
Lecture 8

Access Control Lists (ACLs)


Ali A Yehya

CCNA4-1 Chapter 5

Access Control Lists

Using ACLs to Secure Networks


• ACLs enable you to control traffic into and out of your network.
• This can be as simple as permitting or denying particular hosts or addresses, or it can control traffic based on the TCP port being used.
• To understand how an ACL works with TCP, look at the dialogue that occurs during a TCP conversation when you download a web page to your computer.

Using ACLs to Secure Networks

Packet Filtering:
• Controls access to a network by analyzing incoming and outgoing packets and passing or dropping them based on stated criteria.
• These criteria are defined using ACLs.
• An Access Control List (ACL) is a sequential list of permit or deny statements that apply to IP addresses or upper-layer protocols.
Using ACLs to Secure Networks

Packet Filtering:
• The ACL can extract the following information from the packet header, test it against its rules and make a permit or deny decision based on:
• Source IP address.
• Destination IP address.
• and, for extended ACLs, also:
• TCP/UDP source port.
• TCP/UDP destination port.
• Packet filtering works at Layer 3; matching on ports additionally reads the Layer 4 (TCP/UDP) header.
Using ACLs to Secure Networks

For example: web (HTML) traffic is OK for Network A but not for Network B, so the ACL permits HTTP from Network A and denies it from Network B.

What is an ACL?

An Access Control List (ACL) is:
• A sequential list of permit or deny statements.
• Applied to IP addresses (Layer 3 header).
• Applied to upper-layer protocols (Layer 4 header).
• Controls whether a router permits or denies packets passing through it.
• A commonly used object in Cisco IOS.
• Also used to select certain types of traffic to be analyzed, forwarded or processed, e.g. for Network Address Translation (NAT), or to restrict Telnet or SSH access to the router itself (an ACL applied to the vty lines with access-class).
What is an ACL?

• By default, a router does not have any ACLs.
• As each packet comes through an interface with an associated ACL:
• The ACL is checked from top to bottom, one statement at a time.
• The pattern defined in each ACL statement is compared with the specified fields of the packet.
• Checking stops at the first matching statement.
• The action defined by that statement (permit or deny) is taken.
• If no statement matches, the default is to deny the packet: every ACL ends with an implicit "deny any".
• Because the first match wins, order matters: a broad statement placed early shadows any more specific statements after it, so put specific entries first and verify hit counts with show access-lists.
ACL Functions (Why do we need them?)
• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at the router interfaces.
• Allow an administrator to control which areas of a network a client can access.
• Screen certain hosts to either allow or deny access to part of a network.
• Grant or deny users access to certain application protocols, such as FTP or HTTP, by matching their TCP ports.
Types of Cisco ACLs

Two types:

Standard ACLs:
• Standard ACLs allow you to permit or deny traffic based on the source IP address only.
• The destination of the packet and the ports involved do not matter.
• Example: permit all traffic from the 192.168.30.0/24 network.
• Because of the implied "deny any" at the end, all other traffic is blocked by this ACL.
• Since a standard ACL cannot see the destination, it is normally placed as close to the destination as possible so that it does not also block traffic to other destinations.

Extended ACLs:
• Extended ACLs filter IP packets based on several attributes: protocol type, source and/or destination IP address, and source and/or destination TCP or UDP ports.
• Example: permit traffic originating from any address on the 192.168.30.0/24 network to any destination host on port 80 (HTTP).
• Because an extended ACL can match the whole flow, it is normally placed as close to the source as possible so that unwanted traffic is dropped before it crosses the network.
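The following Python simulator is an added example; it is not part of the lecture and is not Cisco IOS code. It ties together the header fields packet filtering looks at, the top-down first-match evaluation with the implicit deny, and the difference between the standard and extended ACL examples above. It parses a subset of the IOS access-list syntax (numbered standard and extended entries, wildcard masks, any, host, eq with a port number or the www/ftp/telnet keywords). The configuration and the packets it evaluates are constructed for this example: ACL 10 and ACL 110 are the lecture's two entries, 192.168.31.0/24 is assumed to be Network B, 203.0.113.5 is an assumed web server, and ACL 120 is a hypothetical list whose deny entry is shadowed by an earlier permit ip any any.

```python
"""Constructed example (not lecture or Cisco code): simulate how a Cisco IOS router
evaluates numbered ACLs. Parses a subset of `access-list` syntax (standard 1-99,
extended 100-199, wildcard masks, any/host, `eq <port|www|ftp|telnet>`), IPv4 only."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}  # subset of the IOS port keywords
ANY = 0xFFFFFFFF                                    # wildcard with every bit "don't care"

def _ip_int(addr: str) -> int:
    return int(IPv4Address(addr))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # "ip", "tcp" or "udp"
    dport: Optional[int] = None   # destination port for tcp/udp

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches tcp and udp as well
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        # Wildcard mask semantics: a 1 bit is "don't care", a 0 bit must match.
        if (_ip_int(pkt.src) ^ self.src) & ~self.src_wild & ANY:
            return False
        if (_ip_int(pkt.dst) ^ self.dst) & ~self.dst_wild & ANY:
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W`; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, ANY, i + 1
    if t[i] == "host":
        return _ip_int(t[i + 1]), 0, i + 2
    wild = _ip_int(t[i + 1]) if i + 1 < len(t) else 0   # bare address = that single host
    return _ip_int(t[i]), wild, i + 2

def parse_acls(lines: List[str]) -> Dict[int, List[Rule]]:
    """Group `access-list N ...` lines by ACL number, keeping the entry order."""
    acls: Dict[int, List[Rule]] = {}
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:                      # standard: source address only
            src, wild, _ = _parse_addr(t, 3)
            rule = Rule(action, "ip", src, wild, 0, ANY)
        else:                                      # extended: proto src dst [eq port]
            src, swild, i = _parse_addr(t, 4)
            dst, dwild, i = _parse_addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            rule = Rule(action, t[3], src, swild, dst, dwild, dport)
        acls.setdefault(number, []).append(rule)
    return acls

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins; returns (action, index of the matching entry)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None           # the implicit "deny any" that ends every ACL

# Constructed config: the lecture's two entries, a deny for Network B's web traffic,
# and a hypothetical ACL 120 whose deny entry is shadowed by a too-broad first entry.
EXAMPLE_CONFIG = """
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 110 deny tcp 192.168.31.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.30.0 0.0.0.255 any eq 80
access-list 120 permit ip any any
access-list 120 deny tcp 192.168.31.0 0.0.0.255 any eq www
""".strip().splitlines()

def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    acls = parse_acls(EXAMPLE_CONFIG)
    web_from_a = Packet("192.168.30.10", "203.0.113.5", "tcp", 80)   # Network A host (assumed)
    web_from_b = Packet("192.168.31.10", "203.0.113.5", "tcp", 80)   # Network B host (assumed)
    ssh_from_a = Packet("192.168.30.10", "203.0.113.5", "tcp", 22)
    return {
        "std_a": evaluate(acls[10], web_from_a),       # ("permit", 0)
        "std_b": evaluate(acls[10], web_from_b),       # ("deny", None): implicit deny
        "ext_a": evaluate(acls[110], web_from_a),      # ("permit", 1)
        "ext_b": evaluate(acls[110], web_from_b),      # ("deny", 0)
        "ext_ssh": evaluate(acls[110], ssh_from_a),    # ("deny", None): port 22 never permitted
        "shadowed": evaluate(acls[120], web_from_b),   # ("permit", 0): the deny is never reached
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

Running it prints each verdict together with the index of the entry that matched, or None when the implicit deny applied. The ACL 110 results reproduce the "web OK for Network A but not for Network B" picture, and the missing SSH entry shows why anything not explicitly permitted falls through to the implicit deny. The ACL 120 result is the classic ordering mistake: the entry meant to block Network B's web traffic is never reached, and on a real router show access-lists would report zero matches on it.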
