The first line of network defense
For many network administrators, configuring access control lists (ACLs) on routers is a routine task, and the router access list can fairly be called the first line of network defense. An access list provides a mechanism for controlling and filtering traffic flowing in either direction through each interface of the router. With access lists, an administrator turns the organization's internal network policy into concrete rules; those rules can express security requirements and reflect the relative priority of different kinds of traffic. For example, an organization may wish to allow or deny Internet access to its internal web servers, or to allow one or more workstations on the internal LAN to send traffic out to the wide area network. These and similar requirements can be met with access lists.
Types of access lists
Current routers generally support two types of access lists: standard access lists and extended access lists.
A standard access list filters traffic on the basis of network address and can match on the source address only.
An extended access list filters on network addresses and on the type of data being carried; it can match the source address, the destination address and upper-layer protocol information such as port numbers.
Table 1 lists the number ranges of the different access list types supported by the router (the ranges are the ones given in the sections that follow):
Table 1: Access list number ranges
Standard IP access list    1 to 99
Extended IP access list    100 to 199
Standard IP access list
The basic format of a standard IP access list entry is:
access-list [list number] [permit|deny] [host|any] [source address] [wildcard mask] [log]
The parameters of this format are explained below:
1. List number
Standard IP access lists are identified by list numbers in the range 1 to 99.
2. permit/deny
The keywords permit and deny state whether packets that match the entry are allowed through the interface or filtered out: permit lets matching packets pass, deny discards packets whose source address matches the entry.
3. Source address
For a standard IP access list the source address is a host, or a group of hosts, written in dotted decimal notation, for example 198.78.46.8.
4. host/any
The keywords host and any specify a single host and all hosts respectively. host means an exact match, equivalent to a wildcard mask of 0.0.0.0. For example, to permit packets from 198.78.46.8 the standard access list statement is:
access-list 1 permit 198.78.46.8 0.0.0.0
If the keyword host is used, the following statement can also be used instead:
access-list 1 permit host 198.78.46.8
In other words, host is shorthand for a wildcard mask of 0.0.0.0.
Conversely, any is shorthand for the address 0.0.0.0 with the wildcard mask 255.255.255.255, which matches every source (or, in an extended list, every destination). Suppose we want to reject packets from source address 198.78.46.8 while allowing packets from every other source; the standard IP access list would be:
access-list 1 deny host 198.78.46.8
access-list 1 permit any
Note the order of these two statements: an access list is processed from top to bottom and the first matching entry decides what happens to the packet. If the two statements were reversed, with the permit statement ahead of the deny statement, packets from 198.78.46.8 would never be filtered, because permit any matches every packet and the deny statement would never be reached. Statement order in an access list is therefore critical: a poorly ordered list either opens a hole in the network or prevents the company's network policy from being enforced. Two related points: a packet that matches no statement at all is dropped by the implicit deny at the end of every list, and new statements are appended at the end of a numbered list, so inserting a more specific entry above an existing one means removing and re-entering the whole list.
5. Wildcard mask
The wildcard mask used by the Cisco access list function is the inverse of a subnet mask in the sense that a binary 0 bit means "this bit must match" and a binary 1 bit means "don't care". Suppose the organization has the class C network 198.78.46.0 and does not subnet it. Each workstation on that network is configured with the subnet mask 255.255.255.0, in which the 1 bits mark the network portion of the address and the 0 bits mark the host portion. Because the wildcard mask reverses that convention, the wildcard mask that matches every packet whose source is on network 198.78.46.0 is 0.0.0.255. One caveat: a wildcard mask is not required to be contiguous, so 198.78.46.0 with wildcard 0.0.1.255 is legal and matches hosts on both 198.78.46.0 and 198.78.47.0 and nothing else. Reason about the individual bits rather than simply inverting a subnet mask.
6. log
The log keyword was introduced in IOS version 11.3. When it is present on a statement, packets that match that permit or deny statement are logged. The log entry records the access list number, whether the packet was permitted or denied, the source IP address, and the number of matching packets; the first match is reported immediately and the count is then updated at 5 minute intervals. Logging to the console therefore serves both as a testing aid and as an alarm. An administrator can watch which statements packets match under different activity and use that to test the design of a list, and can spot statements that are denying repeated attempts, which is a likely sign of probing or attack. Two caveats for practitioners: packets that hit a logging entry are process-switched rather than fast-switched, so a flood of matching packets (or an attacker deliberately triggering a logging entry) can load the router's CPU, and log messages may be rate-limited by IOS, so the logged counts are an indication rather than an exact record.
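The wildcard matching and first-match, top-to-bottom processing described above, including the implicit deny at the end and the ordering mistake from the deny/permit example, as an added Python model. This is example code written for this page, not router software; the access list lines it parses are constructed samples in the page's own syntax, and the class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, entry_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    differing = _ip(packet_addr) ^ _ip(entry_addr)
    return (differing & ~_ip(wildcard) & 0xFFFFFFFF) == 0


@dataclass
class StandardEntry:
    action: str        # "permit" or "deny"
    addr: str
    wildcard: str
    log: bool = False


def parse_standard(line: str) -> Tuple[int, StandardEntry]:
    """Parse one 'access-list N permit|deny ...' statement of a standard IP access list."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line!r}")
    number = int(t[1])
    if not 1 <= number <= 99:
        raise ValueError(f"standard IP lists use numbers 1-99, got {number}")
    action = t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action!r}")
    rest = t[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if not rest:
        raise ValueError(f"missing source specification: {line!r}")
    if rest[0] == "any":                    # any  == 0.0.0.0 255.255.255.255
        addr, wildcard = "0.0.0.0", "255.255.255.255"
    elif rest[0] == "host":                 # host A == A 0.0.0.0
        addr, wildcard = rest[1], "0.0.0.0"
    else:                                   # A [W]; a missing wildcard defaults to 0.0.0.0
        addr = rest[0]
        wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
    return number, StandardEntry(action, addr, wildcard, log)


def build_acl(lines: List[str]) -> List[StandardEntry]:
    """Parse a whole list, insisting that every statement carries the same list number."""
    parsed = [parse_standard(line) for line in lines]
    if len({n for n, _ in parsed}) != 1:
        raise ValueError("all statements must belong to the same list")
    return [entry for _, entry in parsed]


def evaluate(acl: List[StandardEntry], src: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom. Returns (action, index of the matching entry).
    A packet matching nothing hits the implicit 'deny any'; that is reported with index None."""
    for idx, entry in enumerate(acl):
        if wildcard_match(src, entry.addr, entry.wildcard):
            return entry.action, idx
    return "deny", None


# Constructed sample lists for this example, not taken from any real router.
CORRECT_ORDER = build_acl([
    "access-list 1 deny host 198.78.46.8",
    "access-list 1 permit any",
])
REVERSED_ORDER = build_acl([
    "access-list 1 permit any",
    "access-list 1 deny host 198.78.46.8",   # never reached: permit any matched first
])
NETWORK_ONLY = build_acl([
    "access-list 2 permit 198.78.46.0 0.0.0.255",   # whole class C; all else implicitly denied
])

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ORDER), ("reversed", REVERSED_ORDER)):
        print(name, "198.78.46.8 ->", evaluate(acl, "198.78.46.8"))
    print("network-only 198.78.47.1 ->", evaluate(NETWORK_ONLY, "198.78.47.1"))
```

Running it shows the ordering problem directly: the correctly ordered list returns ("deny", 0) for 198.78.46.8, the reversed list returns ("permit", 0) for the same address, and an address outside 198.78.46.0/24 falls off the end of the network-only list as ("deny", None), the implicit deny.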
Extended IP access lists
As the name implies, an extended IP access list extends the packet filtering capability. It allows filtering on the source and destination addresses, on the protocol, on the source and destination ports, and on specific bits in particular packet fields (such as the TCP ACK and RST bits). The general format of an extended IP access list entry is:
access-list [list number] [permit|deny] [protocol] [source address] [source wildcard] [destination address] [destination wildcard] [operator port] [established] [log]
The keywords are introduced briefly below:
1. List number
Extended IP access lists are identified by list numbers in the range 100 to 199.
2. Protocol
The protocol item names the protocol to be filtered, such as ip, tcp, udp or icmp. The choice matters because the protocols of the TCP/IP stack are layered: TCP, UDP and ICMP are all carried inside IP, so an entry for ip matches every IP packet regardless of transport, while an entry for tcp matches only TCP segments. An administrator who wants to filter on a particular protocol must name that protocol.
Order matters here as well, so the more specific statement must come first. If a statement permitting ip from an address is placed before a statement denying tcp from the same address, the deny statement never takes effect, because the permit ip statement has already matched every packet from that address. With the two statements swapped, TCP from that address is denied while its other protocols are still permitted.
3. Source port number and destination port number
The source port number can be specified in several ways: explicitly as a number, or as a recognised mnemonic; for example 80 or www (the IOS mnemonic for HTTP, the Web's Hypertext Transfer Protocol) and 25 or smtp. For TCP and UDP the port can also be qualified with an operator: lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (an inclusive range between two ports).
The destination port number is specified the same way. Readers can give a single port as a number or a mnemonic, or combine an operator with numbers or mnemonics to express a comparison or a port range.
The following example illustrates some of the keywords of the extended IP access list:
access-list 101 permit tcp any host 198.78.46.8 eq smtp
access-list 101 permit tcp any host 198.78.46.3 eq www
The first statement allows TCP segments from any host to reach the smtp service port (25) of the specific host 198.78.46.8; the second allows TCP segments from any host to reach the www (http) service port (80) of the specific host 198.78.46.3. Nothing else is permitted, because a packet that matches neither statement falls through to the implicit deny at the end of the list.
4. Options
Extended IP access lists support a number of options. One commonly used option is log, introduced above with the standard access list. Another is established, which applies only to the TCP protocol and is intended to admit one direction of a TCP conversation: the replies to sessions initiated from the other side. An entry carrying the established option checks each TCP segment to see whether its ACK or RST bit is set.
For example, consider the following extended IP access table statement:
access-list 101 permit tcp any host 198.78.46.8 established
This statement permits a TCP segment from any source address to the specified host 198.78.46.8 as long as the segment has its ACK or RST bit set. Since every segment of a TCP session except the initial SYN carries the ACK bit, the intent is to admit only traffic belonging to sessions that 198.78.46.8 itself initiated. Note the limit of this check: the router inspects flag bits only and keeps no record of sessions. A packet from outside with the ACK bit set, whether an ACK scan or a crafted segment, matches the entry whether or not a session exists. established is a useful filter against unsolicited connection attempts, not a stateful firewall.
5. Other keywords
deny/permit, the source address with its wildcard mask, the destination address with its wildcard mask, and host/any are used exactly as in the standard IP access list.
Managing and using access lists
Applying an access list to an interface takes three steps:
(1) Define the access list;
(2) Specify the interface to which the access list is applied;
(3) Define the direction (inbound or outbound) in which the access list acts on that interface.
We have already discussed how to define standard and extended IP access lists; below we discuss how to select the interface and specify the direction in which the list is applied.
The interface command selects an interface. For example, to apply an access list to serial port 0, select that port with the following command:
interface serial0
Similarly, to apply an access list to an Ethernet port of the router, Ethernet0 say, select it with the following command:
interface ethernet0
The third step, defining the direction in which the list is applied to the interface, uses the ip access-group command. Its list number identifies the access list, and the keyword in or out gives the direction: in filters packets as they enter the router through the interface, out filters packets as they leave through it. The following example combines the three steps:
access-list 107 remark allow traffic to tom's pc
access-list 107 permit ip any host 198.78.46.8
access-list 107 remark allow only web traffic to webserver
access-list 107 permit tcp any host 198.78.46.12 eq 80
access-list 107 remark block everything else
access-list 107 deny ip any any
interface serial0
ip access-group 107 in
In this example the six access list statements are entered first, three of which use the remark keyword to annotate the statement that follows. The interface command then selects serial port 0, and the ip access-group command applies list 107 to the inbound direction of that serial interface. Note the permit keyword on each permit statement and the protocol keyword ip on the final deny: an extended list requires both. Note also the last statement, which spells out the implicit deny all that ends every access list and is not displayed unless it is listed explicitly; writing it out is good practice, and adding log to it makes visible what the list is dropping. To enter these commands from a terminal attached to the router's console port, first enter privileged EXEC mode with the enable command and then global configuration mode with configure terminal. An example of such a terminal session is shown in the following figure:
A further point: when the reader displays a configured access list with the IOS show command, the output is sometimes confusing, because wherever a wildcard mask bit is 1 (don't care), IOS clears the corresponding bit of the address stored in the access list entry to binary 0.
For example, suppose an extended IP access list entry is entered with the host address 198.78.46.20 and the wildcard mask 0.0.0.255, and the list is then displayed with the show command.
In this case, because the host portion of the wildcard mask for this class C address is all ones (255), the host address 198.78.46.20 on network 198.78.46.0 is automatically converted to the network address 198.78.46.0 in the displayed entry, and the entry matches every host on that network rather than the single host that was typed. If a single host was intended, use host 198.78.46.20 (that is, the wildcard mask 0.0.0.0).
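The address normalization just described, together with the check a practitioner would want to run before loading a list (an address with bits set under the wildcard's don't-care bits is almost always a host entry typed with the wrong mask, and it silently widens the match), as an added Python example. This is example code written for this page, not IOS output; the sample entries are constructed, and the function names are the example's own.

```python
import ipaddress
from typing import List, Optional, Tuple


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def as_displayed(addr: str, wildcard: str) -> str:
    """The address as IOS stores and shows it: every bit under a wildcard 1 bit is cleared."""
    return str(ipaddress.IPv4Address(_ip(addr) & ~_ip(wildcard) & 0xFFFFFFFF))


def match_count(wildcard: str) -> int:
    """How many addresses an entry with this wildcard matches: 2 to the number of 1 bits."""
    return 2 ** bin(_ip(wildcard)).count("1")


def check_entry(addr: str, wildcard: str) -> Optional[str]:
    """Warn when the typed address has bits set that the wildcard marks as 'don't care'.
    IOS discards those bits without comment, so the entry matches more than the address
    suggests; the usual cause is a host entry given a network wildcard by mistake."""
    shown = as_displayed(addr, wildcard)
    if shown == addr:
        return None
    return (f"{addr} {wildcard} is stored as {shown} {wildcard} and matches "
            f"{match_count(wildcard)} addresses; did you mean 'host {addr}'?")


def check_list(entries: List[Tuple[str, str]]) -> List[str]:
    """Run check_entry over (address, wildcard) pairs and collect the warnings."""
    warnings = []
    for addr, wildcard in entries:
        warning = check_entry(addr, wildcard)
        if warning:
            warnings.append(warning)
    return warnings


# Constructed sample entries: one mistyped host entry, one real host entry, one network entry.
SAMPLE = [
    ("198.78.46.20", "0.0.0.255"),
    ("198.78.46.8", "0.0.0.0"),
    ("198.78.46.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for warning in check_list(SAMPLE):
        print(warning)
```

For the first sample entry the check reports that 198.78.46.20 0.0.0.255 is stored as 198.78.46.0 0.0.0.255 and matches 256 addresses; the other two entries are displayed exactly as typed and produce no warning.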