Complex ACLs

Types of Complex ACLs
Standard and extended ACLs can become the basis for complex ACLs that provide additional functionality. There are three types of complex ACLs:

  • Dynamic ACLs (Lock-and-Key)
  • Reflexive ACLs
  • Time-Based ACLs
What are Dynamic ACLs?
Lock-and-key is a traffic filtering security feature that uses dynamic ACLs, which are sometimes referred to as lock-and-key ACLs. Lock-and-key is available for IP traffic only. Dynamic ACLs are dependent on Telnet connectivity, authentication (local or remote), and extended ACLs.
Dynamic ACL configuration starts with the application of an extended ACL to block traffic through the router. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular period; idle and absolute timeouts are possible.

When to Use Dynamic ACLs
Some common reasons to use dynamic ACLs are as follows:
When you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and then permits limited access through your firewall router for a host or subnet for a finite period.
When you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through a AAA, TACACS+ server, or other security server before it allows their hosts to access the remote hosts.

Benefits of Dynamic ACLs

Dynamic ACLs have the following security benefits over standard and static extended ACLs:

  • Use of a challenge mechanism to authenticate individual users
  • Simplified management in large internetworks
  • In many cases, reduction of the amount of router processing that is required for ACLs
  • Reduction of the opportunity for network break-ins by network hackers
  • Creation of dynamic user access through a firewall, without compromising other configured security restrictions
In the figure, the user at PC1 is an administrator who requires back-door access to the /24 network located behind router R3. A dynamic ACL has been configured on R3 to allow FTP and HTTP access, but only for a limited time.
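A lock-and-key configuration for the scenario above, written here as an added example rather than taken from the page or the figure. The addresses (R3 outside interface 10.0.0.1, protected network 192.168.30.0/24), the account name, the ACL number and the timeouts are all assumptions.

```cisco
! Added example (not from the original page). Addresses, names and timeouts
! are constructed for illustration.
!
! Local account used for lock-and-key authentication. The autocommand installs
! the temporary entry and then drops the Telnet session, as the text describes.
! "host" scopes the entry to the authenticating source address; "timeout 5" is
! the idle timeout in minutes for that entry.
username admin secret ADMIN-PASSWORD-PLACEHOLDER
username admin autocommand access-enable host timeout 5
!
! Extended ACL applied inbound on the outside interface. Telnet to the router
! itself is permitted so the user can authenticate; the dynamic entry stays
! inactive until then. "timeout 15" is the absolute timeout in minutes.
! IOS honours only the first dynamic entry in an access list, so the single
! entry permits IP to the protected subnet from the authenticated host.
access-list 101 permit tcp any host 10.0.0.1 eq telnet
access-list 101 dynamic BACKDOOR timeout 15 permit ip any 192.168.30.0 0.0.0.255
!
interface Serial0/0/1
 ip access-group 101 in
!
! The VTY lines authenticate against the local database; on success the
! per-user autocommand above runs and closes the connection.
line vty 0 4
 login local
```

After a user authenticates, `show access-lists 101` shows the temporary entry with its remaining time, which is the quickest way to confirm the entry was created and that it expires as expected.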

What are Reflexive ACLs?
Reflexive ACLs force the reply traffic from the destination of a known recent outbound packet to go to the source of that outbound packet. This adds greater control to what traffic you allow into your network and increases the capabilities of extended access lists.
Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network. These ACLs allow the router to manage session traffic dynamically. The router examines the outbound traffic and when it sees a new connection, it adds an entry to a temporary ACL to allow replies back in. Reflexive ACLs contain only temporary entries. These entries are automatically created when a new IP session begins, for example, with an outbound packet, and the entries are automatically removed when the session ends.
Reflexive ACLs provide a truer form of session filtering than an extended ACL that uses the established parameter introduced earlier. Although similar in concept to the established parameter, reflexive ACLs also work for UDP and ICMP, which have no ACK or RST bits. The established option also does not work with applications that dynamically alter the source port for the session traffic. The permit established statement only checks the ACK and RST bits, not the source and destination addresses.
Reflexive ACLs are not applied directly to an interface but are "nested" within an extended named IP ACL that is applied to the interface.
Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named ACLs or with other protocol ACLs. Reflexive ACLs can be used with other standard and static extended ACLs.

Benefits of Reflexive ACLs
Reflexive ACLs have the following benefits:

  • Help secure your network against network hackers and can be included in a firewall defense.
  • Provide a level of security against spoofing and certain DoS attacks. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through. For example, source and destination addresses and port numbers, not just ACK and RST bits, are checked.
  • Simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
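The nesting described above (an outbound named ACL that creates temporary entries with `reflect`, and an inbound named ACL that `evaluate`s them), written as an added example that is not from the page. The inside network 192.168.0.0/16, the interface and the list names are assumptions.

```cisco
! Added example (not from the original page). Network, interface and names
! are constructed for illustration.
!
! Idle timeout (seconds) after which temporary reflexive entries are removed.
ip reflexive-list timeout 120
!
! Outbound named ACL: every permitted outbound session creates a mirrored
! temporary entry in the named reflexive list. For an outbound TCP packet
! 192.168.1.5:40000 -> 203.0.113.7:443 the temporary entry is, in effect,
!   permit tcp host 203.0.113.7 eq 443 host 192.168.1.5 eq 40000
! so both addresses and both ports must match on the return path.
ip access-list extended OUTBOUND-FILTER
 permit tcp 192.168.0.0 0.0.255.255 any reflect TCP-TRAFFIC
 permit udp 192.168.0.0 0.0.255.255 any reflect UDP-TRAFFIC
 permit icmp 192.168.0.0 0.0.255.255 any reflect ICMP-TRAFFIC
!
! Inbound named ACL: "evaluate" nests the reflexive lists here. Only replies
! matching a live temporary entry pass; everything else hits the explicit
! deny (logged) and is dropped, so unsolicited inbound sessions never start.
ip access-list extended INBOUND-FILTER
 evaluate TCP-TRAFFIC
 evaluate UDP-TRAFFIC
 evaluate ICMP-TRAFFIC
 deny ip any any log
!
! Reflexive lists are never applied directly; the named extended ACLs are.
interface Serial0/0/1
 ip access-group INBOUND-FILTER in
 ip access-group OUTBOUND-FILTER out
```

`show access-lists` lists the temporary entries currently held in each reflexive list together with their remaining idle time, which is how you verify that replies are being matched rather than denied.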

What are Time-based ACLs?
Time-based ACLs are similar to extended ACLs in function, but they allow for access control based on time. To implement time-based ACLs, you create a time range that defines specific times of the day and week. You identify the time range with a name and then refer to it by a function. The time restrictions are imposed on the function itself.

Time-based ACLs have many benefits, such as:

  • Offers the network administrator more control over permitting or denying access to resources.
  • Allows network administrators to control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without analyzing the many logs that are generated during peak hours.
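A time-based ACL that covers both points above (a recurring access window and logging that is only active outside business hours), added here as an example and not taken from the page. The network 192.168.10.0/24, the interface, the range names and the NTP server address are assumptions.

```cisco
! Added example (not from the original page). Network, interface, names and
! dates are constructed for illustration.
!
! Named time ranges. "periodic" recurs weekly; "absolute" is a one-off window.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 17:00
!
time-range EVENING
 periodic weekdays 17:00 to 23:59
!
time-range MAINTENANCE
 absolute start 22:00 1 June 2024 end 02:00 2 June 2024
!
! An ACE carrying a time-range is matched only while that range is active;
! outside it the ACE is skipped and later entries (or the implicit deny) apply.
ip access-list extended OFFICE-OUT
 permit tcp 192.168.10.0 0.0.0.255 any eq www time-range BUSINESS-HOURS
 permit tcp 192.168.10.0 0.0.0.255 any eq 443 time-range BUSINESS-HOURS
 permit ip 192.168.10.0 0.0.0.255 any time-range MAINTENANCE
 ! Log denied traffic only in the evening; during the day it is denied silently
 ! by the final entry, which keeps peak-hour log volume down.
 deny ip any any log time-range EVENING
 deny ip any any
!
interface GigabitEthernet0/0
 ip access-group OFFICE-OUT in
!
! Time ranges are evaluated against the router clock, so keep it synchronised
! or the window will open and close at the wrong times.
ntp server 192.0.2.10
```

`show time-range` reports whether each range is currently active and which ACLs reference it, which is the first thing to check when a time-based entry does not match when expected.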

