Lecture CCNA Exploration 4.0 (Semester 4) - Chapter 5: ACLs

Shared by: You Can | Date: | File type: PDF | Pages: 86


In this chapter, you will learn to: Explain how ACLs are used to secure a medium-size enterprise branch office network, including the concept of packet filtering, the purpose of ACLs, how ACLs are used to control access, and the types of Cisco ACLs. Configure standard ACLs in a medium-size enterprise branch office network, including defining filtering criteria, configuring standard ACLs to filter traffic, and applying standard ACLs to router interfaces,...


Text content: Lecture CCNA Exploration 4.0 (Semester 4) - Chapter 5: ACLs

  1. Chapter 5 - ACLs, CCNA Exploration 4.0
  2. Introduction (Bach Khoa Network Academy - Website: 2)
  3. Using ACLs to Secure Networks
  4. A TCP Conversation
     • ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses.
     • ACLs can also be configured to control network traffic based on the TCP port being used.
  5. A TCP Conversation (diagram)
  6. Packet Filtering
     • Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria.
     • Packet filtering works at the network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
  7. Packet Filtering
     • The ACL is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols.
     • The ACL can extract the following information from the packet header, test it against its rules, and make "allow" or "deny" decisions based on:
       1. Source IP address
       2. Destination IP address
       3. ICMP message type
     • The ACL can also extract upper-layer information and test it against its rules. Upper-layer information includes:
       1. TCP/UDP source port
       2. TCP/UDP destination port
  8. Packet Filtering Example (diagram)
  9. What is an ACL?
     • An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header.
     • ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
  10. What is an ACL? The Three Ps: you can configure one ACL per protocol, per direction, per interface.
     • Here are some guidelines for using ACLs:
       1. Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
       2. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
       3. Configure ACLs on border routers, that is, routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
       4. Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
  11. What is an ACL?
     • ACLs perform the following tasks:
       1. Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
       2. Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
       3. Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
       4. Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic but block all Telnet traffic.
       5. Control which areas a client can access on a network.
       6. Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to services such as FTP or HTTP.
  12. ACL Operation
     • ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router.
     • ACLs do not act on packets that originate from the router itself.
     • Inbound ACLs - Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
  13. ACL Operation
     • Outbound ACLs - Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
  14. ACL Operation
     • ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.
       – If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement.
       – If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached.
     • A final implied statement covers all packets for which conditions did not test true. Instead of proceeding into or out of an interface, the router drops all of these remaining packets.
     • This final statement is often referred to as the "implicit deny any" statement or the "deny all traffic" statement.
     • Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.
  15. ACL Operation
     • There is a key caveat associated with this "deny all" behavior:
       – For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates.
       – If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.
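The matching process described in slides 14 and 15 (top-down evaluation, first match wins, implicit "deny any" at the end) as an added Python simulation of a Cisco standard ACL; this is example code written for this page, not part of the lecture or of Cisco IOS. It models only the standard ACL statement forms shown (host, any, network plus wildcard mask) with constructed sample statements, and the wildcard-mask semantics (0 bit must match, 1 bit is ignored) are assumed from the IOS syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str     # "permit" or "deny"
    network: int    # address to compare against, as a 32-bit int
    wildcard: int   # Cisco wildcard mask: 0 bits must match, 1 bits are ignored


def parse_standard_acl(lines):
    """Parse a constructed subset of Cisco standard ACL syntax:
       access-list <n> permit|deny host A.B.C.D
       access-list <n> permit|deny any
       access-list <n> permit|deny A.B.C.D W.W.W.W   (network + wildcard)"""
    rules = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an ACL statement; skip it
        action = parts[2]
        if parts[3] == "any":
            net, wc = 0, 0xFFFFFFFF            # every bit ignored
        elif parts[3] == "host":
            net, wc = int(ipaddress.IPv4Address(parts[4])), 0   # exact match
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            wc = int(ipaddress.IPv4Address(parts[4]))
        rules.append(Rule(action, net, wc))
    return rules


def evaluate(rules, src_ip):
    """Evaluate a source address top-down; first matching statement wins.
    Returns (decision, statement_index); index -1 means the implicit deny."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for i, r in enumerate(rules):
        keep = ~r.wildcard & 0xFFFFFFFF       # bits that must match exactly
        if (addr & keep) == (r.network & keep):
            return r.action, i
    return "deny", -1   # the implied "deny any" that ends every ACL


# Constructed sample ACL: block one host, permit the rest of its /24.
ACL_10 = [
    "access-list 10 deny   host 192.168.10.10",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    for ip in ("192.168.10.10", "192.168.10.25", "10.1.1.1"):
        print(ip, evaluate(parse_standard_acl(ACL_10), ip))
```

Reversing the two statements in ACL_10 permits the host on the first line, which is why statement order matters; an ACL containing only deny statements drops everything via the implicit deny.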
  16. Types of Cisco ACLs
     • The two main tasks involved in using ACLs are as follows:
       – Step 1. Create an access list by specifying an access list number or name and access conditions.
       – Step 2. Apply the ACL to interfaces or terminal lines.
  17. How a Standard ACL works (diagram)
  18. Numbering and Naming ACLs
     • Using numbered ACLs is an effective method for determining the ACL type on smaller networks with more homogeneously defined traffic.
       – A number does not inform you of the purpose of the ACL.
       – Starting with Cisco IOS Release 11.2, you can use a name to identify a Cisco ACL.
  19. Where to place ACLs (diagram)
  20. Where to place ACLs
     • The basic rules are:
       – Locate extended ACLs as close as possible to the source of the traffic being denied. This way, undesirable traffic is filtered without crossing the network infrastructure.
       – Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.


