are known to have malicious objectives. Here are some recommendations for installing and hardening your IPS sensors:
Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs.
Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces.
The IP addressing job aids are intended for your use when working with IP addresses. The information in Supplement 1, “Addressing Review,” and Supplement 2, “IP Access Lists,” should be a review of the fundamentals of IP addressing and of the concepts and configuration of access lists, respectively. The other supplements contain examples and additional material on the OSPF, EIGRP, and BGP routing protocols, and on route
This module introduces Access Control Lists (ACLs). ACLs can be used for IP packet filtering or to identify traffic so that it can be assigned special handling. ACLs are processed top-down and can be applied to incoming or outgoing traffic. You can create an ACL as a named or a numbered ACL. Named and numbered ACLs can each be configured as standard or extended ACLs, which determines what they can filter.
Switch management includes the ability to communicate with all switches through a routed environment. This requires that all switches be properly configured with the necessary TCP/IP settings. Some networks want no VLAN 1 access from non-VLAN 1 hosts, while other networks require management access to VLAN 1 from any other VLAN and use access lists to control who may have access to VLAN 1 from other VLANs.
International Travel Agency (ITA) maintains a secure network (10.0.0.0/8) behind SanJose1, which acts as a firewall. You have been transferred to a remote site in the company (192.168.3.0/24) that is not permitted through SanJose1’s firewall. The company allows you to modify SanJose1’s access list so that you, and you alone, can access the secured resources. Because you work at various stations at the remote site, you decide to configure lock-and-key so that you can get access from any IP address....
Cisco Certified Network Associate (CCNA®) validates the ability to install, configure, operate, and troubleshoot medium-size routed and switched networks, including implementation and verification of connections to remote sites in a WAN. The CCNA curriculum includes basic mitigation of security threats, an introduction to wireless networking concepts and terminology, and performance-based skills.
Taking the network scenario of Figure 1, there will be web interfaces (routers and servers), BACnet/IP controllers (connected to interesting devices that are network accessible), and operator workstations that may have a vulnerable OS as well as configuration files and other interesting data and resources.
The following table is adapted from a Drexel report on network security [Eisenstein et al., 2003a] and lists known IT threats to a BACnet network connected to the public Internet.