Firewalls

Firewall

11.2.5 A firewall is an architectural structure that exists between the user and the outside world to protect the internal network from intruders. In most circumstances, intruders come from the global Internet and the thousands of remote networks that it interconnects. Typically, a network firewall consists of several different machines that work together to prevent unwanted and illegal access.

In this architecture, the router that is connected to the Internet, referred to as the exterior router, forces all incoming traffic to go to the application gateway. The router that is connected to the internal network, the interior router, accepts packets only from the application gateway. The gateway controls the delivery of network-based services both into and from the internal network. For example, only certain users might be allowed to communicate with the Internet, or only certain applications might be permitted to establish connections between an interior and exterior host. If the only application that is permitted is e-mail, then only e-mail packets should be allowed through the router. This protects the application gateway and avoids overwhelming it with packets that it would otherwise discard.

ACLs should be used in firewall routers, which are often positioned between the internal network and an external network, such as the Internet. This allows control of traffic entering or exiting a specific part of the internal network. The firewall router provides a point of isolation so that the rest of the internal network structure is not affected.

A configuration of ACLs on border routers, which are routers situated on the boundaries of the network, is necessary to provide security benefits. This provides basic security from the outside network, or from a less controlled area of the network, into a more private area of the network. On these border routers, ACLs can be created for each network protocol configured on the router interfaces.

The next page will describe virtual ports.

Placing ACLs

Placing ACLs

11.2.4 The placement of ACLs is an important consideration.
Proper ACL placement will filter traffic and make the network more efficient. The ACL should be placed where it has the greatest impact on efficiency.
In Figure the administrator wants to deny Telnet or FTP traffic from the Router A Ethernet LAN segment to the switched Ethernet LAN Fa0/1 on Router D. At the same time, other traffic must be permitted. There are several ways to do this. The recommended solution is an extended ACL that specifies both source and destination addresses. Place this extended ACL in Router A. Then, packets do not cross the Router A Ethernet segment or the serial interfaces of Routers B and C, and do not enter Router D. Traffic with different source and destination addresses will still be permitted.
The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.
Administrators can only place access lists on devices that they control. Therefore access list placement must be determined in the context of where the network administrator's control extends.
The Interactive Media Activity will teach students where to place ACLs.
The next page will discuss firewalls

Named ACLs

Named ACLs 

11.2.3 IP named ACLs were introduced in Cisco IOS Software Release 11.2. Named ACLs allow standard and extended ACLs to be given names instead of numbers. The following are advantages that are provided by a named access list:

• Alphanumeric names can be used to identify ACLs.
• The IOS does not limit the number of named ACLs that can be configured.
• Named ACLs provide the ability to modify ACLs without deletion and reconfiguration. However, a named access list will only allow for statements to be inserted at the end of a list. It is a good idea to use a text editor to create named ACLs.

Consider the following before implementing named ACLs.
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2.
The same name may not be used for multiple ACLs. For example, it is not permissible to specify both a standard and extended ACL named George.
It is important to be aware of named access lists because of the advantages just discussed. Advanced access list operations such as named ACLs will be presented in the CCNP curriculum.
A named ACL is created with the ip access-list command. This places the user in the ACL configuration mode. In ACL configuration mode, specify one or more conditions to be permitted or denied. This determines whether the packet is passed or dropped when the ACL statement matches.
The configuration in Figure creates a standard ACL named Internetfilter and an extended ACL named marketing_group. The figure also shows how the named access lists are applied to an interface.
The Lab Activities on this page will show students how to create named ACLs to control network traffic.
The next page will discuss the placement of ACLs.

Extended ACLs

Extended ACLs 

11.2.2

Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses and can also check for protocols and port numbers. This gives greater flexibility to describe what the ACL will check. Access can be permitted or denied based on where a packet originates, its destination, protocol type, and port addresses. An extended ACL can simultaneously allow e-mail traffic from Fa0/0 to specific S0/0 destinations and deny file transfers and Web browsing. When packets are discarded, some protocols send an echo packet to the sender, stating that the destination was unreachable.
For a single ACL, multiple statements may be configured. Each statement should have the same access list number, to relate the statements to the same ACL. There can be as many condition statements as needed, limited only by the available router memory. Of course, the more statements there are, the more difficult it will be to comprehend and manage the ACL.
The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or anykeywords in the command.
At the end of the extended ACL statement, an administrator can specify a TCP or UDP port number. The well-known port numbers for TCP/IP are shown in Figure . Logical operations may be specified such as, equal (eq), not equal (neq), greater than (gt), and less than (lt). The extended ACL will perform these operations on specific protocols. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS). In Cisco IOS Software Release 12.0.1, extended ACLs began using additional numbers (2000 to 2699) to provide a maximum of 799 possible extended ACLs. These additional numbers are referred to as expanded IP ACLs.
The ip access-group command links an existing extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is as follows:

Router(config-if)#ip access-group access-list-number {in | out }

The Lab Activities on this page will help students plan, configure, and apply extended ACLs to filter network traffic.
The next page will describe named ACLs.