Firewalls
Used to protect one network from another
Places a bottleneck between the networks
All communications must pass through the bottleneck, which gives us a single point of control
17 March 2009 ITCN
Protection Methods
Packet Filtering
Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
Address Translation
Translates the addresses of internal hosts so as to hide them from the outside world
Also known as IP masquerading
Packet Filters
Compare the network- and transport-layer headers of each packet to a database of rules and forward only the packets that meet the criteria of the rules
Implemented in routers and sometimes in the TCP/IP stacks of workstation machines
In a router, a filter prevents suspicious packets from reaching your network; in a TCP/IP stack, it prevents that specific machine from responding to suspicious traffic
Packet-filtering Router
A packet-filtering router implements the filter as access control lists (ACLs) configured on the router. So what are access control lists?
Limit network traffic to what we define, which can also improve network performance
Provide traffic flow control
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at router interfaces
An ACL is a group of statements that define how or whether packets:
Enter inbound interfaces
Exit outbound interfaces of the router
Statements are tested in order from the top and the first match decides; if you create a statement that permits all traffic, no statements added after it will ever be checked
Implicit last statement denies all traffic
The statements preceding it must therefore permit the traffic that should flow
Construct statements carefully: anything not explicitly permitted will be denied
Standard ACLs
You use standard ACLs when you:
want to block all traffic from a network
want to allow all traffic from a specific network
Standard ACLs check only the source address of packets that could be routed across your network
Because they cannot match on destination, protocol or port, standard ACLs are used less often for traffic filtering than extended ACLs
Extended ACLs
These are used whenever we want to be more specific about the type of traffic to block, e.g. traffic to or from a certain host, or an entire protocol or service such as WWW (HTTP), FTP or ICMP (ping)
Numbered ACLs 1 to 99 are for standard ACL statements
Numbered ACLs 100 to 199 are for extended ACL statements
(Cisco IOS also accepts the expanded ranges 1300 to 1999 for standard and 2000 to 2699 for extended ACLs, as well as named ACLs)
ACLs are assigned to one or more interfaces, one ACL per protocol, per interface, per direction
Can filter inbound or outbound traffic
An inbound ACL is checked when the packet arrives, before the routing decision, so denied packets are never switched to an outbound interface
An outbound ACL is checked after the routing decision, just before the packet is transmitted on the exit interface
Examples of ACLs
Wildcard masks: a 0 bit must match the address bit, a 1 bit is "don't care"
0.0.255.255 matches every address that shares its first two octets with the given network (a /16)
0.0.0.0 matches exactly one host
access-list 55 deny 192.168.13.7 0.0.0.0 (denies traffic from only the host 192.168.13.7; host 192.168.13.7 is the equivalent keyword form)
access-list 55 permit any (permits all traffic from any network; equivalent to permit 0.0.0.0 255.255.255.255)
Extended ACLs
Provide a greater range of control than standard ACLs
E.g. we can allow Web traffic but deny File Transfer Protocol (FTP), TELNET or other traffic
Extended ACLs check both the source and the destination address of the packet
Specific protocols, port numbers and other parameters can be checked as well
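The following is an added example, not code from the lecture slides, that puts the ACL rules above into runnable form: it parses the standard and extended access-list syntax used in the examples, applies Cisco wildcard-mask matching, walks the list top-down with first-match-wins and the implicit deny at the end, and flags statements that can never be reached because an earlier statement already matches everything they would (the ordering point made in the ACL definition). The server 10.0.0.5, the source 172.16.1.1 and ACL numbers 56 and 101 are constructed for the demonstration; the parser handles only the eq destination-port form and does not model source ports, established or log options.

```python
"""Toy evaluator for Cisco IOS numbered ACLs (standard 1-99, extended 100-199).

Added example, not from the original lecture slides.  Sample addresses
and ACL numbers below are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any' in long form
MASK32 = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    fixed = ~w & MASK32                 # bits the statement insists on
    return (a & fixed) == (b & fixed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Statement:
    action: str                         # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY[0]                   # standard ACLs never restrict these
    dst_wc: str = ANY[1]
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (wildcard_match(pkt.src, self.src, self.src_wc)
                and wildcard_match(pkt.dst, self.dst, self.dst_wc)
                and self.proto in ("ip", pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Statement") -> bool:
        """True if every packet matching `other` also matches self."""
        def addr_covers(b1, w1, b2, w2):
            b1, w1, b2, w2 = (int(IPv4Address(x)) for x in (b1, w1, b2, w2))
            fixed = ~w1 & MASK32
            # other may not vary any bit we fix, and must agree on the fixed bits
            return (w2 & fixed) == 0 and (b1 & fixed) == (b2 & fixed)
        return (addr_covers(self.src, self.src_wc, other.src, other.src_wc)
                and addr_covers(self.dst, self.dst_wc, other.dst, other.dst_wc)
                and self.proto in ("ip", other.proto)
                and self.dport in (None, other.dport))


def _addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse(line: str) -> Statement:
    """Parse 'access-list N permit|deny ...' in standard or extended form."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:                         # standard: source only
        src, src_wc = _addr(rest)
        return Statement(action, src, src_wc)
    if 100 <= number <= 199:                      # extended: proto src dst [eq port]
        proto = rest.pop(0)
        src, src_wc = _addr(rest)
        dst, dst_wc = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        return Statement(action, src, src_wc, dst, dst_wc, proto, dport)
    raise ValueError(f"unsupported ACL number {number}")


def evaluate(acl: List[Statement], pkt: Packet) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for stmt in acl:
        if stmt.matches(pkt):
            return stmt.action
    return "deny"


def shadowed(acl: List[Statement]) -> List[int]:
    """Indices of statements that can never be reached because an earlier one covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


# Standard ACL from the slides: deny one host, then permit everyone else.
STANDARD_55 = [parse(l) for l in [
    "access-list 55 deny 192.168.13.7 0.0.0.0",
    "access-list 55 permit any",
]]

# Extended ACL (constructed): allow web to one server, block FTP, permit the rest.
EXTENDED_101 = [parse(l) for l in [
    "access-list 101 permit tcp any host 10.0.0.5 eq 80",
    "access-list 101 deny tcp any any eq 21",
    "access-list 101 permit ip any any",
]]

# Mis-ordered list (constructed): the 'permit any' shadows the deny after it.
BROKEN_56 = [parse(l) for l in [
    "access-list 56 permit any",
    "access-list 56 deny host 192.168.13.7",
]]

if __name__ == "__main__":
    print(evaluate(STANDARD_55, Packet("192.168.13.7", "10.0.0.5", "tcp", 80)))   # deny
    print(evaluate(STANDARD_55, Packet("192.168.13.8", "10.0.0.5", "tcp", 80)))   # permit
    print(evaluate(EXTENDED_101, Packet("172.16.1.1", "10.0.0.5", "tcp", 21)))    # deny
    print(evaluate(EXTENDED_101, Packet("172.16.1.1", "10.0.0.5", "tcp", 80)))    # permit
    print(shadowed(BROKEN_56))                                                    # [1]
```

The shadowed() check is the mechanical form of the warning in the ACL definition: a statement whose source, destination, protocol and port are all covered by an earlier statement is dead, and in BROKEN_56 the permit-any on the first line means the deny on the second line is never consulted.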
Place an extended ACL as close as possible to the source machine or range (on your network) of the traffic being denied: because it matches source, destination and protocol, it can drop exactly the unwanted traffic before it crosses the network
A standard ACL does not specify destination addresses, so it must be placed as near as possible to the destination machine (or range) we want to protect; placed near the source, it would cut that source off from everything, not just from the destination
Conclusion
ACLs check packets for certain conditions
Standard ACLs test simple conditions (source address only)
Extended ACLs test more rigorous conditions (source, destination, protocol, port)
Define the ACL
Apply it to an interface, inbound or outbound
Place ACLs sensibly
Be sure to order the statements sensibly too: the first match wins, and anything left unmatched hits the implicit deny