Access Lists
An access list is essentially a list of conditions that categorize packets, and they come in handy when you need to exercise control over network traffic.
One of the most common and easiest-to-understand uses of access lists is to filter unwanted packets when implementing security policies. You can set them up to make very specific decisions about regulating traffic patterns so that they allow only certain hosts to access web resources on the Internet while restricting others. With the right combination of access lists, network managers arm themselves with the power to enforce nearly any security policy they can invent.
Access list statements
If a given condition is met, then a given action is taken. If the specific condition is not met, nothing happens and the next statement is evaluated. Access list statements are basically packet filters that packets are compared against, categorized by, and acted upon accordingly. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an ACL causes the router to analyze every packet crossing that interface in the specified direction and take the appropriate action.
There are three important rules that a packet follows when it is being compared with an access list:
· The packet is always compared with each line of the ACL in sequential order: it always starts with the first statement of the ACL, moves on to the second statement, then the third statement, and so on.
· The packet is compared with the statements of the access list until a match is made. Once it matches the condition on a statement of the access list, the packet is acted upon and no further comparisons take place.
· There is an implicit “deny” at the end of each access list. This means that if a packet doesn’t match any condition on any of the statements in the access list, the packet will be discarded.
Types of access lists (ACLs)
1. Standard access lists: these access lists use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard ACLs basically permit or deny an entire suite of protocols. They do not distinguish between any of the many types of IP traffic such as web, Telnet, UDP and so on.
2. Extended access lists: extended ACLs can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the network layer header, and the port number in the transport layer header. This gives extended ACLs the ability to make much more granular decisions when controlling traffic.
3. Named access lists: named access lists are either standard or extended and not actually a distinct type.
To use an ACL as a packet filter, you need to apply it to the interface on the router where you want the traffic filtered, and you have to specify which direction of traffic you want the ACL applied to. You must use different ACLs for inbound and outbound traffic on a single interface:
· Inbound ACLs: when an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied won’t be routed.
· Outbound ACLs: when an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.
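The three matching rules above (sequential order, first match wins, implicit deny) and the difference between standard and extended ACLs can be seen in a small simulator. This is an added example, not code from the original post or from any router vendor; the addresses, the `WEB_ACL` entries and the Cisco-style wildcard masks (a 0 bit must match, a 1 bit is ignored) are assumptions chosen for illustration.

```python
"""Simulate IOS-style ACL evaluation: sequential, first match wins, implicit deny."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp", "udp", "icmp"
    dport: Optional[int] = None

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0"              # source address of the condition
    src_wc: str = "255.255.255.255"   # wildcard mask; all-ones means "any"
    # the fields below are consulted only by extended ACLs
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    proto: str = "ip"                 # "ip" matches every protocol
    dport: Optional[int] = None       # None means any destination port

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits that are 0 in the mask must be equal."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def entry_matches(entry: Entry, pkt: Packet, extended: bool) -> bool:
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not extended:
        return True                   # standard ACL: source address is the only test
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    return entry.dport is None or entry.dport == pkt.dport

def evaluate(acl, pkt: Packet, extended: bool = False):
    """Return (action, line) of the first matching statement; line 0 is the implicit deny."""
    for line, entry in enumerate(acl, start=1):       # sequential, first match wins
        if entry_matches(entry, pkt, extended):
            return entry.action, line
    return "deny", 0                                  # implicit deny at the end

# Constructed policy: host 10.1.1.5 and the 10.1.2.0/24 LAN may reach the web server on TCP 80.
WEB_ACL = [
    Entry("permit", "10.1.1.5", "0.0.0.0", "192.168.1.10", "0.0.0.0", "tcp", 80),
    Entry("permit", "10.1.2.0", "0.0.0.255", "192.168.1.10", "0.0.0.0", "tcp", 80),
]
```

Evaluating the same entries with `extended=False` shows why a standard ACL cannot separate web traffic from anything else coming from the same source: only the source address is tested.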