Chapter 1: Introduction
In the preface we noted that a router's access list is a network's first line of defense. We also noted that an access list provides a mechanism for controlling the flow of information through different interfaces of a router. This capability allows use of access lists to regulate the flow of information as a mechanism to implement organizational network-related policies. Such policies can represent security functions and affect the prioritization of traffic. For example, an organization may wish to enable or disable access from the Internet to a corporate Web server or allow traffic generated by one or more stations from an internal local area network (LAN) to flow onto an ATM-based communications backbone wide area network (WAN). Both of these situations, as well as other functions, can be accomplished by the use of access lists.
This chapter's goal is to acquaint you with the contents of the book. First we will introduce you to the concept of the Cisco Professional Field Guide Series, of which this book is the first, followed by a brief review of the role of routers and some basic information concerning Cisco access lists. Then we will provide a preview of the book, briefly focusing attention on material presented in succeeding chapters. The introduction, along with the index, will enable you to find topics of interest.
The Cisco Professional Reference Guide
The Cisco Professional Reference Guide Series provides information and a series of practical examples covering the operation of Cisco equipment that you can easily tailor to your specific organizational requirements.
This first book in the reference guide series is focused upon access lists, and provides detailed information on the use of different types of access lists, their formats and creation, application to interfaces, and operation. We provide a series of examples for each distinct type of access list that follows a common format, which includes an overview of an application or problem, a network schematic diagram illustrating the basic structure of a router with respect to its WAN and LAN interfaces, and appropriate IOS statements for effecting an access list that satisfies the application or problem. Each access list example concludes with an explanation of the rationale for key IOS statements required to implement the access list.
The Role of Routers
From an operational perspective the major function of a router is to transfer packets from one network to another. Routers operate at the network layer that represents the third layer of the open systems interconnection (OSI) reference model. By examining the network address of packets, routers are programmed to make decisions concerning the flow of packets, as well as the creation and maintenance of routing tables. Such protocols as the routing information protocol (RIP), open shortest path first (OSPF), and the border gateway protocol (BGP) represent only three of more than 50 routing protocols that have been developed over the past 20 years. The router represents the first line of protection for a network in terms of security. That protection is in the form of access lists created to enable or deny the flow of information through one or more router interfaces.
Cisco Systems routers support two types of access lists, basic and extended. A basic access list controls the flow of information based on network addresses. An extended access list controls the flow of information by network address and the type of data being transferred within a packet. Although access lists represent the first line of protection for a network, as currently implemented they usually do not examine the actual contents of the information fields of packets, nor do they maintain information about the "state" of a connection. In other words, each packet is examined individually without the router attempting to determine whether the packet is part of a legitimate conversation stream.
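To make the basic/extended distinction and the stateless behaviour concrete, here is an added IOS configuration fragment (constructed for this edit, not one of the book's examples); the addresses, the interface name Serial0 and the list numbers are assumptions.

```cisco
! Constructed example: 192.168.1.0/24 is the internal LAN, 192.168.1.10 is the
! corporate Web server, and Serial0 is the interface facing the WAN.
!
! Basic (standard) list 10: the decision is made on the source network address
! only. IOS uses wildcard masks, so 0.0.0.255 means "any host in the /24".
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
!
! Extended list 101: the decision considers protocol, source, destination and
! port. Line 1 lets any Internet host reach the Web server on TCP port 80 only.
! Line 2 lets replies to LAN-initiated TCP sessions back in. "established" is
! NOT connection tracking: it only tests whether the ACK or RST bit is set in
! the packet, so every packet is still judged on its own, as the text says.
access-list 101 permit tcp any host 192.168.1.10 eq 80
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny ip any any log
!
! Apply: the standard list filters what the LAN may send out toward the WAN,
! the extended list filters what the WAN may send in.
interface Serial0
 ip access-group 10 out
 ip access-group 101 in
```

The `log` keyword on the final deny lines produces syslog messages for rejected packets, which is the simplest way to confirm the list is doing what you intended.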
Over the past 2 years Cisco Systems has significantly enhanced the capability of access lists to include new functions such as the examination of inbound and outbound traffic based upon time of day and day of week, the ability to insert dynamic entries into standard and extended access lists, and the ability to prevent one of the more common methods of hacker attacks from adversely affecting Web servers and other network devices.
We will examine the types and features of Cisco access lists, including context-based access control lists (CBAC) and reflexive access control lists (reflexive ACLs). CBAC is the heart of the Cisco firewall feature set (FFS). The FFS is a specific code revision available for some Cisco router models. Beginning with IOS 12.0T, CBAC is available on the 800, 1600, 1720, 2500, 3600, and 7200 series routers. This feature maintains information about the state of an existing connection, examines application layer information for a limited number of TCP and UDP protocols, and provides a significantly greater level of security than traditional access lists. Reflexive ACLs are a new feature introduced in the 11.3 revision of the Cisco IOS. Reflexive ACLs maintain a degree of "pseudostate" information by creating dynamic entries in traditional ACLs once a legitimate conversation is started. Future packets are evaluated against the dynamic entries in the reflexive ACL to determine if they are part of an existing connection. Once the conversation is ended, the dynamic entries are deleted from the ACL. However, reflexive ACLs do not understand higher-layer protocols and are not suitable for use with some multichannel protocols such as file transfer protocol (FTP). CBAC and reflexive ACLs will be covered in detail later.
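The "pseudostate" mechanism described above, shown as an added IOS configuration (constructed for this edit, not from the book); the LAN prefix, interface name and list names are assumptions.

```cisco
! Constructed example: LAN 192.168.1.0/24 sits behind Serial0, which faces the
! WAN. Reflexive entries can only be created from named extended access lists.
!
! Outbound: each TCP or UDP session permitted here creates a temporary
! mirror-image (source/destination swapped) entry in TCP-SESSIONS or
! UDP-SESSIONS. TCP entries are removed when FIN/RST is seen or on timeout;
! UDP has no close, so its entries live only until the idle timeout expires.
ip access-list extended OUTBOUND
 permit tcp 192.168.1.0 0.0.0.255 any reflect TCP-SESSIONS timeout 300
 permit udp 192.168.1.0 0.0.0.255 any reflect UDP-SESSIONS timeout 60
 permit icmp 192.168.1.0 0.0.0.255 any
!
! Inbound: "evaluate" consults the dynamic entries, so only return traffic of a
! session the LAN started matches. The Web server stays reachable by a normal
! static entry; everything else falls through to the explicit deny.
ip access-list extended INBOUND
 permit tcp any host 192.168.1.10 eq 80
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any log
!
! Default lifetime for dynamic entries that carry no per-line timeout.
ip reflexive-list timeout 120
!
interface Serial0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Caveat matching the text: active-mode FTP opens its data channel from the
! server back toward the client as a NEW connection, which no reflected entry
! describes, so that session is blocked by the deny. CBAC handles this case.
```

`show access-lists` displays the reflexive lists together with the dynamic entries that currently exist, which is the quickest way to verify that a session has been mirrored.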
Access control lists can be used to perform a significant number of functions in addition to security-related tasks, so the examples provided go beyond security. We will illustrate methods to control router table updates, limit the flow of traffic by time and day, and explore other techniques associated with the use of access control lists.
Book Preview
This section provides an overview of the focus of succeeding chapters. You can use the information in this section either by itself or in conjunction with the index to directly locate specific areas of interest. While the authors recommend that persons not familiar with the basics of IOS and use of access lists read the first few chapters in consecutive order, the last five chapters were developed as modular units focused on a single type of access list, so once you become familiar with the initial chapters, you can read the later chapters based on your need for information and examples concerning a particular type of access list.
Router Hardware and Software
The ability to code and apply an access list requires an understanding of Cisco router hardware and software. Knowledge of the hardware enables understanding how a router operates as well as methods to facilitate its configuration. Chapter 2 examines the basic hardware components of a...