
Academy of Science Misurata Computer Science Department

Firewalls based on Access Control Lists (Packet filtering)


Prepared by: Mussab Saleh El Riani
Supervision: Dr Behalul El Fgee

Firewalls

A firewall sits between two networks
Used to protect one from the other
Places a bottleneck between the networks
All communications must pass through the bottleneck; this gives us a single point of control
17 March 2009 ITCN

Protection Methods

Packet Filtering
Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts

Network Address Translation (NAT)
Translates the addresses of internal hosts so as to hide them from the outside world
Also known as IP masquerading


Packet Filters

Compare network and transport protocol headers to a database of rules and then forward only the packets that meet the criteria of the rules
Implemented in routers and sometimes in the TCP/IP stacks of workstation machines

In a router, a filter prevents suspicious packets from reaching your network
In a TCP/IP stack, it prevents that specific machine from responding to suspicious traffic

Packet-filtering Router

A packet-filtering router is a router that filters with access control lists. So what are access control lists?

This Week: Access Control Lists


What are ACLs? What are they for?

How do they work?


Standard ACLs

Extended ACLs
Where to place them

Reasons for ACLs


Limit network traffic to where we define it and increase network performance
Provide traffic flow control
ACLs can restrict or reduce the contents of routing updates
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at router interfaces

Consider an arbitrary Network


The task of ACLs


An ACL is a group of statements that define how or whether packets:
Enter inbound interfaces
Exit outbound interfaces of the router

The Order of ACLs is important

If you create a condition statement that permits all traffic, no statements added later will ever be checked
An implicit last statement denies all traffic
The statements preceding it must allow the permitted traffic to flow
Construct statements carefully: anything not explicitly permitted will be denied


Standard ACLs

You use standard ACLs when you:
want to block all traffic from a network
want to allow all traffic from a specific network

Standard ACLs check only the source address of packets that could be routed across your network
Standard ACLs are not used very often


Extended ACLs

These are used whenever we want to be more specific about the type of traffic to block, e.g. a certain host, or an entire protocol such as www, ftp or icmp (ping)

These are used very frequently


Standard and Extended ACLs

ACL numbers 1 to 99 are for standard ACL statements
ACL numbers 100 to 199 are for extended ACL statements


Which Interface to place the ACL?

ACLs are assigned to one or more interfaces
They can filter inbound or outbound traffic
Inbound ACLs must check all packets before the packet is switched to the outbound interface


Examples of ACLs

access-list 33 permit 192.168.0.0 0.0.255.255
(permits all traffic from the range 192.168.0.0 to 192.168.255.255; the wildcard mask 0.0.255.255 means the last two octets are "don't care")

access-list 44 deny 192.168.13.7 0.0.0.0
(denies traffic from only the host 192.168.13.7; the wildcard mask 0.0.0.0 means every bit must match)

access-list 55 permit any
(permits all traffic from any network; the keyword "any" stands for 0.0.0.0 255.255.255.255, and the slide's original form "0.0.0.0 any" is not accepted by the router)


Extended ACLs

Provide a greater range of control than standard ACLs
E.g. we can allow Web traffic but deny File Transfer Protocol (FTP), TELNET or other traffic
Extended ACLs check for both source and destination packet addresses
Specific protocols, port numbers and other parameters can also be checked


Extended ACL example


chatham(config)#ip access-list extended 150
chatham(config-ext-nacl)#?
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  remark   Access list entry comment
chatham(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.255 192.168.2.3 0.0.0.255
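The standard statements on the previous slide and the extended statement entered here can be checked against sample packets with a small simulator. The following Python is an added example, not part of the original slides and not Cisco IOS code: it parses numbered access-list statements using the wildcard-mask rule, applies first-match ordering and the implicit deny, and uses a constructed ACL 150 (not from the slides) as sample input.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care" (the inverse of a netmask)
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def _addr(tokens):
    # Accepts "any", "host A.B.C.D" or "A.B.C.D WILDCARD"; returns (base, wildcard, remaining tokens)
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(lines):
    rules = []
    for line in lines:
        t = line.split()                       # access-list <number> permit|deny ...
        num, action, rest = int(t[1]), t[2], t[3:]
        rule = {"acl": num, "action": action, "text": line, "proto": "ip", "dst": None, "dport": None}
        if 1 <= num <= 99:                     # standard ACL: source address only
            rule["src"], rule["swc"], _ = _addr(rest)
        elif 100 <= num <= 199:                # extended ACL: protocol, source, destination, [eq port]
            rule["proto"] = rest[0]
            rule["src"], rule["swc"], rest = _addr(rest[1:])
            rule["dst"], rule["dwc"], rest = _addr(rest)
            if rest[:1] == ["eq"]:
                rule["dport"] = int(rest[1])
        else:
            raise ValueError(f"ACL number {num} is outside the standard (1-99) and extended (100-199) ranges")
        rules.append(rule)
    return rules

def evaluate(rules, src, dst, proto="ip", dport=None):
    # Statements are tested in order, first match wins; no match hits the implicit "deny all" at the end
    for r in rules:
        if (r["proto"] in ("ip", proto)
                and wildcard_match(src, r["src"], r["swc"])
                and (r["dst"] is None or wildcard_match(dst, r["dst"], r["dwc"]))
                and (r["dport"] is None or r["dport"] == dport)):
            return r["action"], r["text"]
    return "deny", "implicit deny"

# Constructed sample: the host-specific deny must precede the broader permit or it is never reached
ACL_150 = parse_acl(["access-list 150 deny ip host 192.168.1.7 any",
                     "access-list 150 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80"])
```

Reversing the two statements of ACL_150 lets host 192.168.1.7 through, which is the ordering mistake the slides warn about.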


Well-known Port numbers


Some ports are commonly used
Their numbers are well-known
A PC can be configured by a hacker to use a different port!


Placing Standard and Extended ACLs

Put extended ACLs as close as possible to the source machine or range (on your network) for the traffic type denied
Standard ACLs do not specify destination addresses, so you have to put the standard ACL as near as possible to the destination machine (or range) we want to deny


Conclusion

ACLs check packets for certain conditions
Standard ACLs test simple conditions
Extended ACLs test for more rigorous conditions
Define the ACL, then apply it to an interface
Place ACLs sensibly
Be sure to order ACL statements sensibly too!