Firewalls based on Access Control Lists (Packet filtering)
prepared by: Mussab Saleh El Riani Supervision: Dr Behalul El Fgee
Sits between two networks
Used to protect one from the other
Places a bottleneck between the networks
All communications must pass through the bottleneck: this gives us a single point of control
17 March 2009 ITCN
Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
Network Address Translation (NAT)
Translates the addresses of internal hosts so as to hide them from the outside world
Also known as IP masquerading
NAT only hides internal addressing; it does not inspect or filter what is forwarded through a translation, so it complements packet filtering rather than replacing it
Compare the network- and transport-layer headers of each packet to a database of rules and then forward only the packets that meet the criteria of the rules
Implemented in routers and sometimes in the TCP/IP stacks of workstation machines
In a router, a filter prevents suspicious packets from reaching your network
In a TCP/IP stack, it prevents that specific machine from responding to suspicious traffic
A packet-filtering router implements the filter with access control lists
So what are access control lists?
This Week – Access Control Lists
What are ACLs? What are they for?
How do they work?
Where to place them
Reasons for ACLs
Limit network traffic to where we define it, and increase network performance
Provide traffic flow control
ACLs can restrict or reduce the contents of routing updates
Provide a basic level of security for network access
Decide which types of traffic are forwarded or blocked at router interfaces
Consider an arbitrary Network
The task of ACLs
An ACL is a group of statements that define how or whether packets:
Enter inbound interfaces
Exit outbound interfaces of the router
The Order of ACLs is important
Statements are tested in order and the first match decides; no later statement is checked
If you create a condition statement that permits all traffic, no statements added later will ever be checked
Every ACL ends with an implicit 'deny all' statement
The statements preceding it must allow the permitted traffic to flow
Construct statements carefully: anything not explicitly permitted will be denied
Standard ACLs
You use standard ACLs when you:
want to block all traffic from a network
want to allow all traffic from a specific network
Standard ACLs check only the source address of packets that could be routed across your network
Standard ACLs are not used very often
Extended ACLs
These are used whenever we want to be more specific about the type of traffic to block, e.g. a certain host or an entire protocol such as www, ftp or icmp (ping)
These are used very frequently
Standard and Extended ACLs
ACL numbers 1 to 99 are for standard ACL statements (1300 to 1999 in the expanded range)
ACL numbers 100 to 199 are for extended ACL statements (2000 to 2699 in the expanded range)
Named ACLs (ip access-list standard|extended NAME) avoid the numbering altogether
Which Interface to place the ACL?
ACLs are assigned to one or more interfaces
Can filter inbound or outbound traffic (one ACL per interface, per direction)
Inbound ACLs check every packet before it is switched to an outbound interface, so denied traffic is dropped before any routing decision is made
Examples of ACLs
access-list 33 permit 192.168.0.0 0.0.255.255
(permits all traffic whose source is in the range 192.168.0.0 to 192.168.255.255; the wildcard mask 0.0.255.255 marks the last two octets as "don't care". Without a wildcard mask IOS assumes 0.0.0.0, so access-list 33 permit 192.168.0.0 on its own would match the single address 192.168.0.0)
access-list 44 deny 192.168.13.7
(denies traffic from only the host 192.168.13.7; equivalent to access-list 44 deny host 192.168.13.7)
access-list 55 permit any
(permits all traffic from any source; the long form is access-list 55 permit 0.0.0.0 255.255.255.255)
All three are standard ACLs, so only the source address is tested
Provide a greater range of control than standard ACLs
E.g. we can allow Web traffic but deny File Transfer Protocol (FTP) or TELNET or other traffic
Extended ACLs check both source and destination addresses
Specific protocols, port numbers and other parameters can also be checked
Extended ACL example
chatham(config)#ip access-list extended 150
chatham(config-ext-nacl)#?
  default  Set a command to its defaults
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  remark   Access list entry comment
chatham(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.255 192.168.2.3 0.0.0.255
The wildcard mask 0.0.0.255 marks the last octet as "don't care", so this entry permits any TCP traffic from 192.168.1.0/24 to 192.168.2.0/24; the .1 and .3 host octets have no effect. To restrict it to one service, add a port test such as eq www (TCP port 80) at the end of the statement.
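The following Python evaluator is an added example and is not part of the original slides. It parses the numbered ACL syntax used on this page (standard lists 1 to 99, extended lists 100 to 199, wildcard masks, host/any, a destination eq <port> test) and applies first-match evaluation with the implicit deny, so the points made above can be checked mechanically: a standard entry without a wildcard matches exactly one host, a permit any placed first shadows every later statement, and the extended list admits web traffic but not FTP or Telnet. The ACL lines and packets are constructed for the example; the port-name table is an assumption that mirrors the IOS keywords, not a copy of the router's table.

```python
"""Toy evaluator for the numbered IOS-style ACL syntax on this page (added example, not
from the slides): standard lists 1-99/1300-1999, extended lists 100-199/2000-2699, wildcard
masks, host/any, a destination 'eq <port>' test, first-match evaluation, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25}  # assumed; mirrors IOS keywords
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 255.255.255.255: every bit is "don't care"

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" for standard lists; "tcp"/"udp"/"icmp" for extended
    src: tuple               # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int] = None

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens, wildcard_required):
    """Consume 'any', 'host A' or 'A [W]' from the front of tokens. A standard list may
    omit W; IOS then assumes 0.0.0.0, i.e. the entry matches exactly one host."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    addr = _ip(tok)
    if wildcard_required or tokens:      # in this standard-list subset only W can follow
        return (addr, _ip(tokens.pop(0)))
    return (addr, 0)

def parse_line(line):
    """Parse 'access-list N permit|deny ...' into (N, Entry)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
        return number, Entry(action, "ip", _parse_addr(rest, False), ANY)
    if 100 <= number <= 199 or 2000 <= number <= 2699:    # extended
        proto = rest.pop(0)
        src, dst = _parse_addr(rest, True), _parse_addr(rest, True)
        dport = None
        if rest[:1] == ["eq"]:                            # destination port only
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        return number, Entry(action, proto, src, dst, dport)
    raise ValueError(f"ACL number {number} out of range")

def build_acls(lines):
    """Group entries by list number; line order is evaluation order."""
    acls = {}
    for line in lines:
        number, entry = parse_line(line)
        acls.setdefault(number, []).append(entry)
    return acls

def _addr_match(spec, ip):
    care = ~spec[1] & 0xFFFFFFFF         # wildcard bit 1 = "don't care"
    return (_ip(ip) & care) == (spec[0] & care)

def _covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    care = ~outer[1] & 0xFFFFFFFF
    return (inner[1] & care) == 0 and (inner[0] & care) == (outer[0] & care)

def evaluate(entries, src, dst, proto="ip", dport=None):
    """First matching entry wins; ('deny', None) is the implicit deny at the end."""
    for i, e in enumerate(entries):
        if (e.proto in ("ip", proto) and e.dport in (None, dport)
                and _addr_match(e.src, src) and _addr_match(e.dst, dst)):
            return e.action, i
    return "deny", None

def shadowed_entries(entries):
    """Indexes of entries that can never match because an earlier entry is a superset."""
    return [j for j, e in enumerate(entries)
            if any(p.proto in ("ip", e.proto) and p.dport in (None, e.dport)
                   and _covers(p.src, e.src) and _covers(p.dst, e.dst) for p in entries[:j])]

SAMPLE = [  # constructed for this example
    "access-list 33 permit 192.168.0.0",                # no wildcard: matches ONE host
    "access-list 34 permit 192.168.0.0 0.0.255.255",    # the whole 192.168.0.0/16
    "access-list 44 permit any",                        # wrong order: shadows the deny below
    "access-list 44 deny host 192.168.13.7",
    "access-list 45 deny host 192.168.13.7",            # same intent, right order
    "access-list 45 permit any",
    "access-list 150 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www",
    "access-list 150 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq ftp",
    "access-list 150 permit icmp any any",              # telnet etc. fall to the implicit deny
    "access-list 151 permit tcp 192.168.1.1 0.0.0.255 192.168.2.3 0.0.0.255",  # the slide's entry
]
ACLS = build_acls(SAMPLE)

if __name__ == "__main__":
    print(evaluate(ACLS[33], "192.168.13.7", "10.0.0.1"))                          # ('deny', None)
    print(evaluate(ACLS[44], "192.168.13.7", "10.0.0.1"), shadowed_entries(ACLS[44]))  # ('permit', 0) [1]
    print(evaluate(ACLS[150], "192.168.1.10", "192.168.2.3", "tcp", 23))           # ('deny', None)
```

shadowed_entries is the check worth running before applying any list: an entry that an earlier, broader entry already covers is dead, and on a real router the only symptom is a hit counter that never moves. The evaluator deliberately has no notion of interface or direction; on the router the same list gives different results depending on where it is applied, which is the placement question below.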
Well-known Port numbers
Some ports are commonly used and their numbers are well-known (e.g. 80 for www, 21 for ftp, 23 for telnet)
An ACL that tests a port number is filtering on the port, not on the service: a PC under an attacker's control can be configured to run any service on any port, so port-based rules identify the intended service only as long as the endpoints follow the convention
Placing Standard and Extended ACLs
Put extended ACLs as close as possible to the source machine or range (on your network) of the traffic type being denied, so unwanted traffic is dropped before it crosses the network
Standard ACLs do not specify destination addresses, so one placed near the source would also block that source's traffic to every other destination; put the standard ACL as near as possible to the destination machine (or range) we want to protect
ACLs check packets for certain conditions
Standard ACLs test simple conditions; extended ACLs test more rigorous conditions
Define the ACL, then apply it to an interface
Place ACLs sensibly
Be sure to order the ACL statements sensibly too!