Modul 5 Access Control List PDF

An access control list (ACL) is a sequential list of permit or deny statements that apply to network addresses and protocols. ACLs allow network administrators to filter network traffic by selectively permitting or denying traffic based on defined conditions. Standard ACLs can filter based on source IP addresses, while extended ACLs can also filter on destination addresses, protocols, and port numbers. To implement an ACL, it must be defined with permit and deny statements, then applied to an interface on the router.


Access Control List (ACL)

Muhammad Zen Samsono Hadi, ST. MSc.
Lab. Komunikasi Digital
Gedung D4, Floor 1
EEPIS-ITS
Overview

Network administrators must figure out how to deny unwanted access to the network while allowing internal users appropriate access to necessary services.
Although security tools such as passwords, callback equipment, and physical security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific controls most administrators prefer.
For example, a network administrator may want to allow users access to the Internet, but not permit external users telnet access into the LAN.
Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists (ACLs).
An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
This module will introduce standard and extended ACLs as a means to control network traffic, and how ACLs are used as part of a security solution.
What are ACLs?

An access list is a sequential series of commands or filters.
These lists tell the router what types of packets to accept or deny.
Acceptance and denial can be based on specified conditions.
ACLs are applied on the router's interfaces.
What are ACLs?

The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL.
Some ACL decision points are:
  IP source address
  IP destination address
  UDP or TCP protocol
  upper-layer (TCP/UDP) port numbers
What are ACLs?

ACLs must be defined on a:
  per-protocol (IP, IPX, AppleTalk)
  per-direction (in or out)
  per-port (interface) basis.
ACLs control traffic in one direction at a time on an interface.
A separate ACL would need to be created for each direction, one for inbound and one for outbound traffic.
Finally, every interface can have multiple protocols and directions defined.
How ACLs work

An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface.
ACL statements operate in sequential, logical order (top down).
If a condition match is true, the packet is permitted or denied and the rest of the ACL statements are not checked.
If all the ACL statements are unmatched, an implicit "deny any" statement is placed at the end of the list by default (it is not visible in the configuration).
When first learning how to create ACLs, it is a good idea to add the implicit deny explicitly at the end of ACLs, as a reminder that it is always present even though the command line does not show it.
Two types of ACLs

Standard IP ACLs
  Can only filter on source IP addresses
Extended IP ACLs
  Can filter on:
    Source IP address
    Destination IP address
    Protocol (TCP, UDP)
    Port numbers (Telnet 23, HTTP 80, etc.)
    and other parameters
Creating Standard ACLs: 2 Steps

Step 1: define the ACL statements (the permit and deny test conditions).
Step 2: apply the ACL to an interface, in one direction.

Learn by example! (Standard IP)

(Topology used in all of the following examples: RouterA, RouterB and RouterC in a line. RouterA e0 is 172.16.10.1 on the Administration LAN 172.16.10.0/24 (hosts 172.16.10.2 and 172.16.10.3); RouterA s0 172.16.20.1 connects to RouterB s0 172.16.20.2 over 172.16.20.0/24. RouterB e0 is 172.16.30.1 on the Sales LAN 172.16.30.0/24 (hosts 172.16.30.2 and 172.16.30.3); RouterB s1 172.16.40.1 connects to RouterC s0 172.16.40.2 over 172.16.40.0/24. RouterC e0 is 172.16.50.1 on the Engineering LAN 172.16.50.0/24 (hosts 172.16.50.2 and 172.16.50.3).)

Task:
Permit only the host 172.16.30.2 from exiting the Sales network.
Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.
Learn by example! (same topology)

Step 1: ACL statements (the test conditions). The implicit deny any is automatically added.

RouterB(config)#access-list 10 permit 172.16.30.2
(Implicit deny any; you do not need to add this, discussed later)
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

Applying ACLs (Standard IP; from the Cisco web site)

You can define ACLs without applying them.
However, the ACLs will have no effect until they are applied to the router's interface.
It is good practice to apply standard ACLs on the interface closest to the destination of the traffic and extended ACLs on the interface closest to the source (coming later).

Defining In, Out, Source, and Destination
Out - Traffic that has already been routed by the router and is leaving the interface.
In - Traffic that is arriving on the interface and which will then be routed by the router.
Learn by example! (same topology)

Step 2: apply the ACL to an interface.

RouterB(config)#access-list 10 permit 172.16.30.2
(Implicit deny any; you do not need to add this, discussed later)
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Learn by example! (same topology)

Step 2 (alternative): apply the ACL to the outgoing interfaces instead. Which is preferable, and why?

RouterB(config)#access-list 10 permit 172.16.30.2
(Implicit deny any; you do not need to add this, discussed later)
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface s 0
RouterB(config-if)# ip access-group 10 out
RouterB(config)# interface s 1
RouterB(config-if)# ip access-group 10 out
Learn by example! (same topology)

Because of the implicit deny any, applying the list outbound on s0 and s1 has the adverse effect of also denying packets from Administration from reaching Engineering, and denying packets from Engineering from reaching Administration.

RouterB(config)#access-list 10 permit 172.16.30.2
(Implicit deny any; you do not need to add this, discussed later)
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface s 0
RouterB(config-if)# ip access-group 10 out
RouterB(config)# interface s 1
RouterB(config-if)# ip access-group 10 out
Example 2 (same topology)

Task:
Permit only the hosts 172.16.30.2, 172.16.30.3, 172.16.30.4 and 172.16.30.5 from exiting the Sales network.
Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.
Example 2 (same topology)

Once a condition is met, all other statements are ignored, so the implicit deny any only applies to packets that matched none of the statements.

RouterB(config)#access-list 10 permit 172.16.30.2
RouterB(config)#access-list 10 permit 172.16.30.3
RouterB(config)#access-list 10 permit 172.16.30.4
RouterB(config)#access-list 10 permit 172.16.30.5
(Implicit deny any; you do not need to add this, discussed later)
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Example 2 (same topology)

To remove an access list, use the no access-list command. Removing only the access-group from the interface leaves the access list in the configuration, but it is no longer being applied. Usually it is best to remove both.

RouterB(config)#no access-list 10

RouterB(config)# interface e 0
RouterB(config-if)# no ip access-group 10 in
Example 3 (same topology)

Task:
Deny only the host 172.16.30.2 from exiting the Sales network.
Permit all other hosts on the Sales network to leave the 172.16.30.0/24 network.

The keyword any can be used to represent all IP addresses.
Example 3 (same topology)

Order matters! What if these two statements were reversed? Does the implicit deny any ever get a match? No, the permit any will cover all other packets.

RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 permit any
(Implicit deny any; you do not need to add this, discussed later)
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255

RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Notes from www.cisco.com

Traffic coming into the router is compared to ACL entries based on the order in which the entries occur in the router.
New statements are added to the end of the list.
The router keeps looking until it has a match.
If no matches are found when the router reaches the end of the list, the traffic is denied.
For this reason, you should have the frequently hit entries at the top of the list.
There is an "implied deny" for traffic that is not permitted.
A single-entry ACL with only one "deny" entry has the effect of denying all traffic.
You must have at least one "permit" statement in an ACL or all traffic will be blocked.

access-list 10 permit 10.1.1.1 0.0.0.255
access-list 10 deny ip any (implicit)
Time for Wildcard Masks!

A wildcard mask address:
Tells how much of the packet's source IP address (or destination IP address) needs to match for this condition to be true.
Wildcard Masks! Test Condition

Test condition:      10101100.00010000.00000000.00000000   (172.16.0.0)
Wildcard mask:       00000000.00000000.11111111.11111111   (0.0.255.255)
                     -----------------|-----------------
                     Must match        No match necessary
Matching packets:    10101100.00010000.any value.any value

The wildcard mask gives the bits that must match and the bits that do not matter.
Matching packets will look like the last line above.

0 - check the corresponding bit value.
1 - do not check (ignore) the corresponding bit value.
Example 4: Using Wildcard Masks (same topology)

Task:
We want RouterA to permit the entire Sales network and just the 172.16.50.2 station.
Deny all other traffic from entering the Administration network.
Example 4: Using Wildcard Masks (same topology)

Don't forget to apply the access-list to an interface.

RouterA(config)#access-list 11 permit 172.16.30.0 0.0.0.255
RouterA(config)#access-list 11 permit 172.16.50.2 0.0.0.0

RouterA(config)# interface e 0
RouterA(config-if)#ip access-group 11 out
Practice

RouterB(config)#access-list 10 permit __________ ___________

Permit the following networks:

   Network/Subnet Mask             Address/Wildcard Mask
A. 172.16.0.0 255.255.0.0          __________
B. 172.16.1.0 255.255.255.0        __________
C. 192.168.1.0 255.255.255.0       __________
D. 172.16.16.0 255.255.240.0       __________ (hmmm . . .?)
E. 172.16.128.0 255.255.192.0      __________ (hmmm . . .?)

Permit the following hosts:

   Network/Subnet Mask             Address/Wildcard Mask
A. 172.16.10.100                   __________
B. 192.168.1.100                   __________
C. All hosts                       __________
Practice: Do you see a relationship?

RouterB(config)#access-list 10 permit __________ ___________

Permit the following networks:

   Network/Subnet Mask             Address/Wildcard Mask
A. 172.16.0.0 255.255.0.0          172.16.0.0 0.0.255.255
B. 172.16.1.0 255.255.255.0        172.16.1.0 0.0.0.255
C. 192.168.1.0 255.255.255.0       192.168.1.0 0.0.0.255
D. 172.16.32.0 255.255.240.0       172.16.32.0 0.0.15.255
E. 172.16.128.0 255.255.192.0      172.16.128.0 0.0.63.255

Permit the following hosts:

   Network/Subnet Mask             Address/Wildcard Mask
A. 172.16.10.100                   172.16.10.100 0.0.0.0
B. 192.168.1.100                   192.168.1.100 0.0.0.0
C. All hosts                       0.0.0.0 255.255.255.255
255.255.255.255 - Subnet Mask = Wildcard Mask

RouterB(config)#access-list 10 permit __________ ___________

Permit the following networks:

   255.255.255.255 - Subnet Mask     = Wildcard Mask
A. 255.255.255.255 - 255.255.0.0     = 0.0.255.255
B. 255.255.255.255 - 255.255.255.0   = 0.0.0.255
C. 255.255.255.255 - 255.255.255.0   = 0.0.0.255
D. 255.255.255.255 - 255.255.240.0   = 0.0.15.255
E. 255.255.255.255 - 255.255.192.0   = 0.0.63.255

Permit the following hosts (host routes have a /32 mask):

   255.255.255.255 - /32 Mask        = Wildcard Mask
A. 255.255.255.255 - 255.255.255.255 = 0.0.0.0
B. 255.255.255.255 - 255.255.255.255 = 0.0.0.0
host option

RouterB(config)#access-list 10 permit 192.168.1.100 0.0.0.0
RouterB(config)#access-list 10 permit host 192.168.1.100

Permit the following hosts:

   Network/Subnet Mask             Address/Wildcard Mask
A. 172.16.10.100                   172.16.10.100 0.0.0.0
B. 192.168.1.100                   192.168.1.100 0.0.0.0

The host option substitutes for the 0.0.0.0 mask.
This mask requires that all bits of the ACL address and the packet address match.
The host keyword precedes the IP address.
This option will match just one address.

172.16.10.100 0.0.0.0 is replaced by host 172.16.10.100
192.168.1.100 0.0.0.0 is replaced by host 192.168.1.100
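The wildcard arithmetic from the practice slides, worked in code. This is an added example, not part of the slides: it computes the wildcard mask as 255.255.255.255 minus the subnet mask, renders the host/any shorthands, and checks a packet address bit by bit (0 = must match, 1 = ignored); the function names are my own.

```python
"""Wildcard-mask helpers for the practice slides above.
Added example, not from the slides: the 255.255.255.255 - mask relation,
the host/any shorthands, and bitwise matching (0 = must match, 1 = ignore)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def wildcard_from_mask(mask):
    """255.255.255.255 - subnet mask, e.g. 255.255.240.0 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(ALL_ONES - _ip(mask)))

def wildcard_from_prefix(prefix_len):
    """Same relation for a /n prefix; a /32 host route gives 0.0.0.0."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(mask))

def acl_entry(network, mask):
    """Address/wildcard text as typed after 'access-list 10 permit';
    IOS lets 'host A' stand for 'A 0.0.0.0' and 'any' for '0.0.0.0 255.255.255.255'."""
    wild = wildcard_from_mask(mask)
    if wild == "0.0.0.0":
        return f"host {network}"
    if wild == "255.255.255.255":
        return "any"
    return f"{network} {wild}"

def matches(address, wildcard, packet_ip):
    """True when packet_ip agrees with address on every bit the wildcard marks 0."""
    a, w, p = _ip(address), _ip(wildcard), _ip(packet_ip)
    return ((a ^ p) & ~w & ALL_ONES) == 0

def show_bits(address, wildcard):
    """The slide's bit view: 'x' where the wildcard bit is 1 (no match needed)."""
    a, w = _ip(address), _ip(wildcard)
    bits = "".join("x" if (w >> i) & 1 else str((a >> i) & 1)
                   for i in range(31, -1, -1))
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))
```

The subtraction rule only holds for contiguous subnet masks; matches() itself works for any wildcard, including non-contiguous ones.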
Verifying Access Lists

(The show command output on these three slides was an image and is not in the extracted text.)

Note: More than one interface can use the same access-list.
Standard ACL

We will see why in a moment.

The full syntax of the standard ACL command is:

Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]

The no form of this command is used to remove a standard ACL. This is the syntax (it deletes the entire ACL!):

Router(config)#no access-list access-list-number
Extended Access Lists

(The syntax slide was an image. The extended form is: access-list access-list-number {permit | deny} protocol source source-wildcard [operator [port]] destination destination-wildcard [operator [port]].)

Extended ACLs are used more often than standard ACLs because they provide a greater range of control.
Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers.
This gives greater flexibility to describe what the ACL will check.
Packets can be permitted or denied access based on where the packet originated and its destination, as well as protocol type and port addresses.

Extended Access Lists

Operator and operand can also refer to ICMP types and codes, or to whatever protocol is being checked.
If the operator and operand follow the source address, they refer to the source port.
If the operator and operand follow the destination address, they refer to the destination port.
Extended Access Lists - Examples

(The operand after an operator such as eq is a port number or protocol name.)

The ip access-group command links an existing extended ACL to an interface.
Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:

Router(config-if)#ip access-group access-list-number {in | out}
Example 1 (Extended; same topology, with a web server on port 80 at 172.16.10.2 in the Administration network)

Task
What if we wanted RouterA to permit only the Engineering workstation 172.16.50.2 to access the web server in the Administration network with the IP address 172.16.10.2 and port 80?
All other traffic is denied.

Example 1 (Extended)

RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 80

RouterA(config)#inter e 0
RouterA(config-if)#ip access-group 110 out

Why is it better to place the ACL on RouterA instead of RouterC?
Notes from www.cisco.com

In the following example, the last entry is sufficient.
You do not need the first three entries because TCP includes Telnet, and IP includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
access-list 101 permit udp host 10.1.1.2 host 172.16.1.1
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Placing ACLs

(Diagram: source network 10.0.0.0/8, destination network 172.16.0.0/16.)

The general rule:
Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
Put extended ACLs as close as possible to the source of the traffic being denied.

Placing ACLs

If the ACLs are placed in the proper location, not only can traffic be filtered, but the whole network can be made more efficient.
If traffic is going to be filtered, the ACL should be placed where it has the greatest impact on increasing efficiency.
Placing ACLs: Extended Example

(Diagram: source 10.0.0.0/8 behind Router A, destination 172.16.0.0/16 behind Router D; ACL: deny telnet, deny ftp, permit any.)

Policy is to deny telnet or FTP from the Router A LAN to the Router D LAN.
All other traffic must be permitted.
Several approaches can accomplish this policy.
The recommended approach uses an extended ACL specifying both source and destination addresses.

Placing ACLs: Extended Example

RouterA:
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet
access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp
access-list 101 permit ip any any
interface fastethernet 0/1
 ip access-group 101 in

Place this extended ACL in Router A.
Then the denied packets do not cross Router A's Ethernet, do not cross the serial interfaces of Routers B and C, and do not enter Router D.
Traffic with different source and destination addresses will still be permitted.
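A first-match evaluator for the numbered ACLs used in this module, added here as an example (not from the slides or from Cisco IOS). It parses the standard statements of Example 1 (RouterB's ACL 10, whose outbound placement also catches Administration-to-Engineering traffic), the order-dependent statements of Example 3, the extended ACL 101 from the placement example above, and the redundant four-line list from the Cisco note; function names and the packet values are my own.

```python
"""First-match evaluator for the numbered ACL statements used in this module.
Added example, not from the slides or from Cisco IOS: parses
'access-list N {permit|deny} ...' lines (standard 1-99, extended 100-199)
and walks them top down with the implicit deny at the end."""
import ipaddress

ALL_ONES = 0xFFFFFFFF
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "smtp": 25, "domain": 53}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (bare address = wildcard 0.0.0.0)."""
    if tok[0] == "any":
        return (0, ALL_ONES), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit():      # explicit wildcard follows
        return (_ip(tok[0]), _ip(tok[1])), tok[2:]
    return (_ip(tok[0]), 0), tok[1:]

def _parse_port(tok):
    """Consume an optional 'eq PORT' (number or IOS name); None means any port."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(lines):
    """Turn the configuration lines into an ordered list of rule tuples."""
    rules = []
    for line in lines:
        tok = line.split()
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if number < 100:                               # standard: source only
            src, rest = _parse_addr(rest)
            proto, sport, dst, dport = "ip", None, (0, ALL_ONES), None
        else:                                          # extended
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            sport, rest = _parse_port(rest)
            dst, rest = _parse_addr(rest)
            dport, rest = _parse_port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def _addr_match(spec, ip):
    """Wildcard compare: a 0 bit in the mask must match, a 1 bit is ignored."""
    addr, wild = spec
    return ((addr ^ _ip(ip)) & ~wild & ALL_ONES) == 0

def evaluate(rules, src, dst, proto="ip", sport=None, dport=None):
    """'permit' or 'deny' for one packet: top down, first match wins."""
    for action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if r_proto in ("ip", proto) and _addr_match(r_src, src) \
                and _addr_match(r_dst, dst) and r_sport in (None, sport) \
                and r_dport in (None, dport):           # 'ip' covers tcp/udp/icmp
            return action
    return "deny"          # the implicit "deny any" at the end of every ACL

# Example 1: RouterB's ACL 10, which the slides apply outbound on s0 and s1.
ACL10 = parse_acl(["access-list 10 permit 172.16.30.2"])
# Placing ACLs, extended example: RouterA's ACL 101.
ACL101 = parse_acl(["access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq telnet",
                    "access-list 101 deny tcp any 172.16.0.0 0.0.255.255 eq ftp",
                    "access-list 101 permit ip any any"])
```

Evaluating an Administration-to-Engineering packet against ACL10 returns "deny", which is exactly the side effect the slides warn about when the list is placed outbound on the serial interfaces.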
Placing ACLs: Standard Example

(Diagram: source 10.0.0.0/8, destination 172.16.0.0/16; ACL: deny 10.0.0.0, permit any.)

RouterD:
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
interface fastethernet 0/0
 ip access-group 10 in

Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
If a standard ACL is put too close to the source, it will deny not only the intended traffic, but all other traffic to all other networks as well.

Placing ACLs: Standard Example

RouterD:
interface fastethernet 0/0
 ip access-group 10 in
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any

It is better to use extended access lists and place them close to the source, as this traffic will travel all the way to RouterD before being denied.
Firewalls

A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders.
In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects.
Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.
ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet.
The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.
ACLs can be used on a router positioned between two parts of the network to control traffic entering or exiting a specific part of the internal network.

Firewalls

ISPs use ACLs to deny RFC 1918 addresses into their networks, as these are non-routable Internet addresses.
IP packets coming into your network should never have a source address that belongs to your network. (This should be applied on all network entrance routers.)
There are several other simple access lists which should be added to network entrance routers.
