CertiGuide to Security+, Chapter 3: Infrastructure Security (Domain 3.0; 20%), Section 3.5.2 Network Hardening: Configuration

Access Control Lists

Access control lists (ACLs), sometimes called filters, are used to determine which traffic is permitted to pass through a network interface, in which direction, and between which addresses. Routers typically manage access control via a text file of access control rules; OSes and home networking devices that include this functionality generally wrap access control lists in a GUI for ease of use. The network device examines the information in each packet, compares it to the ACLs, and either lets the packet through or stops it depending on the ACL instructions.

Typical attributes that may be examined by rules in access control lists include a packet’s:

  • Source IP address.

  • Destination IP address.

  • Source port number.

  • Destination port number.

  • IP protocol number (this is not the same thing as the application port number).

  • Direction of travel (incoming to or outgoing from the interface).

The above is just a sample list of common parameters that can be included in an access control list – the features supported by your equipment may vary (unlike Internet protocols, access lists are not standardized, since they are not required to be “interoperable” between different vendors’ devices).

Typically an overall default policy is set on each device, specifying whether inbound traffic will be permitted by default, or denied by default. A similar default policy is set for outbound traffic. Often it is appropriate to “deny all” inbound traffic by default and “permit all” outbound traffic by default, but that depends on your organization.

Access Control List (ACL)

An access control list is a set of rules that specify which traffic will be permitted to pass through the network device, and which will be stopped.

Common packet attributes evaluated by access control lists include source and destination IP addresses and port numbers, IP protocol number and direction of the packet’s travel.

A device may permit all outbound traffic (from your network to the Internet) by default, and contain access lists specifying when to deny it, or deny all outbound traffic by default, and contain access lists specifying when to allow it. Similar rules can be configured for inbound traffic (from the Internet to your network).

It is common to deny all inbound traffic, and permit all outbound traffic.

You should set up access control lists to enforce your security policies, such as those which specify which Internet services are, and are not, made available from your network to the Internet. As pointed out in section, two “no-brainer” access control list rules to implement are:

  • Do not allow into your network, any traffic from the outside whose Source IP address is set to an address inside your network (it’s a red flag that the incoming traffic was spoofed – to keep the attacker out, don’t let the traffic in).

  • Do not allow out of your network, any traffic from the inside whose Source IP address is set to an address outside your network (another red flag that the traffic is spoofed – although this time, you’ve got more problems, because the spoofer is somewhere on your network, at least you’re not aiding and abetting him in attacking someone on another network).

Vendors Vary in Implementation

The syntax for access lists varies among vendors. Here’s an example of a Cisco IOS “standard” access list, which allows packets from host into the network:

# access-list 50 permit

The official syntax for a standard access list looks like:

# access-list [1-99] [permit|deny] [ip address] [mask] [log]

You may notice that this is fairly bare bones, and you might be wondering, “Surely Cisco provides better control over network connections than these… don’t they?” Yes, they do. Part 2 of the story is the idea of an extended IP access list, which incorporates features that have become standard for access lists in the industry, plus others as well. An example of a Cisco IOS extended access list might be:

# access-list 170 permit tcp any host eq 80

… which lets anyone connect to port 80 on the named host machine. The official syntax for an extended access list looks like:

# access-list [100-199] [permit|deny] [protocol|protocol keyword] [source source-wildcard|any] [source port] [destination destination-wildcard|any] [destination port] [precedence precedence#] [options]

Depending on the protocol (such as a routing protocol, or TCP, or IP, etc.), many different options may be available.
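To make the matching rules concrete, here is an added example (not code from the guide or from Cisco) of a small parser and first-match evaluator for Cisco-style standard and extended access lists, covering the packet attributes listed above, the implicit "deny" that ends every list, and the "no-brainer" anti-spoofing rule from the previous section. The packet format, the inside network 192.168.1.0/24 and the web server 192.168.1.80 are assumptions made for the illustration.

```python
import ipaddress
# Added illustration, not the guide's code. A packet is a dict with the attributes the guide
# lists (proto, src, dst, sport, dport). IOS wildcard mask: 0 bit = must match, 1 bit = don't care.
def _ip(addr):
    return int(ipaddress.IPv4Address(addr))
def _parse_addr(tokens, standard=False):
    """Consume 'any' | 'host A' | 'A W' (bare 'A' only in a standard list) -> (addr, care_mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host" or (standard and not tokens):
        return _ip(tokens.pop(0) if tok == "host" else tok), 0xFFFFFFFF
    return _ip(tok), 0xFFFFFFFF ^ _ip(tokens.pop(0))
def _parse_port(tokens):  # consume an optional 'eq N'; None means any port
    if tokens and tokens[0] == "eq":
        del tokens[0]
        return int(tokens.pop(0))
    return None
def parse_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into ordered rules; '!' comment lines are skipped."""
    rules = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99:   # standard list: source address only
            rules.append((action, None, _parse_addr(rest, True), None, (0, 0), None))
        else:                   # extended list: proto, source [eq port], destination [eq port]
            proto = rest.pop(0)
            src, sport = _parse_addr(rest), _parse_port(rest)
            rules.append((action, proto, src, sport, _parse_addr(rest), _parse_port(rest)))
    return rules
def evaluate(rules, pkt):
    """First matching rule wins; every IOS list ends with an implicit deny."""
    for action, proto, (sa, sc), sport, (da, dc), dport in rules:
        if proto not in (None, "ip", pkt["proto"]):
            continue
        if (_ip(pkt["src"]) & sc) != (sa & sc) or (_ip(pkt["dst"]) & dc) != (da & dc):
            continue
        if sport not in (None, pkt.get("sport")) or dport not in (None, pkt.get("dport")):
            continue
        return action
    return "deny"
# Constructed inbound list for the Internet-facing interface; the inside network 192.168.1.0/24
# and web server 192.168.1.80 are assumptions. Rule one is the guide's anti-spoofing rule.
INBOUND_ACL = parse_acl([
    "! drop outside packets that claim an inside source address",
    "access-list 170 deny ip 192.168.1.0 0.0.0.255 any",
    "access-list 170 permit tcp any host 192.168.1.80 eq 80",
])
```

A packet from outside that claims an inside source address is dropped by the first rule before the web rule is ever consulted; anything the list does not explicitly permit falls through to the implicit deny, which is the "deny all inbound by default" posture described above.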

If you want more information on how to work with Cisco IOS access lists, check out the Cisco Access Lists Field Guide by Held and Hundley [360], which shows how to work with access lists, use content-based access control to dynamically open ports for applications requiring multiple connections, set up NAT, configure IPSec on Cisco routers, etc.


360. Held, Gilbert and Kent Hundley, Cisco Access Lists Field Guide, McGraw-Hill, April 2000.

CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.