Transcript TCP Port
Access Control List (ACL) W.lilakiatsakun Transport Layer Review (1) • TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) • UDP (User Datagram Protocol) – DNS (Domain Name Service) – SNMP (Simple Management Protocol) Transport Layer Review (2) Transport Layer Review (3) TCP Port Transport Layer Review (4) UDP Port Transport Layer Review (5) TCP/UDP Common Port Packet Filtering (1) • To controls access to a network by analyzing the incoming and outgoing packets and passing or halting them based on stated criteria. • A router acts as a packet filter when it forwards or denies packets according to filtering rules. Packet Filtering (2) Packet Filtering (3) Packet Filtering (4) • A packet-filtering router uses rules to determine whether to permit or deny traffic based on source and destination IP addresses, source port and destination port, and the protocol of the packet. • These rules are defined using access control lists or ACLs. Packet Filtering (5) - Only permit web access to users from network A. - Deny web access to users from network B, - Permit them Network B to have all other access." ACL (Access Control List) (1) • An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. • ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways. ACL (Access Control List) (2) ACL (Access Control List) (3) ACL guideline (1) • Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. • Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network. ACL guideline (2) • Configure ACLs on border routers-routers situated at the edges of your networks. – This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network. • Configure ACLs for each network protocol configured on the border router interfaces. – You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both. ACL Operation (1) • Inbound ACLs – Incoming packets are processed before they are routed to the outbound interface. – An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. • Outbound ACLs – Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL. ACL Operation (2) Inbound ACLs ACL Operation (3) Outbound ACLs ACL Operation (4) Type of CISCO ACL Standard ACL (1) The two main tasks involved in using ACLs are as follows: Step 1. Create an access list by specifying an access list number or name and access conditions. Step 2. Apply the ACL to interfaces or terminal lines. Numbering and Naming ACL Where to Place ACL (1) • Locate extended ACLs as close as possible to the source of the traffic denied. – This way, undesirable traffic is filtered without crossing the network infrastructure. • Because standard ACLs do not specify destination addresses, place them as close to the destination as possible. Where to Place ACL (2) Standard ACL Where to Place ACL (3) Extended ACL ACL Best Practice (1) ACL Criteria (1) Configuring Standard ACL (1) Access Control Condition Permit IP from network 192.168.10.0/24 except 192.168.10.1 Permit IP from network 192.0.0.0/8 except 192.168.0.0/16 – access-list 2 deny 192.168.10.1 – access-list 2 permit 192.168.10.0 0.0.0.255 – access-list 2 deny 192.168.0.0 0.0.255.255 – access-list 2 permit 192.0.0.0 0.255.255.255 Configuring Standard ACL (2) Configuring Standard ACL (3) Configuring Standard ACL (4) Router(config)#access-list access-list-number [deny | permit | remark] source [source-wildcard] [log] Removing ACL Configuring Standard ACL (5) Documenting ACL ACL Wildcard Masking (1) • Wildcard masks use the following rules to match binary 1s and 0s: – Wildcard mask bit 0 - Match the corresponding bit value in the address – Wildcard mask bit 1 - Ignore the corresponding bit value in the address ACL Wildcard Masking (2) ACL Wildcard Masking (3) ACL Wildcard Masking (4) ACL Wildcard Masking (5) ACL Wildcard Masking (6) Apply Standard ACL (1) Apply Standard ACL (2) Apply Standard ACL (3) Apply Standard ACL (4) Apply Standard ACL (5) Commenting ACL Named ACL (1) Named ACL (2) Verifying ACL Extended ACL (1) Extended ACLs check the source packet addresses, but they also check the destination address, protocols and port numbers (or services). This gives a greater range of criteria on which to base the ACL. Extended ACL (2) Extended ACL (2) Configuring Extended ACL (1) • The network administrator needs to restrict Internet access to allow only website browsing. – ACL 103 applies to traffic leaving the 192.168.10.0 network – ACL 104 to traffic coming into the network. Configuring Extended ACL (2) Configuring Extended ACL (3) • ACL 103 accomplishes the first part of the requirement. – It allows traffic coming from any address on the 192.168.10.0 network to go to any destination, subject to the limitation that traffic goes to ports 80 (HTTP) and 443 (HTTPS) only. Configuring Extended ACL (4) • ACL 104 does that by blocking all incoming traffic, except for the established connections. – HTTP establishes connections starting with the original request and then through the exchange of ACK, FIN, and SYN messages. Configuring Extended ACL (5) • The established parameter allows responses to traffic that originates from the 192.168.10.0 /24 network to return inbound on the s0/0/0. • A match occurs if the TCP datagram has the ACK or reset (RST) bits set, which indicates that the packet belongs to an existing connection. Apply Extended ACL (1) Apply Extended ACL (2) Apply Extended ACL (3) Named Extended ACL Complex ACL Dynamic ACL (1) • AKA lock-and-key ACL – Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. – The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. Dynamic ACL (2) Dynamic ACL (3) Reflexive ACL (1) • Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. • This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists. Reflexive ACL (2) Reflexive ACL (3) Time Based ACL (1) • Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. • To implement time-based ACLs, you create a time range that defines specific times of the day and week. Time Based ACL (2) Time Based ACL (3) Troubleshooting ACL (1) Troubleshooting ACL (2) UDP Troubleshooting ACL (3) Troubleshooting ACL (4) Troubleshooting ACL (5)