1 / 76

Access Control List (ACL)

Access Control List (ACL). W.lilakiatsakun. Transport Layer Review (1). TCP (Transmission Control Protocol) HTTP (Web) SMTP (Mail) UDP (User Datagram Protocol) DNS (Domain Name Service) SNMP (Simple Management Protocol). Transport Layer Review (2). Transport Layer Review (3).

gisela-trevino
Télécharger la présentation

Access Control List (ACL)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control List (ACL) W.lilakiatsakun

  2. Transport Layer Review (1) • TCP (Transmission Control Protocol) • HTTP (Web) • SMTP (Mail) • UDP (User Datagram Protocol) • DNS (Domain Name Service) • SNMP (Simple Management Protocol)

  3. Transport Layer Review (2)

  4. Transport Layer Review (3) TCP Port

  5. Transport Layer Review (4) UDP Port

  6. Transport Layer Review (5) TCP/UDP Common Port

  7. Packet Filtering (1) • To controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria. • A router acts as a packet filter when it forwards or denies packets according to filtering rules.

  8. Packet Filtering (2)

  9. Packet Filtering (3)

  10. Packet Filtering (4) • A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. • These rules are defined using access control lists or ACLs.

  11. Packet Filtering (5) • - Only permit web access to users from network A. • Deny web access to users from network B, • Permit them Network B to have all other access."

  12. ACL (Access Control List) (1) • An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. • ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.

  13. ACL (Access Control List) (2)

  14. ACL (Access Control List) (3)

  15. ACL guideline (1) • Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. • Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.

  16. ACL guideline (2) • Configure ACLs on border routers-routers situated at the edges of your networks. • This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. • Configure ACLs for each network protocol configured on the border router interfaces. • You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.

  17. ACL Operation (1) • Inbound ACLs • Incoming packets are processed before they are routed to the outbound interface. • An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. • Outbound ACLs • Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.

  18. ACL Operation (2) Inbound ACLs

  19. ACL Operation (3) Outbound ACLs

  20. ACL Operation (4)

  21. Type of CISCO ACL

  22. Standard ACL (1) The two main tasks involved in using ACLs are as follows: Step 1. Create an access list by specifying an access list number or name and access conditions. Step 2. Apply the ACL to interfaces or terminal lines.

  23. Numbering and Naming ACL

  24. Where to Place ACL (1) • Locate extended ACLs as close as possible to the source of the traffic denied. • This way, undesirable traffic is filtered without crossing the network infrastructure. • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible.

  25. Where to Place ACL (2) Standard ACL

  26. Where to Place ACL (3) Extended ACL

  27. ACL Best Practice (1)

  28. ACL Criteria (1)

  29. Configuring Standard ACL (1) Access Control Condition Permit IP from network 192.168.10.0/24 except 192.168.10.1 Permit IP from network 192.0.0.0/8 except 192.168.0.0/16 • access-list 2 deny 192.168.10.1 • access-list 2 permit 192.168.10.0 0.0.0.255 • access-list 2 deny 192.168.0.0 0.0.255.255 • access-list 2 permit 192.0.0.0 0.255.255.255

  30. Configuring Standard ACL (2)

  31. Configuring Standard ACL (3)

  32. Configuring Standard ACL (4) Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log] Removing ACL

  33. Configuring Standard ACL (5) Documenting ACL

  34. ACL Wildcard Masking (1) • Wildcard masks use the following rules to match binary 1s and 0s: • Wildcard mask bit 0 - Match the corresponding bit value in the address • Wildcard mask bit 1 - Ignore the corresponding bit value in the address

  35. ACL Wildcard Masking (2)

  36. ACL Wildcard Masking (3)

  37. ACL Wildcard Masking (4)

  38. ACL Wildcard Masking (5)

  39. ACL Wildcard Masking (6)

  40. Apply Standard ACL (1)

  41. Apply Standard ACL (2)

  42. Apply Standard ACL (3)

  43. Apply Standard ACL (4)

  44. Apply Standard ACL (5)

  45. Commenting ACL

  46. Named ACL (1)

  47. Named ACL (2)

  48. Verifying ACL

  49. Extended ACL (1) Extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services). This gives a greater range of criteria on which to base the ACL.

  50. Extended ACL (2)

More Related