ACLs


Introduction
Network security is a huge subject, and much of it is far beyond the scope of this course. However, one of the most important skills a network administrator needs is mastery of access control lists (ACLs). Administrators use ACLs to stop traffic or permit only specified traffic while stopping all other traffic on their networks. This chapter includes an opportunity to develop your mastery of ACLs with a series of lessons, activities, and lab exercises.
Network designers use firewalls to protect networks from unauthorized use. Firewalls are hardware or software solutions that enforce network security policies. Consider a lock on a door to a room inside a building. The lock only allows authorized users with a key or access card to pass through the door. Similarly, a firewall filters unauthorized or potentially dangerous packets from entering the network. On a Cisco router, you can configure a simple firewall that provides basic traffic filtering capabilities using ACLs.
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. ACLs provide a powerful way to control traffic into and out of your network. You can configure ACLs for all routed network protocols.
The most important reason to configure ACLs is to provide security for your network. This chapter explains how to use standard and extended ACLs as part of a security solution and teaches you how to configure them on a Cisco router. Included are tips, considerations, recommendations, and general guidelines on how to use ACLs.

A TCP Conversation
ACLs enable you to control traffic into and out of your network. This control can be as simple as permitting or denying network hosts or addresses. However, ACLs can also be configured to control network traffic based on the TCP port being used. To understand how an ACL works with TCP, let us look at the dialogue that occurs during a TCP conversation when you download a webpage to your computer.
When you request data from a web server, IP takes care of the communication between the PC and the server. TCP takes care of the communication between your web browser (application) and the network server software. When you send an e-mail, look at a webpage, or download a file, TCP is responsible for breaking data down into packets for IP before they are sent, and for assembling the data from the packets when they arrive. The TCP process is very much like a conversation in which two nodes on a network agree to pass data between one another.
Recall that TCP provides a connection-oriented, reliable, byte stream service. The term connection-oriented means that the two applications using TCP must establish a TCP connection with each other before they can exchange data. TCP is a full-duplex protocol, meaning that each TCP connection supports a pair of byte streams, each stream flowing in one direction. TCP includes a flow-control mechanism for each byte stream that allows the receiver to limit how much data the sender can transmit. TCP also implements a congestion-control mechanism.

What is an ACL?
An ACL is a router configuration script that controls whether a router permits or denies packets to pass based on criteria found in the packet header. ACLs are among the most commonly used objects in Cisco IOS software. ACLs are also used for selecting types of traffic to be analyzed, forwarded, or processed in other ways.
As each packet comes through an interface with an associated ACL, the ACL is checked from top to bottom, one line at a time, looking for a pattern matching the incoming packet. The ACL enforces one or more corporate security policies by applying a permit or deny rule to determine the fate of the packet. ACLs can be configured to control access to a network or subnet.
By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. If you do not use ACLs on the router, all packets that can be routed through the router pass through the router to the next network segment.

Here are some guidelines for using ACLs:
Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet.
Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
Configure ACLs on border routers, the routers situated at the edges of your networks. This provides a very basic buffer from the outside network, or between a less controlled area of your own network and a more sensitive area of your network.
Configure ACLs for each network protocol configured on the border router interfaces. You can configure ACLs on an interface to filter inbound traffic, outbound traffic, or both.
The Three Ps
A general rule for applying ACLs on a router can be recalled by remembering the three Ps. You can configure one ACL per protocol, per direction, per interface:
One ACL per protocol: To control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface.
One ACL per direction: ACLs control traffic in one direction at a time on an interface. Two separate ACLs must be created to control inbound and outbound traffic.
One ACL per interface: ACLs control traffic for an interface, for example, Fast Ethernet 0/0.
Writing ACLs can be a challenging and complex task. Every interface can have multiple protocols and directions defined. The router in the example has two interfaces configured for three protocols: IP, AppleTalk, and IPX. This router could therefore require up to 12 separate ACLs: one ACL for each of the three protocols, times two for each direction, times two for the number of interfaces.

ACLs perform the following tasks:
Limit network traffic to increase network performance. For example, if corporate policy does not allow video traffic on the network, ACLs that block video traffic could be configured and applied. This would greatly reduce the network load and increase network performance.
Provide traffic flow control. ACLs can restrict the delivery of routing updates. If updates are not required because of network conditions, bandwidth is preserved.
Provide a basic level of security for network access. ACLs can allow one host to access a part of the network and prevent another host from accessing the same area. For example, access to the Human Resources network can be restricted to select users.
Decide which types of traffic to forward or block at the router interfaces. For example, an ACL can permit e-mail traffic, but block all Telnet traffic.
Control which areas a client can access on a network.
Screen hosts to permit or deny access to network services. ACLs can permit or deny a user access to services such as FTP or HTTP.
ACLs inspect network packets based on criteria, such as source address, destination address, protocols, and port numbers. In addition to either permitting or denying traffic, an ACL can classify traffic to enable priority processing down the line. This capability is similar to having a VIP pass at a concert or sporting event. The VIP pass gives selected guests privileges not offered to general admission ticket holders, such as being able to enter a restricted area and be escorted to their box seats.

How ACLs Work
ACLs define rules that give added control over packets that enter inbound interfaces, packets that relay through the router, and packets that exit outbound interfaces of the router. ACLs do not act on packets that originate from the router itself.
ACLs are configured either to apply to inbound traffic or to apply to outbound traffic.
Inbound ACLs: Incoming packets are processed before they are routed to the outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet is discarded. If the packet is permitted by the tests, it is then processed for routing.
Outbound ACLs: Incoming packets are routed to the outbound interface, and then they are processed through the outbound ACL.
ACL statements operate in sequential order. They evaluate packets against the ACL, from the top down, one statement at a time.
If a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as determined by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached.
A final implied statement covers all packets for which conditions did not test true. This final test condition matches all other packets and results in a "deny" instruction. Instead of proceeding into or out of an interface, the router drops all of these remaining packets. This final statement is often referred to as the "implicit deny any statement" or the "deny all traffic" statement. Because of this statement, an ACL should have at least one permit statement in it; otherwise, the ACL blocks all traffic.
You can apply an ACL to multiple interfaces. However, there can be only one ACL per protocol, per direction, and per interface.
Before a packet is forwarded to an outbound interface, the router checks the routing table to see if the packet is routable. If the packet is not routable, it is dropped. Next, the router checks to see whether the outbound interface is grouped to an ACL. If the outbound interface is not grouped to an ACL, the packet can be sent to the output buffer. Examples of outbound ACL operation are as follows:
If the outbound interface is not grouped to an outbound ACL, the packet is sent directly to the outbound interface.
If the outbound interface is grouped to an outbound ACL, the packet is not sent out on the outbound interface until it is tested by the combination of ACL statements that are associated with that interface. Based on the ACL tests, the packet is permitted or denied.
For outbound lists, "to permit" means to send the packet to the output buffer, and "to deny" means to discard the packet.

ACL and Routing and ACL Processes on a Router
The figure shows the logic of routing and ACL processes on a router. When a packet arrives at a router interface, the router process is the same, whether ACLs are used or not. As a frame enters an interface, the router checks to see whether the destination Layer 2 address matches its own or if the frame is a broadcast frame.
If the frame address is accepted, the frame information is stripped off and the router checks for an ACL on the inbound interface. If an ACL exists, the packet is now tested against the statements in the list.
If the packet matches a statement, the packet is either accepted or rejected. If the packet is accepted in the interface, it is then checked against routing table entries to determine the destination interface and switched to that interface.
Next, the router checks whether the destination interface has an ACL. If an ACL exists, the packet is tested against the statements in the list.
If the packet matches a statement, it is either accepted or rejected.
If there is no ACL or the packet is accepted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
The Implied "Deny All Traffic" Criteria Statement
At the end of every access list is an implied "deny all traffic" criteria statement. It is also sometimes referred to as the "implicit deny any" statement. Therefore, if a packet does not match any of the ACL entries, it is automatically blocked. The implied "deny all traffic" is the default behavior of ACLs and cannot be changed.
There is a key caveat associated with this "deny all" behavior: For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.
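The following Python model is an added example, not code from the course text or from Cisco IOS. It ties together the processing order described under "How ACLs Work" and "ACL and Routing and ACL Processes on a Router" (inbound ACL, then routing lookup, then outbound ACL), the top-down first-match rule, and the implied "deny all traffic" statement, including the routing-update caveat just described: an inbound list that only permits web traffic silently drops a neighbour's hello packet until an explicit permit is added. The topology, addresses, interface names, and the sample packets (including the OSPF hello) are all constructed for the illustration; CIDR prefixes stand in for IOS address/wildcard-mask pairs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp", "icmp", "ospf", ...
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    protocol: str = "ip"          # "ip" matches any protocol
    src: str = "0.0.0.0/0"        # CIDR prefixes stand in for IOS address/wildcard pairs
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port

def evaluate_acl(entries: List[AclEntry], pkt: Packet):
    """Top-down, first-match evaluation; returns (action, reason). When no entry
    matches, the implied 'deny any' statement at the end of the list fires."""
    for i, entry in enumerate(entries):
        if entry.matches(pkt):
            return entry.action, f"entry {i}"
    return "deny", "implicit deny any"

@dataclass
class Interface:
    name: str
    inbound: Optional[List[AclEntry]] = None     # None: no ACL grouped, nothing filtered
    outbound: Optional[List[AclEntry]] = None

class Router:
    def __init__(self, interfaces, routes, own_addrs):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = [(ipaddress.ip_network(p), name) for p, name in routes]
        self.own_addrs = set(own_addrs)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)   # longest-prefix match; None = not routable
        hits = [(net.prefixlen, name) for net, name in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def process(self, in_name: str, pkt: Packet) -> str:
        # 1. The inbound ACL runs before any routing lookup is spent on the packet.
        ingress = self.interfaces[in_name]
        if ingress.inbound is not None:
            action, why = evaluate_acl(ingress.inbound, pkt)
            if action == "deny":
                return f"dropped by inbound ACL on {in_name} ({why})"
        # Routing updates and other traffic addressed to the router itself end here.
        if pkt.dst in self.own_addrs or ipaddress.ip_address(pkt.dst).is_multicast:
            return "delivered to the router itself"
        # 2. Routing table lookup; packets with no route are dropped.
        out_name = self.lookup(pkt.dst)
        if out_name is None:
            return "dropped: not routable"
        # 3. The outbound ACL on the egress interface decides before the output buffer.
        egress = self.interfaces[out_name]
        if egress.outbound is not None:
            action, why = evaluate_acl(egress.outbound, pkt)
            if action == "deny":
                return f"dropped by outbound ACL on {out_name} ({why})"
        return f"forwarded out {out_name}"

# Constructed topology and addresses: LAN on Fa0/0, WAN link on S0/0/0.
LAN, ANY = "192.168.10.0/24", "0.0.0.0/0"
INBOUND_LAN = [AclEntry("permit", "tcp", LAN, ANY, 80),    # web out of the LAN ...
               AclEntry("permit", "icmp", LAN, ANY)]       # ... and ping; nothing else
OUTBOUND_WAN = [AclEntry("deny", "icmp", ANY, "203.0.113.0/24"),
                AclEntry("permit", "ip", ANY, ANY)]
PERMIT_OSPF = AclEntry("permit", "ospf", LAN, "224.0.0.5/32")   # the explicit fix

def build_router(inbound: List[AclEntry]) -> Router:
    ifaces = [Interface("Fa0/0", inbound=inbound), Interface("S0/0/0", outbound=OUTBOUND_WAN)]
    return Router(ifaces, [(LAN, "Fa0/0"), (ANY, "S0/0/0")], {"192.168.10.1", "198.51.100.2"})

def demo() -> dict:
    plain, fixed = build_router(INBOUND_LAN), build_router([PERMIT_OSPF] + INBOUND_LAN)
    web = Packet("192.168.10.5", "203.0.113.10", "tcp", 80)
    telnet = Packet("192.168.10.5", "203.0.113.10", "tcp", 23)
    ping = Packet("192.168.10.5", "203.0.113.10", "icmp")
    hello = Packet("192.168.10.2", "224.0.0.5", "ospf")   # constructed OSPF hello from a neighbour
    return {"web": plain.process("Fa0/0", web),
            "telnet": plain.process("Fa0/0", telnet),
            "ping": plain.process("Fa0/0", ping),
            "hello": plain.process("Fa0/0", hello),
            "hello_with_fix": fixed.process("Fa0/0", hello)}

if __name__ == "__main__":
    for name, fate in demo().items():
        print(f"{name:15} {fate}")
```

Running it shows the web request forwarded, the Telnet attempt and the hello both dropped by the inbound list's implicit deny (no statement was written for them), the ping passing the inbound list but dying on the outbound list of S0/0/0, and the hello reaching the router only once the explicit permit sits ahead of the other entries. The model also reproduces the point that an empty list denies everything: evaluate_acl with no entries returns "deny".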
