IP Access Control List Security
Network security is a crucial element of any network strategy, and Cisco routers can be part of it. The most important tool in Cisco IOS software for that purpose is the Access Control List (ACL). ACLs define rules that prevent some packets from flowing through the network, and they should reflect the organization's security policy. An IP ACL causes a router to discard packets that match criteria the network engineer defines as filters; the goal of these filters is to keep unwanted traffic out of the network.
There are two main categories of IOS IP ACLs:
• Standard ACLs, which use simpler logic; and
• Extended ACLs, which use more-complex logic.
Standard IP Access Control Lists
Filtering logic can be configured on any router and on any of its interfaces. Cisco IOS software applies the filtering logic of an ACL either as a packet enters an interface or as it exits the interface; in other words, IOS associates an ACL with one interface and one direction (inbound or outbound). After you have chosen the router on which to place the access list, you must choose the interface on which to apply it and whether to apply the logic to inbound or outbound packets.
The key features of Cisco ACLs are:
• Packets can be filtered as they enter an interface, before the routing decision.
• Packets can be filtered before they exit an interface, after the routing decision.
• Deny is the term used in Cisco IOS software to mean that the packet is filtered (discarded).
• Permit is the term used in Cisco IOS software to mean that the packet is not filtered (forwarded).
• The filtering logic is configured in the access list.
• If a packet does not match any of your access list statements, it is blocked: every ACL ends with an implicit deny.
Access lists apply two steps to each statement: matching, which decides whether the packet matches the parameters of the access-list statement, and action, which is either deny (discard the packet) or permit (forward it). With a multiple-entry ACL the logic is more involved, because the statements are examined in order. It can be summarized as follows:
Step 1: The matching parameters of the access-list statement are compared to the packet.
Step 2: If a match is made, the action defined in this access-list statement (permit or deny) is performed.
Step 3: If a match is not made in Step 2, repeat Steps 1 and 2 using each successive statement in the ACL until a match is made.
Step 4: If no match is made with any entry in the access list, the deny action is performed (the implicit deny at the end of every ACL).
Extended IP Access Control Lists
Extended IP access lists are similar to standard IP ACLs in that you enable them on interfaces for packets either entering or exiting the interface, and IOS then searches the list sequentially: the first statement matched stops the search and defines the action to be taken. The key difference between extended and standard ACLs is the variety of packet fields that an extended ACL can compare. A single extended ACL statement can examine several parts of the packet headers, and all of its parameters must match for that one statement to match. That matching logic is what makes extended access lists both much more useful and much more complex than standard IP ACLs. You can configure an extended ACL to match the IP protocol type, the field that identifies which header follows the IP header: all IP packets, or only those carrying TCP, UDP, ICMP, and so on. You can also match the source and destination IP addresses and, for TCP and UDP, the source and destination port numbers.
An extended access list is more complex than a standard access list, so its configuration command is more complex. The command that defines one statement of a numbered extended access list is:
• access-list access-list-number {permit | deny} protocol source source-wildcard destination destination-wildcard [log | log-input]
For TCP and UDP an optional port operator such as eq 80 can follow the source or the destination address. The log and log-input keywords make IOS log matches on that statement, which is the quickest way to see what a deny entry is actually catching. Note that the access-list command only defines the entries; the list takes effect on an interface once it is applied there with ip access-group access-list-number {in | out}.
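The first-match search with implicit deny that Steps 1 to 4 describe, together with the all-parameters-must-match rule of extended ACLs, as an added example in Python. It is not part of the original page and not Cisco code. It parses a small subset of the numbered access-list syntax shown above (protocols ip/tcp/udp/icmp; addresses as any, host, address plus wildcard, or a lone address in a standard list; an optional eq port after the destination; no source ports and no log keywords), evaluates packets against the list in order, and also reports statements that an earlier statement makes unreachable, which is the ordering mistake a reviewer most often has to catch. The sample ACL and packets are constructed for the example.

```python
# Added example, not Cisco code: a first-match evaluator for numbered IOS-style ACL
# lines that reproduces the Step 1-4 logic described above. Supported subset of the
# syntax: protocols ip/tcp/udp/icmp; addresses as 'any', 'host A.B.C.D',
# 'A.B.C.D wildcard' or a lone 'A.B.C.D' (standard-ACL shorthand for one host);
# an optional 'eq port' after the destination. Source ports and log keywords are
# not handled. The sample ACL at the bottom is constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 255.255.255.255: every address matches

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    protocol: str         # "ip", "tcp", "udp" or "icmp"
    src: int              # source address as a 32-bit int
    src_wild: int         # source wildcard mask as a 32-bit int
    dst: int
    dst_wild: int
    dport: Optional[int]  # destination port from "eq N", None means any port

def parse_address(tokens):
    """Consume one address specification from the front of the token list."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return to_int(tokens[1]), 0, tokens[2:]
    if len(tokens) == 1:
        return to_int(tokens[0]), 0, []
    return to_int(tokens[0]), to_int(tokens[1]), tokens[2:]

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N action ...'. Numbers 1-99 are standard lists: source only."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99:
        src, src_wild, _ = parse_address(tokens[3:])
        return Entry(action, "ip", src, src_wild, ANY[0], ANY[1], None)
    src, src_wild, rest = parse_address(tokens[4:])
    dst, dst_wild, rest = parse_address(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Entry(action, tokens[3], src, src_wild, dst, dst_wild, dport)

def addr_matches(packet_addr: int, acl_addr: int, wild: int) -> bool:
    """Wildcard test: bits under 0s in the mask must agree, bits under 1s are ignored."""
    return (packet_addr & ~wild) == (acl_addr & ~wild)

def entry_matches(e: Entry, pkt) -> bool:
    """Every parameter of a statement must match for the statement to match."""
    proto, src, dst, dport = pkt
    return (e.protocol in ("ip", proto)
            and addr_matches(src, e.src, e.src_wild)
            and addr_matches(dst, e.dst, e.dst_wild)
            and (e.dport is None or e.dport == dport))

def packet(proto: str, src: str, dst: str, dport: Optional[int] = None):
    """A packet as (protocol, source, destination, destination port)."""
    return (proto, to_int(src), to_int(dst), dport)

def evaluate(acl, pkt):
    """Steps 1-4: compare statements in order, first match decides, otherwise deny.
    Returns (action, index of the matching statement); index None is the implicit deny."""
    for i, e in enumerate(acl):
        if entry_matches(e, pkt):
            return e.action, i
    return "deny", None

def covers(a: Entry, b: Entry) -> bool:
    """True if every packet b could match is already matched by a."""
    def addr_covers(a_addr, a_wild, b_addr, b_wild):
        # a must ignore every bit b ignores, and agree with b on the bits a compares
        return (b_wild & ~a_wild) == 0 and (a_addr & ~a_wild) == (b_addr & ~a_wild)
    return (a.protocol in ("ip", b.protocol)
            and addr_covers(a.src, a.src_wild, b.src, b.src_wild)
            and addr_covers(a.dst, a.dst_wild, b.dst, b.dst_wild)
            and (a.dport is None or a.dport == b.dport))

def shadowed_entries(acl):
    """(index, index of earlier entry) for statements that can never be the first match."""
    result = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            if covers(earlier, later):
                result.append((j, i))
                break
    return result

# Constructed sample: the third statement is dead, because 10.1.5.5 lies inside the
# 10.1.0.0/16 range that the second statement already permits for every protocol.
SAMPLE_ACL = [
    "access-list 101 permit tcp any host 10.1.1.10 eq 80",
    "access-list 101 permit ip 10.1.0.0 0.0.255.255 any",
    "access-list 101 deny ip host 10.1.5.5 any",
    "access-list 101 deny tcp any host 10.1.1.10 eq 23",
]
ACL = [parse_entry(line) for line in SAMPLE_ACL]

if __name__ == "__main__":
    print(evaluate(ACL, packet("tcp", "10.1.5.5", "10.1.1.10", 23)))  # ('permit', 1)
    print(evaluate(ACL, packet("udp", "192.0.2.7", "10.1.1.10", 53)))  # ('deny', None)
    print(shadowed_entries(ACL))                                       # [(2, 1)]
```

The telnet deny on the last line is not flagged as dead, because external sources can still reach it, yet an internal host such as 10.1.5.5 is permitted telnet by the second statement; evaluate() returning the index of the matching statement is what makes that visible. Denies that are meant to carve exceptions out of a broad permit have to sit above it.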
Wildcard Masks
IOS IP ACLs match packets by looking at the IP, TCP, and UDP headers in the packet; standard IP access lists examine only the source IP address. You can configure the router to match the entire IP address or only part of it by giving a wildcard mask along with the IP address in the ACL statement. The wildcard mask tells the router which bits of the configured address must be compared with the packet header. Wildcard masks look similar to subnet masks in that they are 32-bit numbers, but their meaning is different: a 0 bit in the wildcard mask means the corresponding address bit must match, and a 1 bit means that bit is ignored. Thus wildcard mask 0.0.0.0 (binary 00000000.00000000.00000000.00000000) requires the entire IP address to match, wildcard mask 0.0.0.255 (binary 00000000.00000000.00000000.11111111) requires the first 24 bits to match, and wildcard mask 0.0.31.255 (binary 00000000.00000000.00011111.11111111) requires the first 19 bits to match. When the range is a single subnet the wildcard is the inverse of the subnet mask (255.255.224.0 becomes 0.0.31.255), but a wildcard does not have to be contiguous: 0.0.0.254 with address 10.1.1.0, for example, matches every even-numbered host in 10.1.1.0/24 and none of the odd-numbered ones.
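Wildcard-mask arithmetic, as an added example in Python that is not part of the original page and not Cisco code: how many address bits a mask makes the router compare, the conversion between a prefix length and a contiguous wildcard, the match test itself, the set of addresses a statement can cover, and the clearing of address bits that fall under wildcard 1s (IOS does this when it stores a statement, so 10.1.1.77 0.0.0.255 appears in the configuration as 10.1.1.0 0.0.0.255). The addresses used are constructed for the example.

```python
# Added example, not Cisco code: wildcard-mask arithmetic for IOS ACL statements.
# All addresses below are constructed for illustration.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))

def compared_bits(wildcard: str) -> int:
    """How many of the 32 address bits the router compares: the 0 bits of the wildcard."""
    return 32 - bin(to_int(wildcard)).count("1")

def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /19 -> 0.0.31.255: the bitwise inverse of the subnet mask."""
    return to_str((1 << (32 - prefix_len)) - 1)

def wildcard_to_prefix(wildcard: str):
    """Prefix length for a contiguous wildcard (a run of 1s at the low end), else None."""
    w = to_int(wildcard)
    if w & (w + 1):  # w + 1 is a power of two exactly when w is a run of low-order 1s
        return None
    return 32 - w.bit_length()

def matches(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """The router's test: bits under wildcard 0s must be identical, the rest are ignored."""
    w = to_int(wildcard)
    return (to_int(packet_ip) & ~w) == (to_int(acl_addr) & ~w)

def normalize(acl_addr: str, wildcard: str) -> str:
    """Clear the address bits the wildcard ignores, as IOS does when it stores a statement."""
    return to_str(to_int(acl_addr) & ~to_int(wildcard))

def covered(acl_addr: str, wildcard: str):
    """Lowest and highest address that can match, and how many addresses do.
    With a non-contiguous wildcard the count is still 2 ** (number of 1 bits), but the
    matching addresses are scattered between the bounds instead of forming one block."""
    a, w = to_int(acl_addr), to_int(wildcard)
    return to_str(a & ~w), to_str(a | w), 1 << bin(w).count("1")

if __name__ == "__main__":
    for wc in ("0.0.0.0", "0.0.0.255", "0.0.31.255", "0.0.0.254"):
        print(wc, "compares", compared_bits(wc), "bits, prefix", wildcard_to_prefix(wc))
    print(covered("10.1.32.0", "0.0.31.255"))
    print(normalize("10.1.1.77", "0.0.0.255"))
    print(matches("10.1.1.4", "10.1.1.0", "0.0.0.254"), matches("10.1.1.5", "10.1.1.0", "0.0.0.254"))
```

A practical check before committing a statement: run normalize() on the address and wildcard you intend to type and compare it with what you wrote. If they differ, the bits you set in the address are ones the wildcard ignores, and the statement matches a different (usually larger) set of addresses than you were thinking of.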