|Like this CertiGuide? Get it in PDF format!|
Use coupon code "certiguide" to save 20%!
|Need more practice? 300 additional Security+ questions!|
|Get It Here!|
126.96.36.199.2 Access Control Lists
Access control lists (ACLs), sometimes
called filters, are used to determine which traffic is permitted to
pass through a network interface, in which direction, between which
addresses. Routers typically manage access control via a text file
of access control rules; OSes and home networking devices including
this functionality generally wrap access control lists in a GUI for
ease of use. The network device examines the information in each packet,
comparing it to the ACLs, and either lets the packet through or stops
it depending on the ACL instructions.
Typical attributes that may be examined
by rules in access control lists include a packets:
- Source IP address.
- Destination IP address.
- Source port number.
- Destination port number.
- IP protocol number (this is not the same thing
as the application port number).
Direction of travel (incoming to
or outgoing from the interface)
The above is just a sample list of
common parameters that can be included in an access control list
the features supported by your equipment may vary (unlike Internet protocols,
access lists are not standardized, since they are not required to be
interoperable between different vendors devices).
Typically an overall default policy
is set on each device, specifying whether inbound traffic will be permitted
by default, or denied by default. A similar default policy is set for
outbound traffic. Often it is appropriate to deny all inbound
traffic by default and permit all outbound traffic by default,
but that depends on your organization.
Access Control List (ACL)
An access control list is a set of rules that specify which traffic will be permitted to pass through the network device, and which will be stopped.
Common packet attributes evaluated by access control lists include source and destination IP addresses and port numbers, IP protocol number and direction of the packets travel.
A device may permit all outbound traffic (from your network to the Internet) by default, and contain access lists specifying when to deny it, or deny all outbound traffic by default, and contain access lists specifying when to allow it. Similar rules can be configured for inbound traffic (from the Internet to your network).
It is common to deny all inbound traffic, and permit all outbound traffic.
You should set up access control
lists to enforce your security policies, such as those which specify
which Internet services are, and are not, made available from your network
to the Internet. As pointed out in section 188.8.131.52, two no-brainer
access control list rules to implement are:
- Do not allow into your network, any traffic from
the outside whose Source IP address is set to an address inside your
network (its a red flag that the incoming traffic was spoofed
to keep the attacker out, dont let the traffic in).
- Do not allow out of your network, any traffic
from the inside whose Source IP address is set to an address outside
your network (another red flag that the traffic is spoofed although
this time, youve got more problems, because the spoofer is somewhere
on your network, at least youre not aiding and abetting him in
attacking someone on another network).
Vendors Vary in Implementation
The syntax for access lists varies among vendors. Heres an example of a Cisco IOS standard access list, which allows packets from host 184.108.40.206 into the network:
# access-list 50 permits 220.127.116.11 0.0.255.255
The official syntax for a standard access list looks like:
# access-list [1-99] [permit|deny] [ip address] [mask] [log]
You may notice that this is fairly bare bones, and you might be wondering, Surely Cisco provides better control over network connections than these
dont they? Yes, they do. Part 2 of the story is the idea of an extended IP access list, which incorporates features that have become standard for access lists in the industry, plus others as well. An example of a Cisco IOS extended access list might be:
# access-list 70 permits tcp any host 18.104.22.168 eq 80
which lets anyone connect to port 80 on machine 22.214.171.124. The official syntax for an extended access list looks like:
# access-list [1-1199] [permit|deny] [protocol|protocol keyword] [source source-wildcard|any] [source port] [destination destination-wildcard|any] [destination port] [precedence precedence#] [options]
Depending on the protocol (such as a routing protocol, or TCP, or IP, etc.), many different options may be available.
If you want more information on how
to work with Cisco IOS access lists, check out the Cisco Access Lists
Field Guide by Held and Hundley360, which shows how to work with access lists, use
content-based access control to dynamically open ports for applications
requiring multiple connections, set up NAT, configure IPSec on Cisco
360. Held, Gilbert and Kent Hundley, Cisco Access Lists Field Guide, McGraw-Hill, April, 2000, http://www.nerdbooks.com/item.html?id=0072123354
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.